My DNS provider works perfectly for A records.
I am having great difficulty understanding the syntax of SPF records. I have no prior experience.
The DNS provider supports SPF records and it has two control boxes for information: 'Name' and 'SPF data'.
The A record which functions fine looks like this:
Name: potsandpins.info
IPV4 Address: 45.61.228.207
The SPF record which is giving me no joy looks like this:
Name: potsandpins.info
SPF Data: "v=spf1 a -all" (including the quotation marks)
My emails are received with a red flag in Gmail which says 'Gmail couldn't verify that potsandpins.info actually sent this message'.
Can anyone suggest anything as I've tried all sensible permutations?
You don't seem to currently have an SPF record for potsandpins.info maybe you deleted it because you ran into trouble. Anyway, think of the SPF as a whitelist of any IP addresses or hosts you've given permission to send email on your behalf.
The name would be either the root domain, sometimes designated by the #, or a hostname, foo, which you'd use if you were sending email out as example#foo.example.com.
The SPF data would be the version number (v=spf1), then mechanisms (e.g., a), and then the ip addresses or hosts you'd like to authorize, then the qualifier such as -ALL, which intends a hard fail. You may want to back off from that using ~ALL for now, which intends a softfail. I think it's better to be specific in SPF records as then they're easier to follow exactly what they're authorizing.
Here's an example SPF record. Let's say you wanted to authorize 192.0.2.10 and Google.
v=spf1 ip4:192.0.2.10 include:_spf.google.com ~all
Let's say you wanted to authorize a range of IP addresses and MailChimp:
v=spf1 ip4:192.0.2.0/24 include:servers.mcsv.net ~all
Here's a good article on common mistakes in SPF records.
Then it's important to validate your SPF record using a tool such as the SPF Survey. I like this tool because it gives more detailed, actionable error messages when there's a problem.
if you post the full headers of an example email and indicate any other services you use to send email, then it would be possible to provide more specific advice. For future reference, it's best to provide more details when you post to Stack Overflow as that makes it easier to help. I tried in this post but the information you provided limited how specific the answer could be.
Also, for future reference, it's best to post using example.com rather than a real domain name and use IP addresses from an IPv4 block reserved for documentation.
The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2),
and 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation.
Anyway, I hope this helps.
Related
Like many others, I have navigated the SPF/DKIM/DMARC world with some confusion.
About 4 weeks ago or so I finished setting everything (SPF/DKIM/DMARC) up correctly for a GoDaddy-hosted domain that uses Google's mailservers.
I set the _dmarc TXT record to take zero action with p=none and I used Postmark to monitor the results to see what was passing and failing over a week.
After a week or so I looked at the Postmark results and inserted the include: statements for the domains that I wanted to pass, but weren't. Then I waited another week to see the results. However, the results showed that the domains still weren't passing SPF or DKIM. Below is the SPF record, I've redacted parts of it that are revealing, but two of the domains are legit and still aren't passing.
v=spf1 include:_spf.google.com include:freshemail.io include:cherryroad.com ~all
Do I need to use the actual IP addresses in the include statements instead of the domains? Postmark lists these as well so that would be easy if so.
No, you shouldn't copy their IPs in there because they are subject to change, especially Google's.
If it's failing, presumably you have some results (usually in message headers) that tell you exactly which IP is failing, and you can track it down manually though those includes, do a reverse lookup on it, etc.
However, you're also using GoDaddy, which is mostly guaranteed not to work as they either block outbound SMTP or route it through their own servers, so you're very unlikely to get an SPF pass.
The issue was with SPF DNS lookup limits. I had no idea this was a thing and I'm amazed that this isn't mentioned anywhere on the documentation (whether that's Google's official documentation or otherwise) on setting up SPF/DKIM/DMARC, and didn't come up in Googling of this issue. This limit is designed to prevent denial of service attacks and infinite DNS loops.
For anyone else who sees this post
v=spf1 include:_spf.google.com include:freshemail.io include:cherryroad.com ~all
This SPF record actually has almost 15 DNS lookups, and the limit is 10 per domain. You can find out how many SPF DNS lookups your domain has with a service like AutoSPF or Easy DMARC
The solution, once you see your total DNS lookups, comes in four options:
Create subdomains and use those to diversify the records. For example using "email#business.mydomain.com" as the email for freshemail.io. Then on the SPF record for that subdomain, you would only have v=spf1 include:freshemail.io resulting in less than 10 DNS lookups for that domain.
As #Synchro mentioned, you don't want to use IPs because those can very well change, but the concept of using IPs instead of the domain names does essentially work because an IP address doesn't cost a DNS lookup. Check with the support/engineering of whatever service you're using, it's possible that they have an IP (or an IP range) that doesn't change often. You might be able to bring your DNS lookups under ten using this.
Note that Google takes up about 3 DNS Lookups, and you'll probably want to leave that one as the _spf.google.com value
Note that every SPF record also has a 255 character limit, so if you're using only IPs you'll need to break that up into a lot of SPF records probably
Use an SPF flattening or compressing service like AutoSPF. Essentially, these services employ method #2, but do some backend work every few hours to check and update the IP addresses associated with the domains. Then they provide you with a "compressed" record like v=spf1 include:_6359384.autospf.com ~all that references all of your records and results in far fewer DNS lookups.
Create your own method that acts kind of like #2 and #3, using GoDaddy's API and brew up something that performs updated lookups on a schedule/job and updates separate SPF records including all of the IPs.
I'm experiencing a deliverability problem according to the MXToolBox email deliverability tool:
SPF Authentication SPF Failed for IP - 169.179.203.116
Current SPF record on my domain is:
v=spf1 +mx +a +ip4:116.203.179.169 ~all
Please guide me to resolve this problem.
Thanks
I assume that the 169.179.203.116 address is one that is known to you.
A better SPF record that will result in a pass for that IP:
v=spf1 ip4:169.179.203.116 ip4:116.203.179.169 a mx ~all
It's good practice to put literal IPs first as mechanisms are evaluated left to right, and literal IPs do not require DNS lookups, so are the fastest for receivers to check.
Generally, you need to be sure that the IPs you are sending from are listed, or covered by some other mechanism (e.g. by using an include from an email service provider).
So I'm using mail-tester.com, which is great, except now I'm royally confused. The first time I ran a test, here's what it said (in the SPF section, where the problem is that: You are not allowed to use one of your sender email addresses)
What we retained as your current SPF record is:
v=spf1 a mx ~all
It should be changed to:
v=spf1 a mx ip4:some-ip-address ~all
Need guidance? Visit the guide for cloudflare.
When I clicked the link to the guide for CloudFlare, it literally said my new TXT record should be v=spf1 a mx ~all, which basically contradicted the previous page. So... perhaps the initial diagnostics page was specific guidance while the guide for CloudFlare was just general guidance, on where to put the record? Anyway, so I didn't have a TXT record with v=spf1 a mx ~all in CloudFlare (unusual again given the previous page said it had retained a SPF record as such), so I added it. It didn't do anything to fix my score.
So what I thought then was, OK let's follow the diagnostic's page's specific guidance and add the IP address. The next time I ran a test, I got:
What we retained as your current SPF record is:
v=spf1 a mx ip4:some-ip-address ~all
It should be changed to:
v=spf1 a mx ip4:some-ip-address ip4:different-ip-address ~all
Need guidance? Visit the guide for cloudflare.
And... you guessed it, following these instructions continually just gets me to a never ending cycle of new ip addresses being added to the record, but nothing actually changing my score. Like, now I'm at:
What we retained as your current SPF record is:
v=spf1 a mx ip4:some-ip-address ip4:different-ip-address ~all
It should be changed to:
v=spf1 a mx ip4:some-ip-address ip4:different-ip-address ip4:another-ip-address ~all
Need guidance? Visit the guide for cloudflare.
Has anyone else had experience with this? If you can't tell, I'm a total noob to SPF and have no idea how to fix this honestly. For context, My domain and mail are managed by Gandi, but redirected through CloudFlare, so CloudFlare is where my DNS records are actually kept.
When you say this:
v=spf1 a mx ~all
It says that the IP that resolves from your domain's A record, and any of the IPs designated as mail exchangers for your domain will receive an SPF pass status, and everything else will receive a softfail.
So, when you're getting that error, it means you're sending from somewhere that is not covered by that list of permitted sources, and so it's suggesting you add the sending IP to your record to allow it.
If you are sending from somewhere like gmail with a large pool of mail servers, the source address will change frequently, which would explain why it suggests a different IP each time.
There are two solutions to this:
Don't send using the external service and really send only from the IPs that you designate explicitly (i.e. that are covered by your a and mx options).
Use an SPF include directive to allow sending from a source that uses dynamic sending IPs.
In this latter case you would make your record something like:
v=spf1 a mx include:_spf.google.com ~all
While you say you're using cloudflare and gandi, you don't say where you're actually sending email from - if you're not using gmail then include the SPF from whichever other service you are using.
Update. Given an actual source IP of 217.70.183.200, we can see what's happening. Whois tells us that that IP belongs to gandi.net, and a lookup for gandi.net's SPF record returns this:
v=spf1 ip4:217.70.176.0/21 ip4:217.70.186.186/32 ip4:217.70.186.187/32 ip6:2001:4b98:c::/48 ip6:2001:4b98:dc2:43:216:3eff:fe69:f13/128 ip4:217.70.186.186/32 ip6:2001:4b98:dc2:90:217:70:186:186/128 ptr ?all
The first address range listed in there (ip4:217.70.176.0/21) covers the 217.70.183.200 address, so I suggest you set your SPF to this, which should solve your problem (and is exactly what I said in option 2 above):
v=spf1 a mx include:gandi.net include:_spf.google.com ~all
I have been reading this page on setting up SPF for my domain sending email through Amazon SES to my subscribers.
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/spf.html
I have added the SPF as suggested :
"spf2.0/pra include:amazonses.com -all"
Afterwards it notes the following:
If you use "-all" as shown in the example above, ISPs may block email from IP addresses that are not listed in your Sender ID record. You therefore must add a record for every IP address that you send email from. As a debugging aid, you can use "~all" instead. When you use "~all", ISPs will typically accept email from IP addresses that are not listed. However, they may flag it. To maximize deliverability, use "-all" and add a record for each IP address.
All of my email is sent from my server for which I know the IP address. As such I want to setup a record for my servers IP - I am simply a little confused as to what I need to be using. Is it simply another record as follows:
"spf2.0/pra include:127.0.0.1 -all"
where 127.0.0.1 is replaced with my servers IP?
I have had a look at the openspf website with little success - a basic idea of what the correct record is would be great.
Thanks !
spf2.0/pra is SenderID syntax. While similar in name to SPF proper, they are different protocols. For an explanation of the differences and the controversy surrounding SPF vs. SenderID, check here.
for the SPF record syntax, check here. The most simple way to add your server to the record is as follows: "v=spf1 ip:xxx.xxx.xxx.xxx include:amazonses.com -all", where xxx.xxx.xxx.xxx should be replaced by your server's IP. Another option, if the A or MX record for your domain points to your mailserver's IP is: "v=spf1 a include:amazonses.com -all" or "v=spf1 mx include:amazonses.com -all". It's also allowed to add them all at the same time.
THE SITUATION:
I have ONE e-mail account per domain.
I use e-mails such as [some-alias]#[one-of-my-domains-name]. (server: mail.[mydomain]:[secure port]
My registrar (OVH) is different from my web host (Arvixe).
My hosting plan is a mutualised .NET hosting.
When I want to reply with one of my aliases, I use Mozilla Thunderbird 'Identities'. (Login = concrete domain mail account, FROM: 'the alias e-mail'.)
(And yes, this is very efficient to avoid getting spams and unwanted mailing lists.)
THE PROBLEM:
For some recipient using some spam protection services, I constantly get the error:
Remote server replied: 550 Blocked by SPF ()
HINTS/QUESTIONS AND IDEAS IN SEARCH FOR A SOLUTION
a friend said I have to configure the TXT spf record of my domain.
using different webmaster tools sites to get DIG info, I never get infos about the 'TXT' record. So I'm not sure: Should I edit this record on the side of my domain registrar or in the side of the hosting ?
Current on my registrar's side the record reads:
v=spf1 a:mail.[mydomain] include:mx.ovh.com ~all
and on my hosting's side it reads:
v=spf1 a:mail.[mydomain] ~all
THE BIG QUESTION:
How can I solve this ?
Thank you for your help
Your SPF record is a statement that the IP(s) sending the email are authorised to send email for your domain. In your case I am assuming you're actually sending through the Arvixe servers. The records should be set in the TXT record for your domain at the registrar (ovh).
So in this case you need at your registrar (ovh) to edit the TXT record for SPF to read:
v=spf1 mx a:mail.[yourdomain] include:spf.arvixe.com -all
Note: The modifiers on 'all' vary - +,-,~,? - and specify whether recipients should consider the tests conclusive and reject mail or not. There's a great (very thorough) howto on SPF here: http://www.zytrax.com/books/dns/ch9/spf.html
What is a bit unusual is that the recipients are rejecting what should be an inconclusive SPF record (e.g. default = accept). One of the core problems with email is that there will always be edge cases where recipient servers exhibit odd behaviour - I hope this helps in this case.
Solution found:
- I actually had to set the SPF or TXT (I set both at the same value) record on the hosting's side.
- I used check-auth#verifier.port25.com , which a mail service to checking if your e-mails are passing some anti-spam filter.
- The reply given by check-auth#verifier.port25.com made me understand the Source IP/HELO hostname were not mail.[mydomain] but [myhostingserversubdomain].arvixe.com here what my SPF and TXP spf records look like:
v=spf1 mx ptr:[thesubdomain].arvixe.com -all
(I think 'mx' is really not necessary in my case.)
EDIT : Slight improvement:
v=spf1 ip4:[[thesubdomain].arvixe.com IP] ptr:[thesubdomain].arvixe.com -all
mx removed since in my case the mx servers have nothing to do with it.
"ptr" requires DNS lookup, so I added the direct IP. I left "ptr" in case the IP changes (since it's managed by my host).