Having trouble with SPF Record

Posted September 6, 2014

I’m trying to understand SPF records. I was under the impression SPF is used to give permission to hosts to send emails on the domain’s behalf (eg: from address). But this doesn’t look right.

I have a test domain:
I added a TXT SPF record: “v=spf1 a mx ip4: ~all”

;; ANSWER SECTION:      300 IN  TXT "v=spf1 a mx ip4: ~all"

I sent a test email from my work account to a address. I have Postfix configured to forward to My vhost ( has been set to accept

I did successfully get the email within Gmail. However, I found this in the headers:

Received-SPF: fail ( domain of does not designate as permitted sender) client-ip=;
   spf=hardfail ( domain of does not designate as permitted sender);

I don’t get it. I sent the email to is my vhost IP address. It is in my spf record. What is this message actually saying? Why does it appear to me to be saying doesn’t permit my vhost as a permitted sender?

1 comment
  • Addition: upon further reading of SPF records, I’m starting to see my original view was a bit off. I was under the impression to address would be the tested record when relaying from my vhost. Now, I’m starting to see why this is failing:

    • is the original sender, originally sent from my work’s SMTP relay. Sending an email directly to results in a Received-SPF: pass.

    Because the email is being forwarded, it’s changing the SMTP relay to my vhost. And since isn’t set to allow my vhost to be an originating SMTP sender, it’s resulting in a fail.

    SPF Records are really just for sending emails, not validating send routes.

    New Question: Is there anything I can do to tell @gmail that my vhost is a valid relay for

2 answers

Did you add it as a TXT record on your DO DNS tab to match the spf?

  • That “ANSWER SECTION:” is the actual dig txt output of I’m using Cloudflare for DNS (due to its faster TTL - DO’s TTL was actually a problem).

    However, the old DO DNS record still does exist, and the SPF records do match.


Okay, so I did a little more research and I found some interesting things:

SPF “breaks” email forwarding.


Yup! So, the solution here is to use SRS, in combination with SPF. I found a great quick tutorial for installing a PostSRS daemon:

In addition to this, I highly recommend updating ‘mydomain’ to be the desired from: domain you’ve set up SPF against. In addition, change the postsrsd process to run under ‘postfix’ in /etc/default/postsrsd.

ps -ef | grep postfix should then show a new postsrsd process, with your domain under the -d parameter.
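
The forwarding failure and the SRS fix discussed in this thread, shown as an added example that is not part of the original posts: the receiver checks the connecting IP against the SPF record of the envelope sender's domain, so a forwarder fails until it rewrites that sender to its own domain. All domains, IPs and the secret are constructed; the SPF check covers only `ip4` and `all`, and the SRS hash and timestamp are simplified rather than postsrsd's exact encoding.

```python
import hashlib
import hmac
import ipaddress

# Constructed TXT records (documentation domains and IP ranges, not from the post).
SPF_RECORDS = {
    "work.example": "v=spf1 ip4:198.51.100.10 -all",   # original sender's domain
    "forward.example": "v=spf1 ip4:192.0.2.25 ~all",   # forwarding vhost's domain
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from):
    """Evaluate ip4 and all mechanisms for the MAIL FROM domain (subset of RFC 7208)."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism.startswith("ip4:") and ip in ipaddress.ip_network(mechanism[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def srs_rewrite(mail_from, forward_domain, secret, day_stamp="AB"):
    """Build an SRS0-shaped envelope sender; hash and timestamp are simplified."""
    local, domain = mail_from.rsplit("@", 1)
    mac = hmac.new(secret, f"{day_stamp}{domain}{local}".lower().encode(), hashlib.sha1)
    tag = mac.hexdigest()[:4]
    return f"SRS0={tag}={day_stamp}={domain}={local}@{forward_domain}"


def demo():
    sender = "alice@work.example"
    direct = check_spf("198.51.100.10", sender)      # work relay delivers directly
    forwarded = check_spf("192.0.2.25", sender)      # vhost relays, sender unchanged
    rewritten = srs_rewrite(sender, "forward.example", b"constructed-secret")
    with_srs = check_spf("192.0.2.25", rewritten)    # vhost relays, SRS sender
    return direct, forwarded, rewritten, with_srs


if __name__ == "__main__":
    print(demo())
```

The original address stays encoded in the local part of the rewritten sender, which is how a bounce can be routed back through the forwarder to the real sender.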