Help me understand SPF - the email kind, not the sun kind
September 20, 2013 5:53 AM

I'm seeing neutral/softfail errors on our SPF info on remote email servers - how do I correct this?

I've read this ask mefi post (the only one I could find on setting up SPF), but I'm still confused as to what I need.

I have 5 domains that use a single email server. The reverse lookup for the email server name points to our firewall address, which routes mail to the email server (on a DMZ and using NAT). This may not be the best way to do this but it's what I have available now. I am going to move the email server to a publicly accessible address in the future.

In any case, everything works fine, but looking at the headers of email received at remote servers, messages sent from domains other than our main domain get "softfail" errors for SPF info (IP addresses and domain names changed):
Softfail:
Received-SPF softfail (google.com: domain of transitioning me@OurSecondDomain.com does not designate 1.2.3.4 as permitted sender) client-ip=1.2.3.4;
Authentication-Results mx.google.com; spf=softfail (google.com: domain of transitioning me@OurSecondDomain.com does not designate 1.2.3.4 as permitted sender) smtp.mail=me@OurSecondDomain.com

And a "Neutral" result:
Neutral:
Received-SPF neutral (google.com: 1.2.3.4 is neither permitted nor denied by domain of me@OurMainDomain.com) client-ip=1.2.3.4;
Authentication-Results mx.google.com; spf=neutral (google.com: 1.2.3.4 is neither permitted nor denied by domain of me@OurMainDomain.com) smtp.mail=me@OurMainDomain.com

Our DNS is set up at HostGator (ick):
mail.OurMainDomain.com. 600 IN A 1.2.3.4
ourmaindomain.com. 600 IN TXT v=spf1 +a +mx +ip4:192.185.4.79 ?all

OurSecondDomain.com.com. 600 IN TXT v=spf1 a mx include:websitewelcome.com ~all
(I don't understand the TXT record above - they add it automatically. I don't even know what "websitewelcome.com" and 192.185.4.79 are?)

Is the TXT record(s) what is causing the neutral/softfail errors? How do I set up a "good" SPF record?

*The real reason for this question is that email from users on OurSecondDomain.com sent to a _single_ domain (and no others that I have been informed of) apparently never reaches recipients there. Test messages, real messages, anything. Although the logs of the SMTP transactions on our server show the messages as queued on the remote end there, they (recipients at the remote domain) say they never receive it...? Email from OurMainDomain.com does get there, so I am wondering if the SPF record has anything to do with it or am I just barking up the wrong tree...?

Thanks
posted by dukes909 to Computers & Internet (4 answers total)
 
Best answer: I am going to move the email server to a publicly accessible address in the future.

Yikes, don't do that, you'll lose the protection the firewall affords (modern ones do deep packet inspection for countering application-specific threats, check with your vendor.)

I believe "websitewelcome.com" and 192.185.4.79 are Hostgator's mail host - I think they've set up their mail server in your domain's SPF config, but not yours.

The setting "+ip4:" is the IP of the mail servers permitted to send email for that domain. It needs to match the internet-facing NAT address for your mail server.
posted by Slap*Happy at 6:11 AM on September 20, 2013 [1 favorite]


Response by poster: Thanks - So, take out the "websitewelcome.com" and 192.185.4.79 and change the "+ip4:" to "ip4:1.2.3.4"?
posted by dukes909 at 6:26 AM on September 20, 2013


Yup - here's an article you may find helpful: Make sure Sender Policy Framework (SPF) is correctly configured
posted by Slap*Happy at 6:47 AM on September 20, 2013 [1 favorite]
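The records quoted in this thread, evaluated by a small SPF checker written for this page (it is not code from the thread, from HostGator or from any SPF library). The DNS table is constructed and assumes the domains' A and MX records resolve to the hosting provider rather than to the NAT address 1.2.3.4 that outbound mail leaves from; under that assumption it reproduces the neutral and softfail results above and shows the proposed "ip4:1.2.3.4" record passing (the "-all" in the fixed record is an assumption, not something the thread specifies):

```python
import ipaddress

# Constructed offline stand-in for DNS (nothing is resolved over the network) using the
# thread's placeholder names and IPs. Assumption: the domains' A and MX records point at
# the hosting provider, not at the NAT address 1.2.3.4 that outbound mail leaves from.
DNS = {
    "ourmaindomain.com": {"A": ["192.185.4.79"], "MX": ["mx.example.net"],
                          "TXT": "v=spf1 +a +mx +ip4:192.185.4.79 ?all"},
    "ourseconddomain.com": {"A": ["192.185.4.79"], "MX": ["mx.example.net"],
                            "TXT": "v=spf1 a mx include:websitewelcome.com ~all"},
    "mx.example.net": {"A": ["192.185.4.79"]},                     # constructed host
    "websitewelcome.com": {"TXT": "v=spf1 ip4:192.185.4.79 -all"},  # constructed policy
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, dns=DNS, depth=0):
    """Simplified RFC 7208 check: ip4, a, mx, include and all mechanisms only."""
    ip = ipaddress.ip_address(client_ip)
    record = dns.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"                  # the domain publishes no SPF policy
    if depth > 10:
        return "permerror"             # include loop / lookup limit exceeded
    for term in record.split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech, _, arg = term.partition(":")
        if mech == "all":
            return RESULT[qual]        # catch-all decides for every unmatched sender
        if mech == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = str(ip) in dns.get(arg or domain, {}).get("A", [])
        elif mech == "mx":
            hit = any(str(ip) in dns.get(h, {}).get("A", [])
                      for h in dns.get(arg or domain, {}).get("MX", []))
        elif mech == "include":        # only a "pass" from the included policy matches
            hit = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"         # mechanism this toy checker does not implement
        if hit:
            return RESULT[qual]
    return "neutral"                   # nothing matched and no "all" term was present

def with_record(domain, txt, dns=DNS):
    """Copy of the DNS table with `domain`'s SPF TXT replaced, to try a fix offline."""
    new = {k: dict(v) for k, v in dns.items()}
    new.setdefault(domain, {})["TXT"] = txt
    return new

FIXED = with_record("ourseconddomain.com", "v=spf1 a mx ip4:1.2.3.4 -all")  # thread's fix
```

With the original records, 1.2.3.4 matches nothing and falls through to "?all" (neutral) or "~all" (softfail); the fixed record names the NAT address explicitly, so the same sender passes while any other address now hits "-all" and fails.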


Response by poster: Thank you, I am getting "Pass" results now!
posted by dukes909 at 6:51 AM on September 20, 2013

