SPF record doesn't work (not sure which DNS server to tweak)

Posted by Ion on Server Fault
Published on 2013-10-23T08:31:32Z

Problem: Google (and perhaps others) marks our emails as SPF neutral.

Let me give you some background about the setup: we initially got a dedicated server (Hetzner) with Plesk installed to host a domain/web application, let's say: bigjaws.com. Plesk automatically creates a DNS zone for it with some records for the various services it provides out of the box, e.g. webmail.bigjaws.com as a CNAME to bigjaws.com to provide Horde/whatever, etc.

Let me point out four relevant records among these (where XXX.XXX.XXX.158 is our dedicated IP):

bigjaws.com.    A   XXX.XXX.XXX.158
mail.bigjaws.com.   A   XXX.XXX.XXX.158
bigjaws.com MX (10) mail.bigjaws.com.
bigjaws.com.    TXT v=spf1 +a +mx -all

The above records are not(?) valid anymore though, because after using this dedicated server for a while, our site got bigger and bigger, so we decided to move our operations over to AWS (EC2, RDS, ELB, etc.), but we retained the mail functionality as is, i.e. emails from [email protected] are sent by connecting to our dedicated server, where Plesk takes care of things. This was decided in order not to set up anything from scratch. Of course, for all DNS-related things we now use Route53.

In Route53 I have the following records:

mail.schoox.com. A XXX.XXX.XXX.158
bigjaws.com. MX (10) mail.bigjaws.com
bigjaws.com. SPF "v=spf1 +ip4:XXX.XXX.XXX.158 +mx ~all"

From my understanding of SPF, the SPF status should have been passed: I designate that all email being sent by bigjaws.com from XXX.XXX.XXX.158 is valid/not spam (I added +mx there, but I'm not sure if it's needed). When a mail server receives an email, doesn't it look up the SPF record of the domain and check it against the IP it got the email from?

Checking with spfquery:

root@box:~# spfquery -ip XXX.XXX.XXX.158 -sender [email protected] -rcpt-to [email protected]
StartError
Context: Failed to query MAIL-FROM
ErrorCode: (2) Could not find a valid SPF record
Error: No DNS data for 'bigjaws.com'.
EndError
noneneutral
Please see http://www.openspf.org/Why?id=employee1%40bigjaws.com&ip=XXX.XXX.XXX.158&receiver=spfquery : Reason: default
spfquery: XXX.XXX.XXX.158 is neither permitted nor denied by domain of bigjaws.com
Received-SPF: neutral (spfquery: XXX.XXX.XXX.158 is neither permitted nor denied by domain of bigjaws.com) client-ip=XXX.XXX.XXX.158; [email protected];

If I go to the address listed above (openspf.org) it tells me that the message should have been accepted(!):

spfquery rejected a message that claimed an envelope sender address of [email protected].

spfquery received a message from static.158.XXX.XXX.XXX.clients.your-server.de (XXX.XXX.XXX.158) that claimed an envelope sender address of [email protected].

The domain bigjaws.com has authorized static.158.XXX.XXX.XXX.clients.your-server.de (XXX.XXX.XXX.158) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.

What should I do?

If the problem persists, contact the bigjaws.com postmaster.

Also, here are some headers from an email sent by one of our [email protected] addresses to a gmail.com address (by the way, bigjaws.de listed in the "Received: from" field was the initial domain hosted on the dedicated server before adding the .com one -- both are still listed as separate subscriptions under Plesk).

Delivered-To: [email protected]
Received: by 10.14.177.70 with SMTP id c46csp289656eem;
        Wed, 23 Oct 2013 01:11:00 -0700 (PDT)
X-Received: by 10.14.102.66 with SMTP id c42mr306186eeg.47.1382515860386;
        Wed, 23 Oct 2013 01:11:00 -0700 (PDT)
Return-Path: <[email protected]>
Received: from bigjaws.de (static.158.XXX.XXX.XXX.clients.your-server.de. [XXX.XXX.XXX.158])
        by mx.google.com with ESMTPS id l4si19438578eew.161.2013.10.23.01.10.59
        for <[email protected]>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Wed, 23 Oct 2013 01:10:59 -0700 (PDT)
Received-SPF: neutral (google.com: XXX.XXX.XXX.158 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=XXX.XXX.XXX.158;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: XXX.XXX.XXX.158 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws;
  s=default; d=bigjaws.com;
  b=WwRAS0WKjp9lO17iMluYPXOHzqRcOueiQT4rPdvy3WFf0QzoXiy6rLfxU/Ra53jL1vlPbwlLNa5gjoJBi7ZwKfUcvs3s02hJI7b3ozl0fEgJtTPKoCfnwl4bLPbtXNFu;
  h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding;
Received: (qmail 22722 invoked from network); 23 Oct 2013 10:10:59 +0200
Received: from hostname.static.ISP.com (HELO ?192.168.1.60?) (YYY.YYY.ISP.IP)
  by static.158.XXX.XXX.XXX.clients.your-server.de. with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 23 Oct 2013 10:10:59 +0200
Message-ID: <[email protected]>
Date: Wed, 23 Oct 2013 11:11:00 +0300
From: BigJaws Employee <[email protected]>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: [email protected]
Subject: test SPF
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

test SPF

Any ideas why SPF is not working correctly?

Also, are there any DNS settings that are not needed anymore and create a problem?
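
The check the question describes, as an added example (not part of the original post and not spfquery's code): a simplified evaluator for the ip4, a, mx and all mechanisms, run over constructed zone data. It follows RFC 7208 in querying only TXT records, so a policy published solely under the SPF record type evaluates to none. Assumptions: 203.0.113.158 stands in for the masked XXX.XXX.XXX.158, the zone dictionaries replace real DNS, and include, redirect, macros and CIDR suffixes on a/mx are not handled.

```python
import ipaddress

# Constructed zone data modelled on the Route53 records in the post;
# 203.0.113.158 (documentation range) stands in for XXX.XXX.XXX.158.
ZONE_SPF_TYPE_ONLY = {
    ("bigjaws.com", "SPF"): ["v=spf1 +ip4:203.0.113.158 +mx ~all"],
    ("bigjaws.com", "MX"): ["mail.bigjaws.com"],
    ("mail.bigjaws.com", "A"): ["203.0.113.158"],
}
# Same policy, but published as a TXT record.
ZONE_TXT = dict(ZONE_SPF_TYPE_ONLY)
ZONE_TXT[("bigjaws.com", "TXT")] = ZONE_TXT.pop(("bigjaws.com", "SPF"))

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(zone, domain, mech, ip):
    """Return True if the connecting IP satisfies one SPF mechanism."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        hosts = [arg or domain]
    elif name == "mx":
        hosts = zone.get((arg or domain, "MX"), [])
    else:
        raise ValueError(f"mechanism not handled in this sketch: {mech}")
    addrs = [a for h in hosts for a in zone.get((h, "A"), [])]
    return any(ip == ipaddress.ip_address(a) for a in addrs)


def check_host(zone, ip, domain):
    """Simplified check_host(): TXT lookup only, first matching mechanism wins."""
    ip = ipaddress.ip_address(ip)
    records = [r for r in zone.get((domain, "TXT"), []) if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"       # no policy visible to the receiver
    if len(records) > 1:
        return "permerror"  # more than one v=spf1 record is an error
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if mechanism_matches(zone, domain, term.lstrip("+-~?"), ip):
            return QUALIFIERS[qualifier]
    return "neutral"        # record ended without a match
```

Against real DNS, `dig +short TXT bigjaws.com` shows what a receiving server would see for the first lookup in `check_host`.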
