Question

Having trouble with SPF Record

  • Posted September 6, 2014

I’m trying to understand SPF records. I was under the impression SPF is used to give permission to hosts to send emails on the domain’s behalf (eg: from address). But this doesn’t look right.

I have a test domain: crine.net. I added a TXT SPF record: “v=spf1 a mx ip4:162.243.152.25 include:_spf.google.com ~all”

;; ANSWER SECTION:
crine.net.		300	IN	TXT	"v=spf1 a mx ip4:162.243.152.25  include:_spf.google.com ~all"

I sent a test email from my work account to a @crine.net address. I have Postfix configured to forward @crine.net to me@gmail.com. My vhost (162.243.152.25) has been set to accept @crine.net.

I did successfully get the email within Gmail. However, I found this in the headers:

Received-SPF: fail (google.com: domain of me@work-domain.com does not designate 162.243.152.25 as permitted sender) client-ip=162.243.152.25;
Authentication-Results: mx.google.com;
   spf=hardfail (google.com: domain of me@work-domain.com does not designate 162.243.152.25 as permitted sender) smtp.mail=me@work-domain.com;

I don’t get it. I sent the email to @crine.net. 162.243.152.25 is my vhost IP address. It is in my spf record. What is this message actually saying? Why does it appear to me to be saying me@work-domain.com doesn’t permit my vhost as a permitted sender?


Addition: upon further reading of SPF records, I’m starting to see my original view was a bit off. I was under the impression the to address would be the tested record when relaying from my vhost. Now, I’m starting to see why this is failing:

  • @work-domain.com is the original sender, originally sent from my work’s SMTP relay. Sending an email directly to @gmail.com results in a Received-SPF: pass.

Because the email is being forwarded, it’s changing the SMTP relay to my vhost. And since @work-domain.com isn’t set to allow my vhost to be an originating SMTP sender, it’s resulting in a fail.

SPF Records are really just for sending emails, not validating send routes.

New Question: Is there anything I can do to tell @gmail that my vhost is a valid relay for @mydomain.com?



Solution

Okay, so I did a little more research and I found some interesting things:

SPF “breaks” email forwarding.

via: http://www.openspf.org/SRS

Yup! So, the solution here is to use SRS, in combination with SPF. I found a great quick tutorial for installing a PostSRS daemon: https://www.mind-it.info/forward-postfix-spf-srs/

In addition to this, I highly recommend updating main.cf ‘mydomain’ to be the desired from: domain you’ve set up SPF against. In addition, change the postsrsd process to run under ‘postfix’ in /etc/default/postsrsd.

ps -ef | grep postfix should then show a new postsrsd process, with your domain under the -d parameter.
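
Added example (not from the original post and not PostSRSd's code): a small offline model of why the forwarded message failed SPF and why rewriting the envelope sender with SRS makes the same relay pass. The work-domain.com record, the secret and the function names are constructed for illustration; the evaluator handles only the ip4 and all mechanisms, and the SRS0 encoding is a simplified version of the scheme described at the openspf.org link.

```python
import base64, hashlib, hmac, ipaddress, time

# Constructed stand-in for DNS TXT lookups. The crine.net record is the one from
# the question; the work-domain.com record is a made-up placeholder.
SPF = {
    "crine.net": "v=spf1 a mx ip4:162.243.152.25 include:_spf.google.com ~all",
    "work-domain.com": "v=spf1 ip4:192.0.2.10 -all",
}
SECRET = b"example-only-secret"  # hypothetical; the SRS daemon holds the real one
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def spf_check(mail_from, client_ip):
    """SPF result for the envelope sender's domain (ip4: and all only)."""
    domain = mail_from.rsplit("@", 1)[1]
    if domain not in SPF:
        return "none"
    for term in SPF[domain].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            hit = ipaddress.ip_address(client_ip) in ipaddress.ip_network(mech[4:], strict=False)
        else:
            hit = mech == "all"  # a, mx and include need DNS, so they never match here
        if hit:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def _tag(ts, domain, local):
    mac = hmac.new(SECRET, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]


def srs_forward(mail_from, forwarder, day=None):
    """Rewrite the envelope sender into the forwarder's own domain (SRS0 layout)."""
    local, domain = mail_from.rsplit("@", 1)
    day = int(time.time() // 86400) if day is None else day
    ts = B32[(day >> 5) & 31] + B32[day & 31]  # day counter, 10 bits, two characters
    return f"SRS0={_tag(ts, domain, local)}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address):
    """Recover the original sender for a bounce, rejecting forged SRS addresses."""
    _, tag, ts, domain, local = address.rsplit("@", 1)[0].split("=", 4)
    if not hmac.compare_digest(tag, _tag(ts, domain, local)):
        raise ValueError("SRS hash mismatch")
    return f"{local}@{domain}"
```

With the vhost at 162.243.152.25 as the connecting client, `spf_check("me@work-domain.com", ...)` returns `fail`, while the address produced by `srs_forward("me@work-domain.com", "crine.net")` is evaluated against crine.net's record and returns `pass`.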

Did you add it as a TXT record on your DO DNS tab to match the SPF?