SPF record for a mail server - email

I use a different server to send mail to my mailing list. I want to add an SPF record to my domain to show that the IP of the different server is authorized to send mail (as well as the default server).
The server sending email in the example is 1.2.3.4 with the main domain of test.co.uk.
So far I have "v=spf1 mx a ip4:1.2.3.4/32 mx:test.co.uk ?all", would this work for what I want?
EDIT:
I would be sending mail using sendmail. The SPF record would be to increase % of mail going to inbox and also so we can enforce -all in the near future on SPF.

Try using an online tool like http://www.mtgsy.net/dns/spfwizard.php to generate the SPF record. If you Google for "SPF Record checker", you will find many websites which will even validate the SPF record for your domain.

Let's assume your domain is test.co.uk. This makes mx the same as mx:test.co.uk. Specifying an IP as ip4:1.2.3.4 is the same as ip4:1.2.3.4/32.
That would be enough:
v=spf1 mx a ip4:1.2.3.4 ?all
Make sure you verify your SPF records using an SPF checker. Try the following one.
http://spf.myisp.ch
It does some pretty extensive testing.

Related

prevent emails from being flagged as SPAM - SPF configuration

Our business emails are often considered as spam.
We are using gandi.net mails at the moment and send emails from our own mail clients using gandi smtp servers.
I've checked a few websites to test our email addresses for spam. I got the following report on one of them:
It offers me to add some SPF configuration and sign the message with DKIM.
Regarding SPF, I am offered to add an SPF record using the source server (which is the gandi mail relay server relay3-d.mail.gandi.net).
Problem is, there are many mail relay servers, and whenever I send a mail, I get one of those as the source server. They seem to be on the same IP range:
So what am I supposed to do?
add a spf record for each relay server?
like
v=spf1 a mx ip4:217.70.183.195 ~all
or maybe I can use the hostname for more readability?
v=spf1 mx a:relay3-d.mail.gandi.net ~all
Am I supposed to add the IP Range 217.70.183.193-217.70.183.201 ?
(got the IPs below from https://www.ipaddressguide.com/cidr#range )
v=spf1 a mx ip4:217.70.183.193/32 ~all
v=spf1 a mx ip4:217.70.183.194/31 ~all
v=spf1 a mx ip4:217.70.183.196/30 ~all
v=spf1 a mx ip4:217.70.183.200/31 ~all
I am a bit concerned about screwing up our DNS configuration while doing that so please advise! I made a few changes on the DNS configuration, then I got an SPF check error on one of those spam check tools online so I reverted everything until I get more feedback.
This is exactly the purpose of include directives in SPF. You have no way of knowing what their pool of mail servers is, and it may change frequently; Include means that maintaining that list remains gandi's problem, not yours.
Their SPF support page (why didn't you look there before asking here?) says you should add include:_mailcust.gandi.net, and that record covers some large IP ranges, including those you've mentioned.

Configuring SPF record for mail server

I want to configure SPF record for my website. Reason behind this is to use Google service i.e. Having your email in Google Now & all.
What I found from Google is:
Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all
To authorize an additional mail server, add the server's IP address just
before the ~all argument using the format ip4:address or ip6:address.
Please note I've still not added any SPF record till now to my server. So do I need two separate records, one each for my server & Google?
So will it be something like below (ip address is my server's static ip address)?
v=spf1 include:_spf.google.com ip4:1.1.1.1 ~all
Assuming you're sending email directly from your website using an on-webserver SMTP server (not using Google or any other service) then that looks correct. You should only have a single SPF record per domain, and that record needs to include directives for all sources of email. So your suggested record looks right, although you probably want to put the ip4:1.1.1.1 before the include:_spf.google.com, since the former is cheaper to evaluate.
So you might want to make it:
v=spf1 ip4:1.1.1.1 include:_spf.google.com ~all

Mailgun messages from subdomain without MX record get rejected by some mail-providers

I'd like to use Mailgun to send e-mails from a web application, sending newsletters as well as transactional mails.
I set up a subdomain "subdomain.domain.tld" and configured the DNS as specified on the Mailgun panel, except for the (optional) MX record needed to receive mail at that subdomain.
This is because the current hoster/domain-registrar doesn't allow setting an MX record for subdomains, just for the main domain.
Their support says something like 'We don't care about this, deal with it.'.
I don't want to configure the main domain for the use by Mailgun, as the client is receiving regular e-mail at the main domain that is handled by other servers.
The current setup allows me to send mail using mailgun with the "From"-address "mail@domain.tld" to most major E-Mail providers including Gmail, Yahoo and Hotmail.
However the mails get rejected by some providers (e.g. mail.ru, freenet.de or arcor.de), with an error messages like the following:
<bounce+gibberish-user#=provider#subdomain.domain.tld>: Sender address rejected: Domain not found
Other providers have slightly different messages, but point to the same problem:
Domain of sender address [..] does not exist.
Unrouteable mail domain, verifying bounce failed
Unroutable sender address
It seems to me that the mails get rejected because of the missing MX record for subdomain.domain.tld , as used within the bounce address.
How do I solve this problem without moving the complete domain to another registrar that allows me to change MX records for subdomains?
I would really like to avoid this.
Is it possible to configure mailgun to use different bounce addresses that are actually valid independent of my MX records?
For example bounce-gibberish-mydomain-tld@mailgun.com instead of bounce-gibberish@mydomain.tld?
Three possible solutions, in order of preference:
Find a different DNS provider, that will allow you to put an MX on a subdomain. Note that this does not necessarily require you to change registrars.
Use your base domain with mailgun, perhaps utilizing their forwarding feature to send incoming mails to whoever hosts your mailboxes.
Use someone other than mailgun, that will allow the bounce address to be set to their domain instead of yours.
My setup:
root MX set up for gmail. Sends and receives as @mydomain.com
added mailgun and delivers as @mg.mydomain.com
getting bounces when doing mailgun sends to certain email providers (e.g. sbcglobal.net) because as mailgun said, don't add MX record if I already have another email service set up to use MX records.
My fix:
Contacted godaddy support. They told me I could add more MX records for my subdomain. Instead of MX @ mxa.mailgun, it's MX mg mxa.mailgun
Hope this helps.
I ran into the same issue. In my case I'm using Office 365 for receiving emails and Mailgun to send emails. Here is my DNS config for my Mailgun subdomain mg.{name}.com which solved the problem:
email IN CNAME mailgun.org.
email.mg IN CNAME mailgun.org.
mg IN CNAME mailgun.org.
@ IN MX 0 {name}-com.mail.protection.outlook.com.
@ IN MX 10 mxb.mailgun.org.
@ IN MX 10 mxa.mailgun.org.
@ IN TXT "v=spf1 include:spf.protection.outlook.com include:mailgun.org ~all"
krs._domainkey.mg IN TXT "k=rsa; p={insert the value from mailgun here}"
One very important thing is that you can't have two SPF lines in your config. I had to merge these two lines...
@ IN TXT "v=spf1 include:spf.protection.outlook.com -all"
@ IN TXT "v=spf1 include:mailgun.org ~all"
into one...
@ IN TXT "v=spf1 include:spf.protection.outlook.com include:mailgun.org ~all"
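
The merge described in the answers above, as an added example (not code from any of the posters): it detects more than one `v=spf1` TXT record at a name, which RFC 7208 section 4.5 evaluates as PermError, and folds the records into one. The function names and the non-SPF TXT value are assumptions made for the illustration; the two SPF strings are the ones quoted above.

```python
def spf_records(txt_values):
    """Return the TXT strings at one name that are SPF records."""
    return [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]


def check_single(txt_values):
    """RFC 7208 section 4.5: zero records -> none, more than one -> permerror."""
    found = len(spf_records(txt_values))
    return "none" if found == 0 else "ok" if found == 1 else "permerror"


def merge_spf(records, all_qualifier):
    """Fold several v=spf1 strings into one.

    Mechanisms keep first-seen order and duplicates are dropped. Each record's
    own `all` is discarded and one is appended using all_qualifier, because
    choosing between -all and ~all is a policy decision for the domain owner.
    """
    if all_qualifier not in ("-", "~", "?"):
        raise ValueError("all_qualifier must be one of - ~ ?")
    merged = []
    for record in records:
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {record!r}")
        for term in terms[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue  # re-added once, at the end
            if term.lower().startswith("redirect="):
                raise ValueError("redirect= cannot be merged mechanically")
            if term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, all_qualifier + "all"])


# TXT values at one name: the two SPF lines from the answer above plus a
# constructed non-SPF value, which must be left alone.
APEX_TXT = [
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=spf1 include:mailgun.org ~all",
    "site-verification=constructed-token",
]

if __name__ == "__main__":
    print(check_single(APEX_TXT))
    fixed = merge_spf(spf_records(APEX_TXT), "~")
    print(fixed)
    print(check_single([fixed, APEX_TXT[2]]))
```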

Sending emails from my domain with SendGrid

I have a question that I guess is not just related to SendGrid.
Say, I own the mydomain.com domain, and I want to be able to send emails from, for example, team@mydomain.com.
Right now, when I go and manage my domain, I can see that I have some MX record values added there. By doing this, I am able to send email using Gmail.
However, with Sendgrid I find this a little bit more confusing. I have read through the documentation, but I fail to see what I should do. I am using NameCheap, and all that comes to my mind is the following:
If I want to use Sendgrid to send emails from my application (Ruby on Rails), will I still be able to access my Gmail account and send emails using the same address (team@mydomain.com)? Is it compatible to have both (Gmail and Sendgrid) configuration in my domain?
Why don't I need to add any MX records for SendGrid?
First and foremost, the MX records for your domain are used only to specify the hostnames of the servers to handle INCOMING mail for your domain - i.e. the MX records have nothing to do with the servers that are used to send outgoing mail. You can use both Gmail's outgoing mail servers and Sendgrid's outgoing mail servers (and any other outgoing SMTP servers for that matter) to send outgoing mail for your domain. The only caveat to this is if you have an SPF record set up for your domain, but you didn't mention one so I won't elaborate.
MX records, as stated previously, are for specifying a server that handles INCOMING emails. You can use Sendgrid to send outgoing emails together with an email account service like Gmail. With Gmail, you would both send and receive emails. With Sendgrid, you would only send emails.
The MX records for the domain would be specified as those for Gmail/Google. The trick is in correctly configuring the SPF records, which is a TXT type record in the domain name. In the SPF record, you would include both Gmail/Google info as well as Sendgrid info on the same line.
So, say you only used Gmail for sending and receiving email, your SPF record would look something like this:
v=spf1 include:_spf.google.com ~all
However, if you add another server from another service, say Sendgrid, in order to also send verified emails for that domain, the SPF would be altered to something like this:
v=spf1 include:_spf.google.com include:u826348.wl.sendgrid.net -all
In both of these examples, only the GMail/Google MX records would be added to the DNS records.

PermError SPF Permanent Error: Too many DNS lookup

I have SPF and TXT record configured. When I check the SPF record syntax, it says PermError SPF Permanent Error: Too many DNS lookup.
v=spf1 include:_spf.google.com include:netcore.co.in ~all
And my emails are landed in SPAM as well.
1) I am on shared hosting; I don't have a dedicated IP or DKIM configured. Actually, I don't send emails with spam-triggering words. Since I am on shared hosting, is there any possibility that others on the shared hosting are sending emails which result in my emails landing in SPAM?
2) I am using netcore.co.in to send the mass mails, and google.com to send the mails from Gmail.
And I have properly configured MX records as well. I have mentioned Google MX records but not netcore.net MX records.
I am using SendGrid's free SMTP server to send the emails from my Java web app, which I have not mentioned in the SPF record.
Is the SPF record causing the spam issues?
You should have a look at this question I answered a few weeks ago:
Too many DNS lookups in an SPF record
You only get 10 DNS lookups for SPF (that's part of the protocol). There are automatically two lookups to get your TXT records and the actual SPF record. Without doing the actual math (I'll leave that to you as an exercise), you're hovering in the neighborhood of 13-14 lookups. You need to either consolidate your SPF records into one, or drop one of those services. (For instance, SendGrid allows you to do both transactional and mass mail under one set of IPs, so you could drop netcore or gmail entirely).
As for your spam issue, you should contact SendGrid support (http://support.sendgrid.com), that shouldn't be happening to you and they will be able to help you troubleshoot and resolve the issue.
Another option is to use an SPF Proxy service like spfproxy.org. It masks all the lookups behind a proxy that does it in the background. Takes just a couple minutes to set up.
This has nothing to do with shared hosting, dedicated IP, DKIM set up or not, or if your content looks spammy.
The only culprit here is that your SPF contains 10+ mechanisms and/or modifiers that do DNS lookups. The SPF spec imposes this limit to prevent DDoS attacks.
You can use an online SPF checker to check the DNS lookup count in your SPF record: Online SPF checker
When "SPF PermError: too many DNS lookups" is returned during an SPF check, DMARC treats that as fail since it's a permanent error, and all SPF permanent errors are interpreted as fail by DMARC. This can have a negative impact on your email deliverability and you should seek a solution to this problem.
I've written a post on this topic: SPF PermError: too many DNS lookups
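
The count that the answers above refer to, as an added example rather than code from any of the posters: it totals the terms RFC 7208 section 4.6.4 counts against the limit of 10 (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`), following includes recursively. The TXT table and every `.test` name are constructed so the block runs without DNS.

```python
# RFC 7208 section 4.6.4: these terms each cost one DNS query, and an
# evaluation that needs more than 10 of them ends in PermError.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

# Constructed TXT data standing in for live DNS; every name here is made up.
TXT = {
    "example.test": "v=spf1 mx a include:_spf.mail-a.test include:bulk.mail-b.test ~all",
    "_spf.mail-a.test": "v=spf1 include:n1.mail-a.test include:n2.mail-a.test "
                        "include:n3.mail-a.test ~all",
    "n1.mail-a.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "n2.mail-a.test": "v=spf1 ip4:192.0.2.128/25 ~all",
    "n3.mail-a.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "bulk.mail-b.test": "v=spf1 a mx exists:%{i}.bl.mail-b.test "
                        "include:relay.mail-b.test ~all",
    "relay.mail-b.test": "v=spf1 a:out1.mail-b.test a:out2.mail-b.test -all",
    "flat.test": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 include:n1.mail-a.test ~all",
}


def count_lookups(domain, txt=TXT, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = txt.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return 0  # no SPF record published at this name
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term[9:], txt, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()   # "a/24" and "mx/24" still count
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":           # the included record's terms count too
                total += count_lookups(target, txt, path + (domain,))
    return total

def verdict(domain, txt=TXT):
    n = count_lookups(domain, txt)
    return n, ("PermError: too many DNS lookups" if n > LIMIT else "within limit")

if __name__ == "__main__":
    for d in ("example.test", "flat.test"):
        print(d, *verdict(d))
```

`ip4` and `ip6` terms cost nothing, which is why replacing an `include` with the address ranges it resolves to lowers the count.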