Why are ESPs recommending incorrect SPF record configurations?
Summary
What email marketers say
11 marketer opinions
Email marketer from Stack Overflow explains that some shared hosting providers recommend customers include the hosting provider's domain in their SPF record, but this can potentially allow malicious emails sent from that shared host to appear valid.
Email marketer from MailerCheck suggests that some ESPs may recommend technically incorrect SPF configurations due to laziness, or not wanting to fully invest the time to provide customers with the correct instructions.
Email marketer from Quora responds that small businesses often lack the technical expertise to understand complex SPF configurations, so ESPs might offer simplified instructions that are not entirely accurate but are easier to implement and help customers get started.
Email marketer from EmailDrip shares that some ESPs oversimplify setup instructions for users who are not tech-savvy, leading to technically incorrect but easier-to-implement SPF configurations. This is often done to reduce support requests and onboarding friction.
Email marketer from Reddit mentions that many older tutorials and documentation still circulate online, recommending outdated or incorrect SPF configurations. ESPs may not always update their resources promptly, causing confusion.
Email marketer from forumgroup.org explains that some companies do not want to redo their documentation because it takes too much time, and they are not overly fussed about SPF accuracy.
Email marketer from email-uncovered responds that if the client has more than one mail provider, it can be difficult to understand which one should be used, so the person involved may not add the correct one because of a misunderstanding.
Email marketer from growwithval.com explains that one reason might be legacy practices and outdated documentation that haven't been updated to reflect current best practices for SPF records. They might also simplify instructions for easier comprehension, even if it sacrifices accuracy.
Marketer from Email Geeks shares that the harm in adding unnecessary SPF records is that they clutter the organizational domain’s SPF record, potentially exceeding the 10 DNS lookup limit, and that clients then have to be convinced that SPF isn’t needed in the organizational domain.
Marketer from Email Geeks shares that many ESPs recommend putting the SPF record in the organizational domain, which is incorrect and leads to deprecated, DNS overhead-heavy SPF records.
Email marketer from linkedin.com explains that sometimes a client will have more than one mail provider to add to their SPF record, and that doing so can add too many lookups to the SPF record, so that it does not work as expected.
What the experts say
7 expert opinions
Expert from Email Geeks shares an example where an ESP instructs users to add `include:email.influitive.com` to their SPF record or use a specific IP address, warning about SPF lookup limits.
Expert from Email Geeks explains that incorrect SPF configurations lead to companies not publishing SPF records for their 5321.from addresses and exceeding the 10 DNS lookup limit.
Expert from Email Geeks provides examples of ESP documentation recommending incorrect SPF record configurations, including using `include:amazonses.com` and `include:servers.mcsv.net`.
Expert from Email Geeks expresses dismay at the frequency with which email sending companies incorrectly configure SPF records for their customers, particularly concerning the 5322.from address.
Expert from Spam Resource explains that SPF has deployment problems. Although the basic idea of SPF is simple, it gets very complicated once you start doing it. The initial SPF drafts didn't include a lookup limit, but in real email flows people use too many lookups, which breaks deliverability.
Expert from Email Geeks explains that some ESPs incorrectly instruct customers to include their domain in the SPF record, which is invalid.
Expert from Email Geeks highlights ESPs that set up subdomains on the 5322.from but instruct customers to publish an include: in their 5321.from domain, which is not valid SPF.
What the documentation says
6 technical articles
Documentation from datatracker.ietf.org explains that RFC 7208 specifies a limit of 10 DNS lookups for SPF records. Incorrect configurations often lead to exceeding this limit, which can cause SPF checks to fail.
Documentation from Google shares the importance of making sure you are using the correct domain for your mail sending in your SPF record. If you fail to do this, your mail is less likely to get delivered, as Google and other providers will correctly mark the email as spam or a threat.
Documentation from dmarcian.com shares that the scope of SPF applies only to the domain in the `MAIL FROM` address (5321.MailFrom), not the `From:` header address. ESP recommendations that blur this distinction can lead to misconfigurations.
Documentation from Microsoft explains that improper syntax in SPF records can cause authentication failures. ESPs providing incorrect examples might lead users to create invalid records, negatively impacting deliverability.
Documentation from AuthSMTP shares that you should validate your SPF record once you have created it, as this is the best way to ensure that it is set up correctly. If it is not set up correctly, this could allow hackers to attempt phishing scams from your domain, and for them to be more successful.
Documentation from EasyDMARC shares that SPF records using `include` mechanisms can lead to multiple nested DNS lookups. If an ESP recommends adding their `include` statement without considering existing lookups, it can cause the SPF record to exceed the limit.
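The nested-lookup problem described in the RFC 7208 and EasyDMARC notes above, as an added example that does not come from any ESP or source quoted on this page: a static counter that walks SPF records and reports whether appending one more ESP `include` pushes a domain past the 10-lookup limit. Every domain name and TXT record below is a constructed placeholder held in a dictionary instead of live DNS; macros and the separate void-lookup limit are not modeled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 limit on DNS-querying terms per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed TXT records standing in for live DNS; every name is a placeholder.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailhost.example include:_spf.crm.example ~all",
    "_spf.mailhost.example": "v=spf1 include:a.mailhost.example include:b.mailhost.example include:c.mailhost.example ~all",
    "_spf.crm.example": "v=spf1 a mx include:net.crm.example ~all",
    "_spf.newesp.example": "v=spf1 include:x.newesp.example include:y.newesp.example ~all",
}
LEAVES = ["a.mailhost.example", "b.mailhost.example", "c.mailhost.example",
          "net.crm.example", "x.newesp.example", "y.newesp.example"]
ZONE.update({name: "v=spf1 ip4:192.0.2.0/24 ~all" for name in LEAVES})


def count_lookups(domain, zone, _path=()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    # Worst case, as static checkers count it: a receiver stops at the first
    # matching mechanism, so a real evaluation may use fewer lookups.
    if domain in _path:
        raise ValueError(f"include loop through {domain}")
    record = zone.get(domain, "").lower()
    if not record.startswith("v=spf1"):
        return 0  # nothing to evaluate; the caller already counted the include
    total = 0
    for term in record.split()[1:]:
        match = TERM.match(term)
        if not match:
            continue
        name, target = match.groups()
        if name in QUERYING:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, _path + (domain,))
    return total


def audit_added_include(domain, new_include, zone):
    """Return (before, after, verdict) for appending include:new_include."""
    before = count_lookups(domain, zone)
    trial = dict(zone)
    head, _, tail = zone[domain].rpartition(" ")  # keep the trailing "all" last
    trial[domain] = f"{head} include:{new_include} {tail}"
    after = count_lookups(domain, trial)
    return before, after, "permerror" if after > LOOKUP_LIMIT else "ok"
```

The constructed `example.com` record looks short, with one `mx` and two `include` terms, yet it already costs 9 lookups once the nested includes are followed, so a single additional ESP include that itself nests two more takes it over the limit.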