5

I cannot seem to get an SPF record working for a client of ours; Google mail keeps failing on the lookup.

My SPF record is

v=spf1 a ip4:80.74.254.215 include:mx1.helloevery1.co.uk include:_spf.google.com include:smtproutes.com include:smtpout.com

The client's main mail servers are

smtproutes.com and smtpout.com

These are working fine, SPF passes as expected.

mx1.helloevery1.co.uk is our mail server. It is a simple ISPConfig Postfix setup. We send all mail through 1 account, let's say that is "noreply@example.com".

There is a username and password set up to send through but we change the "from" address in our application. The from address is "enquiry@clientdomain.com".

"enquiry@clientdomain.com" is not set up on mx1.helloevery1.co.uk. It is only on the client servers.

When I send through my SMTP server from the site, I am receiving the following error when I send to my email account.

Received-SPF: permerror (google.com: permanent error in processing during lookup of enquiry@clientdomain.com) client-ip=212.71.234.103;

Authentication-Results: mx.google.com; spf=permerror (google.com: permanent error in processing during lookup of enquiry@clientdomain.com) smtp.mail=enquiry@clientdomain.com

This looks like it is trying to look up the domain on my SMTP server (where it is not configured). If I were to set up the domain on my SMTP server and create an account, then when I send through my SMTP server it will try to deliver it locally.

I've always assumed that SPF was just a verification tool to say which server is allowed to send but never really took into account the email it is coming from.

I'm stuck as I can't find a resource on SPF record creation that I can relate to.

4 Answers

2

An SPF record states which mailservers are allowed to send mail from the sending domain. Basically, what is in the from: address.

So if you have someone sending mail as "ninja@ninja.com" and the receiving mailserver checks SPF, it looks for an SPF record on "ninja.com" to see if the sending mailserver is listed.

Does this answer your question?

Mwuanno
  • 89
2

The reason for Google's PermError is that the domain mx1.helloevery1.co.uk, contained in your SPF include: directive, has no SPF record configured of its own. This issue is treated here:

include:<domain> : The specified domain is searched for a match. […] Warning: If the domain does not have a valid SPF record, the result is a permanent error. Some mail receivers will reject based on a PermError.

As you found out, using the ip4: ip6: mechanisms helps (use both, as you don't know what IP Google sees of the sending host, so it may fail if you only use ip4:). To provide some resilience against IP address changes, you can allow a range of IP addresses (instructions).

However, if you have access to the DNS of the include:-ed domain, it is a cleaner solution to configure an SPF record for it too, such that your sender's IP address passes that SPF test. It makes your other SPF record resilient against IP address changes.

tanius
  • 708
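
The include: behaviour this answer describes, as an added example that is not part of the original answer: a small subset of RFC 7208 evaluation run against a constructed in-memory DNS table. The record under test and the sender IP come from the question; the A record, the third-party SPF records and the record published for mx1.helloevery1.co.uk in FIXED are assumed placeholders.

```python
import ipaddress
# Constructed stand-in for DNS TXT lookups (None = domain publishes no SPF record).
# The third-party records are placeholders on documentation ranges, not real data.
ORIGINAL = ("v=spf1 a ip4:80.74.254.215 include:mx1.helloevery1.co.uk "
            "include:_spf.google.com include:smtproutes.com include:smtpout.com")
TXT = {
    "clientdomain.com": ORIGINAL,
    "mx1.helloevery1.co.uk": None,
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "smtproutes.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "smtpout.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
A = {"clientdomain.com": ["80.74.254.215"]}  # constructed A record
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, depth=0):
    """SPF result for `ip` sending as `domain`; small subset of RFC 7208."""
    record = txt.get(domain)
    if record is None:
        return "none"
    if depth > 10:  # crude stand-in for the RFC's DNS lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = QUALIFIERS.get(term[0])
        mech = term[1:] if qual else term
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "include":
            inner = check_host(ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable SPF record
            matched = inner == "pass"  # fail/softfail/neutral: just no match
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return qual or "pass"
    return "neutral"  # no mechanism matched and no "all"

SENDER = "212.71.234.103"  # client-ip from the Received-SPF header in the question
# Same zone once mx1.helloevery1.co.uk publishes its own record (constructed).
FIXED = {**TXT, "mx1.helloevery1.co.uk": f"v=spf1 ip4:{SENDER} -all"}
if __name__ == "__main__":
    print("original:", check_host(SENDER, "clientdomain.com"))
    print("fixed:   ", check_host(SENDER, "clientdomain.com", FIXED))
```

An include: whose target returns fail, softfail or neutral only means "no match" and evaluation moves on to the next term; only a missing or broken record at the target aborts the whole check with permerror.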
1

At the advice of Mwuanno I changed my records to be ip4 and ip6 based and it started accepting the SPF record. The record now reads:

v=spf1 a ip4:80.74.254.215 ip4:212.71.234.103 ip6:2a01:7e00::f03c:91ff:fedb:4ec8 include:smtproutes.com include:smtpout.com ~all

This seemed to work for me and SPF passes.

0

The reason the SPF record with the ~all parameter at the end probably worked is not necessarily because of the inclusion of both IP4 and IP6 addresses but because of the ~all parameter.

~all is a Soft Fail: All mail servers not listed in the SPF record are not authorized to send mail using the sender’s domain, but the owner of the domain is unwilling to make a strong assertion to that effect. So in other words the SPF check will not necessarily fail and the receiving server may accept the email message.

Jim
  • 1