Received-SPF: neutral

Question

When I send emails from my application I am getting a spf neutral error. I have been working with Google and my hosting company, but none of them can figure it out. Below is my spf record.

"v=spf1 include:s920.tmd.cloud include:mx1.tmdhosting.com include:mx2.tmdhosting.com ip4:184.154.73.81 ip4:108.178.0.170 ip4:198.143.161.162 ip4: include:_spf.google.com ~all"

Below is a snip of the email meta data.

    ARC-Authentication-Results: i=1; mx.google.com;
       dkim=temperror (no key for signature) header.i=@holyfirepublishing.com header.s=default header.b=HRuHEiL6;
       spf=neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) smtp.mailfrom=publisher@holyfirepublishing.com
Return-Path: <publisher@holyfirepublishing.com>
Received: from mx1.tmdhosting.com (mx1.tmdhosting.com. [108.178.0.170])
        by mx.google.com with ESMTPS id b67-v6si3713737ioj.9.2018.04.28.17.31.24
        for <test@holyfirepublishing.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 28 Apr 2018 17:31:24 -0700 (PDT)
Received-SPF: neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) client-ip=108.178.0.170;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@holyfirepublishing.com header.s=default header.b=HRuHEiL6;
       spf=neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) smtp.mailfrom=publisher@holyfirepublishing.com
Received: from [184.154.73.81] (helo=s920.tmd.cloud) by mx1.tmdhosting.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <publisher@holyfirepublishing.com>) id 1fCaFP-0005U5-6t for test@holyfirepublishing.com; Sat, 28 Apr 2018 19:31:24 -0500

I can really use some help building my spf record.

Thanks in advance.

Answer 1

Your domain doesn't actually have an SPF record. I don't know where you put it, but neither I nor Google can find it.

$ host -t txt holyfirepublishing.com
holyfirepublishing.com has no TXT record

Once you actually create an SPF record correctly, other mail servers should begin using it.

Answer 2

Include records must also be spf txt records. If that is not your intent you can use mx if these are your MX records or a:host.exanple.com to permit the IPv4 address of host.example.com

Be mindful of the 10 DNS record limit. mx counts as one, regardless of the number of MX records.

These are all invalid:

include:s920.tmd.cloud include:mx1.tmdhosting.com include:mx2.tmdhosting.com

Answer 3

Your IN SPF "v=spf1 include:s920.tmd.cloud include:mx1.tmdhosting.com include:mx2.tmdhosting.com ip4:184.154.73.81 ip4:108.178.0.170 ip4:198.143.161.162 ip4: include:_spf.google.com ~all" has several problems.

• Use TXT instead of SPF (RFC 7208, 3.1).
• In general, you should avoid multiple includes as there is a maximum amount of DNS queries per SPF check. For the same reason, direct ip4 and ip6 directives are always the best.
• Here, you have includes that doesn't contain SPF records. They should probably use a mechanism, instead. Only "include" existing SPF records.
• You should list a server only once, preferably using ip4. As s920.tmd.cloud A 184.154.73.81, mx1.tmdhosting.com A 108.178.0.170 & mx2.tmdhosting.com A 198.143.161.162, the a mechanisms from the previous can be removed.
• The empty ip4: is a syntax error.
• While + for Pass is the default qualifier, I find it easier for beginners to use it to avoid confusion with the exists/include mechanisms and redirect/exp modifiers that doesn't have qualifiers.

We can assume you have the rest as you desire:

• The results suggests that at least the MX 108.178.0.170 is used for outgoing mail, so probably the three IP addresses are ok.
• The last include allows Gmail. Let's just assume you are using it for this domain.
• ~all soft fail for rest. I agree that you shouldn't use (hard) fail before you have more experience with SPF and can be sure it won't cause any problems.

Result:

IN TXT "v=spf1 +ip4:184.154.73.81 +ip4:108.178.0.170 +ip4:198.143.161.162 include:_spf.google.com ~all"