Question
Having trouble with SPF Record
I’m trying to understand SPF records. I was under the impression SPF is used to give permission to hosts to send emails on the domain’s behalf (eg: from address). But this doesn’t look right.
I have a test domain: crine.net
I added a TXT SPF record: “v=spf1 a mx ip4:162.243.152.25 include:_spf.google.com ~all”
;; ANSWER SECTION:
crine.net. 300 IN TXT "v=spf1 a mx ip4:162.243.152.25 include:_spf.google.com ~all"
I sent a test email from my work account to a @crine.net address. I have Postfix configured to forward @crine.net to me@gmail.com. My vhost (162.243.152.25) has been set to accept @crine.net.
I did successfully get the email within Gmail. However, I found this in the headers:
Received-SPF: fail (google.com: domain of me@work-domain.com does not designate 162.243.152.25 as permitted sender) client-ip=162.243.152.25;
Authentication-Results: mx.google.com;
spf=hardfail (google.com: domain of me@work-domain.com does not designate 162.243.152.25 as permitted sender) smtp.mail=me@work-domain.com;
I don’t get it. I sent the email to @crine.net. 162.243.152.25 is my vhost IP address. It is in my spf record. What is this message actually saying? Why does it appear to me to be saying me@work-domain.com doesn’t permit my vhost as a permitted sender?
Addition: upon further reading of SPF records, I’m starting to see my original view was a bit off. I was under the impression that the to address would be the tested record when relaying from my vhost. Now, I’m starting to see why this is failing: Received-SPF: pass. Because the email is being forwarded, it’s changing the SMTP relay to my vhost. And since @work-domain.com isn’t set to allow my vhost to be an originating SMTP sender, it’s resulting in a fail. SPF Records are really just for sending emails, not validating send routes.
New Question: Is there anything I can do to tell @gmail that my vhost is a valid relay for @mydomain.com?
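
An added example, not part of the original post: the Python sketch below parses the Received-SPF header quoted in the question and shows that the receiver evaluated the envelope sender's domain against the connecting IP, not the recipient domain's record. The work-domain.com record is constructed for illustration, the function names are hypothetical, and only the ip4 and all mechanisms are evaluated so that it runs without DNS.

```python
import ipaddress
import re

# Header text as quoted in the question above.
RECEIVED_SPF = ("Received-SPF: fail (google.com: domain of me@work-domain.com "
                "does not designate 162.243.152.25 as permitted sender) "
                "client-ip=162.243.152.25;")
# Offline stand-in for DNS: crine.net's record is from the question; the
# work-domain.com record is constructed (192.0.2.0/24 is a documentation range).
SPF_RECORDS = {
    "crine.net": "v=spf1 a mx ip4:162.243.152.25 include:_spf.google.com ~all",
    "work-domain.com": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
HEADER_RE = re.compile(
    r"Received-SPF:\s*(\w+).*?domain of \S+@([\w.-]+).*?client-ip=([0-9a-fA-F.:]+)",
    re.S)

def parse_received_spf(header):
    """Return (result, envelope sender domain, client IP) from the header."""
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received-SPF header")
    return m.group(1).lower(), m.group(2).lower(), m.group(3)

def check_ip4(record, client_ip):
    """Evaluate only ip4 and all, left to right; a, mx and include need DNS
    lookups and are skipped in this offline sketch."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = QUALIFIERS.get(term[0], "pass")
        mech = term[1:] if term[0] in QUALIFIERS else term
        if mech == "all":
            return qualifier
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return qualifier
    return "neutral"

def explain(header, recipient_domain):
    """Show which domain's SPF record the receiver evaluated, and why."""
    result, checked, client_ip = parse_received_spf(header)
    return {
        "header_result": result,
        "domain_checked": checked,
        "client_ip": client_ip,
        "sender_domain_verdict": check_ip4(SPF_RECORDS[checked], client_ip),
        "recipient_domain_verdict": check_ip4(SPF_RECORDS[recipient_domain], client_ip),
    }
```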