SPF Macro Validation – January 08, 2026
I came across a "new" feature in SPF records today called macros. It is an interesting idea that hasn't gained widespread adoption, but I need to think about whether it is useful for any of my customers. It is one way around the 10-lookup limit, which is easy to hit if you use a bunch of 3rd party mailing services, each of which requires its own SPF record (and sometimes has quite extensive include statements within each record).
One problem with them is that the typical SPF checkers (even those that accept an IP address as well) don't actually look up the macro; they basically just test for syntax and ignore the macros entirely, so testing the macro can be more difficult.
I have a customer that complained that an email from a particular vendor ends up in their spam folder due to a misconfiguration on the sender's end. We added a welcomelist (I hadn't ever thought about it, but kind of crazy that white and black lists existed for so long...) rule for this sender, so SpamAssassin won't filter out this sender any more. I wrote up a technical email for them to forward to the vendor, and I thought I should include it here, since some of the information about SPF macro records isn't great.
Could you please give me a sentence or two in technical terms that I can send to senior IT leadership at CCAC about how their mail server is misconfigured?
It appears that they are actively working on it, as instead of getting an SPF fail that my mail server got when that email was first received on Monday, it now has an SPF record that includes an SPF macro to TouchNet/ValiEmail, and the ValiEmail DNS isn't configured correctly, so causes a TEMPERROR:
spf: query for bursar@ccac.edu/198.187.196.100/tufmon.touchnet.com: result: temperror, comment: , text: 'SERVFAIL' error on DNS 'TXT' lookup of '198.187.196.100._ip.tufmon.touchnet.com._ehlo._spf2.ccac.edu._spf.vali.email'
spamd: rules: ran eval rule T_SPF_TEMPERROR ======> got hit (1)
They are using TouchNet, and presumably vali.email, so probably need to configure their account on vali.email to make that record work.
Though one thing that is interesting to me is that it is using _spf2.ccac.edu as the %{d} part, presumably because it is included from _spf2.ccac.edu, so that might need to be changed to %{o} or else include the vali.email from the root spf record and not from spf2. However, I also tested 198.187.196.100._ip.tufmon.touchnet.com._ehlo.ccac.edu._spf.vali.email and that also failed, so that isn't the easy fix.
Here is a checker that appears to test the SPF macro (it could be improved by asking for the IP), and you can see the failure there.
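As an added example (not code from the post, the mail server or the checker mentioned above), this Python expander follows the macro rules in RFC 7208 section 7 and shows how the two names discussed in the email come out of %{d} versus %{o}. The TEMPLATE string is an assumption inferred from the name in the log line, since the actual TXT record is not shown here; expand, CHECK and queried_names are names made up for the example.

```python
import ipaddress
import re
from urllib.parse import quote

# macro-expand grammar, RFC 7208 section 7.1
_MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)([rR]?)([.\-+,/_=]*)\}|([%_-]))")
_LITERAL = {"%": "%", "_": " ", "-": "%20"}

def expand(template, *, ip, sender, helo, domain):
    """Expand an SPF macro-string. `domain` is the domain currently being
    evaluated: it becomes the target of each include:, unlike %{o}."""
    if "%" in _MACRO.sub("", template):
        raise ValueError("stray '%' or malformed macro in " + repr(template))
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.rpartition("@")
    values = {
        "s": sender, "l": local or "postmaster", "o": sender_domain,
        "d": domain, "h": helo, "v": "in-addr" if addr.version == 4 else "ip6",
        # IPv4 expands as a dotted quad, IPv6 as dot-separated nibbles
        "i": str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", "")),
    }

    def repl(m):
        letter, digits, rev, delims, literal = m.groups()
        if literal:
            return _LITERAL[literal]
        if letter.lower() not in values:
            raise ValueError("unsupported macro letter " + repr(letter))
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if rev:
            parts.reverse()
        if digits and int(digits):
            parts = parts[-int(digits):]  # keep the right-most N labels
        out = ".".join(parts)
        return quote(out, safe="") if letter.isupper() else out

    return _MACRO.sub(repl, template)

# Assumed template, inferred from the name in the temperror log line; the
# actual TXT record is not shown on this page.
TEMPLATE = "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"
# Connection values taken from the same log line.
CHECK = dict(ip="198.187.196.100", sender="bursar@ccac.edu", helo="tufmon.touchnet.com")

def queried_names():
    inc = "_spf2.ccac.edu"  # current domain when reached via the include
    return {"d": expand(TEMPLATE, domain=inc, **CHECK),
            "o": expand(TEMPLATE.replace("%{d}", "%{o}"), domain=inc, **CHECK)}
```

Each expanded name can then be queried for a TXT record (for example with dig) to see what the receiving server saw, which the syntax-only checkers do not do.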