By: guice

Having trouble with SPF Record

September 6, 2014

I'm trying to understand SPF records. I was under the impression SPF is used to give permission to hosts to send emails on the domain's behalf (e.g. the From address). But this doesn't look right.

I have a test domain: crine.net
I added a TXT SPF record: "v=spf1 a mx ip4:162.243.152.25 include:_spf.google.com ~all"

;; ANSWER SECTION:
crine.net.      300 IN  TXT "v=spf1 a mx ip4:162.243.152.25  include:_spf.google.com ~all"

I sent a test email from my work account to a @crine.net address. I have Postfix configured to forward @crine.net to me@gmail.com. My vhost (162.243.152.25) has been set to accept @crine.net.

I did successfully get the email within Gmail. However, I found this in the headers:

Received-SPF: fail (google.com: domain of me@work-domain.com does not designate 162.243.152.25 as permitted sender) client-ip=162.243.152.25;
Authentication-Results: mx.google.com;
   spf=hardfail (google.com: domain of me@work-domain.com does not designate 162.243.152.25 as permitted sender) smtp.mail=me@work-domain.com;

I don't get it. I sent the email to @crine.net. 162.243.152.25 is my vhost IP address. It is in my spf record. What is this message actually saying? Why does it appear to me to be saying me@work-domain.com doesn't permit my vhost as a permitted sender?

1 comment
  • Addition: upon further reading of SPF records, I'm starting to see my original view was a bit off. I was under the impression the To address would be the tested record when relaying from my vhost. Now, I'm starting to see why this is failing:

    • @work-domain.com is the original sender, originally sent from my work's SMTP relay. Sending an email directly to @gmail.com results in a Received-SPF: pass.

    Because the email is being forwarded, it's changing the SMTP relay to my vhost. And since @work-domain.com isn't set to allow my vhost to be an originating SMTP sender, it's resulting in a fail.

    SPF Records are really just for sending emails, not validating send routes.

    New Question: Is there anything I can do to tell @gmail that my vhost is a valid relay for @mydomain.com?

2 Answers

Did you add it as a TXT record on your DO DNS tab to match the SPF?

  • That "ANSWER SECTION:" is the actual dig txt output of crine.net. I'm using Cloudflare for DNS (due to its faster TTL - DO's TTL was actually a problem).

    However, the old crine.net DO DNS record still does exist, and the SPF records do match.

Solution

Okay, so I did a little more research and I found some interesting things:

SPF "breaks" email forwarding.

via: http://www.openspf.org/SRS

Yup! So, the solution here is to use SRS, in combination with SPF. I found a great quick tutorial for installing a PostSRS daemon: https://www.mind-it.info/forward-postfix-spf-srs/

In addition to this, I highly recommend updating main.cf 'mydomain' to be the desired From: domain you've set up SPF against. In addition, change the postsrsd process to run under 'postfix' in /etc/default/postsrsd.

ps -ef | grep postfix should then show a new postsrsd process, with your domain under -d parameter.
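To see concretely why the forwarded mail failed and why SRS fixes it, here is an added example (not from the original post, and not postsrsd's code): a minimal SPF evaluator run against the crine.net record from the question, using a stub DNS table and a simplified SRS0 rewrite. The work-domain.com and _spf.google.com records, the A/MX data and the HMAC secret are constructed assumptions.

```python
import hmac, hashlib, ipaddress

# Constructed, offline stand-in for DNS. Only crine.net's TXT record is from the
# question; every other value here is an assumption for the demonstration.
DNS = {
    "crine.net": {"txt": "v=spf1 a mx ip4:162.243.152.25 include:_spf.google.com ~all",
                  "a": ["162.243.152.25"], "mx": ["mail.crine.net"]},
    "mail.crine.net": {"a": ["162.243.152.25"]},
    "work-domain.com": {"txt": "v=spf1 ip4:203.0.113.10 -all"},   # assumed record
    "_spf.google.com": {"txt": "v=spf1 ip4:74.125.0.0/16 ~all"},  # assumed record
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(ip, envelope_sender, depth=0):
    """Evaluate the SPF record of the envelope sender's (MAIL FROM) domain against
    the connecting client IP. The To address is never consulted."""
    domain = envelope_sender.rsplit("@", 1)[-1]
    data = DNS.get(domain, {})
    if "txt" not in data or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in data["txt"].split()[1:]:           # skip the "v=spf1" version tag
        qual = "+"                                 # default qualifier is "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mx_hosts = (DNS.get(mx, {}).get("a", []) for mx in data.get("mx", []))
        if (mech == "all"
                or mech == "ip4" and addr in ipaddress.ip_network(arg, strict=False)
                or mech == "a" and ip in data.get("a", [])
                or mech == "mx" and any(ip in hosts for hosts in mx_hosts)
                or mech == "include" and spf_check(ip, "x@" + arg, depth + 1) == "pass"):
            return QUAL[qual]
    return "neutral"                               # fell off the end of the record

def srs_forward(envelope_sender, forwarder, secret=b"constructed-secret", ts="TK"):
    """Simplified SRS0 rewrite (real SRS uses a base64 HMAC and a base32 day stamp):
    the forwarder becomes the envelope sender, so the receiver checks the
    forwarder's SPF record; the original address is kept inside for bounces."""
    local, orig_domain = envelope_sender.rsplit("@", 1)
    mac = hmac.new(secret, f"{ts}{orig_domain}{local}".lower().encode(),
                   hashlib.sha1).hexdigest()[:4].upper()
    return f"SRS0={mac}={ts}={orig_domain}={local}@{forwarder}"

def forwarding_scenario(vhost_ip="162.243.152.25", original="me@work-domain.com"):
    """The situation from the question: work mail relayed through the vhost to Gmail."""
    before = spf_check(vhost_ip, original)            # what Gmail reported: fail
    rewritten = srs_forward(original, "crine.net")    # what an SRS daemon does on forward
    after = spf_check(vhost_ip, rewritten)            # now evaluated against crine.net
    return before, rewritten, after
```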
