How to properly set up DNS SPF records?

I'm sending weekly emails to subscribers and it turns out that messages are frequently going to the spam folder for users.

I'm utilizing Amazon SES to send these messages and have added an SPF record according to their instructions: http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SPFSenderIDDKIM.html?r=3917

In querying the SPF records for my domain I get the following back from http://www.kitterman.com/spf/validate.html:

SPF record lookup and validation for: mydomain.tld

SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:


SPF records should also be published in DNS as type SPF records.
Type SPF records found for the domain are:


Checking to see if there is a valid SPF record. 

Found v=spf1 record for mydomain.tld: 
v=spf1 include:amazonses.com ?all 

evaluating...
Results - record processed without error.

The result of the test (this should be the default result of your record) was, none . The explanation returned was,

For my CloudFlare DNS records I have:

SPF  mydomain.tld   v=spf1 include:amazonses.com ?all   with automatic TTL
TXT  mydomain.tld   spf2.0/pra include:amazonses.com ?all   with automatic TTL

The emails are being sent from "[email protected]" and "[email protected]".

Some users have reported seeing the following message: "Messages that falsely appear to be a "bounced message" response (a system-generated email that you might automatically get after sending a message that can't be delivered such as a message sent to an invalid email address)"

With my current sending solution I can't add a DKIM to the emails.

How can this be resolved so as to ameliorate any kind of receipt issues for our users?

Are there TWO txt records for your domain, ie: 1) yourdomain.tld: "v=spf1 include:amazonses.com ~all" and then 2) yourdomain.tld:"spf2.0/pra include:amazonses.com ~all"?

@ylluminate: Indeed, though they might not need to be (the test you are running only seems to care about the one you have, see my update) - I never analyzed SPF requirements in detail, rather just applied the existing examples until 2-3 of these SPF tests returned 'all green' ;) The other one stems from Authenticating Email with Sender ID - I've fixed the misleading link now (which went to Authenticating Email with SPF rather than their parent).

@ylluminate: Just to clarify (and for later reference) - reading the linked SES documentation and the related RFCs again confirms, that SES currently supports three complimentary authentication mechanisms [...]: SPF, Sender ID, and DKIM. The record you are using already is SPF (obviously), while the 2nd one we are using is Sender ID. Accordingly, you don't require Sender ID, but For the best delivery rates, and to help prevent spoofing and phishing, [AWS recommends] that all Amazon SES users maintain both SPF records (v=spf1) and Sender ID records (spf2.0/pra) in their DNS servers.

I was indeed attempting to add SPF and Sender ID. On CloudFlare (my DNS management platform) I have used their SPF record for the SPF and a TXT record for Sender ID. I believe perhaps I could have used their SPF field for both, but I just used these two for the time being. The records seem to be returning properly now thanks to your clarification. You note "all green" in your message above; do you use a testing panel that gives a simple test to verify ns validity for email records such as SPF? Would be interested in what it is if so.

will it also take some time to propagate DNS after the mentioned TXT records are added?