NEUTRAL SPF validation when sending from only one of my verified domains


We have a system sending emails for lots of our clients. Every one of them is verified using the same process, where we create a domain in AWS SES and, with our clients, we create the appropriate DNS entries in their DNS system (TXT record for verification, CNAMEs for DKIM signatures and MX + TXT records for MAIL FROM custom domain). After everything is verified, we activate the "send email" feature.

We encountered a situation where only one of our clients is getting a NEUTRAL SPF validation. I can repro easily using the "Send Test Email" button from the AWS portal for that particular domain, whereas all other domains (70+) always get full validation.

Can you help out finding what's wrong?
The client successfully created in his DNS the appropriate MX and TXT records for the custom MAILFROM, with the TXT record value set to "v=spf1 ~all". Checked with PowerShell Resolve-DNSName -Name -Type TXT

After sending to a GMail address and looking at "Original message" or header, we can see the following:
Received-SPF: neutral ( is neither permitted nor denied by best guess record for domain of client-ip=;

Is that particular IP not considered as being

asked 4 years ago · 34 views
2 Answers
Accepted Answer


I was able to reproduce the same way you have your configuration. In order to resolve this, please correct the TXT record for the custom mail from.

Currently it is =>
$ dig TXT +short
""v=spf1 ~all""

Please change that (in the value in your DNS settings) =>
"v=spf1 ~all"

The TXT records for other custom mail from are set in the same manner. For example:
$ dig TXT +short
"v=spf1 ~all"

Please wait for the change to propagate and test it. This should fix the issue.

Gaurav @ AWS

answered 4 years ago
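
The check described in the answer above, as an added example that is not part of the original answer or AWS tooling: it decodes `dig TXT +short` lines and flags a record whose stored value begins with a literal quote, which is not selected as an SPF record because the value must begin with exactly `v=spf1`. The function names, labels and sample lines are constructed for illustration, and `spf.example.net` is a placeholder.

```python
import re

# One DNS character-string in presentation format: "..." with backslash escapes.
_CHARSTR = re.compile(r'"((?:[^"\\]|\\.)*)"')
_STRICT_LINE = re.compile(r'\s*(?:"(?:[^"\\]|\\.)*"\s*)+')
_ESCAPE = re.compile(r'\\(\d{3}|.)')
_SPF_START = re.compile(r'v=spf1( |$)', re.I)


def _unescape(s):
    # \DDD is a decimal byte value; \X is the literal character X.
    def repl(m):
        g = m.group(1)
        return chr(int(g)) if len(g) == 3 else g
    return _ESCAPE.sub(repl, s)


def txt_value(line):
    """Return the text stored in the TXT record for one `dig +short` line."""
    line = line.strip()
    if _STRICT_LINE.fullmatch(line):
        # Well-formed output: concatenate the character-strings with no separator.
        return "".join(_unescape(p) for p in _CHARSTR.findall(line))
    # Tolerant path for output whose escaping was lost, such as ""v=spf1 ~all"".
    if len(line) >= 2 and line[0] == line[-1] == '"':
        line = line[1:-1]
    return _unescape(line)


def classify(line):
    """Label a TXT line: 'spf', 'quoted-spf' (literal quotes stored), or 'not-spf'."""
    value = txt_value(line)
    if _SPF_START.match(value):
        return "spf"
    if _SPF_START.match(value.strip('"\'')):
        return "quoted-spf"
    return "not-spf"


# Constructed sample lines, not captured from any real domain.
SAMPLES = [
    '"v=spf1 ~all"',                              # value entered without quotes
    '""v=spf1 ~all""',                            # form shown in the answer above
    r'"\"v=spf1 ~all\""',                         # same fault, escaped form
    '"v=spf1 include:spf.example.net" " ~all"',   # record split into two strings
    '"some-verification=constructed"',            # unrelated TXT record
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):<11} {sample}")
```
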

Hi Gaurav,
Thanks for your reply, and sorry for replying so late, but I seem to have missed the email notification when you replied. Just discovered you had answered me!

Regarding my issue, I want to make sure I understand the right usage of the "quote" character.
In the AWS console, when you generate entries for TXT domain validation, DKIM CNAMEs and MX records, you do not use any "quote" characters around the value you generate, except for the TXT record for the SPF entry, where you actually include the "quote" in the following value
=> "v=spf1 ~all"

When I ask my customer to add those entries into his DNS for validation, shall I ask them to NOT include the "quotes" or should they? My problem seems to happen when the customer includes the quotes when entering the value into his DNS. If so, why do you include the quotes only in this entry in the AWS console?

answered 3 years ago
