Question

How to correctly set up SPF

Posted April 13, 2021
Email DNS

I have been trying to set up SPF records so that I can use Postfix to send emails that can be received for confirmation purposes. Currently they either end up in the spam folder (like with Gmail and sometimes Yahoo) or they aren’t received at all (like with Outlook).

I followed (https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-20-04) to set up Postfix.

I have an A record that points to mydomain.com
I have a TXT record that consists of TXT @ v=spf1 a:mydomain.com ~all

When I send an email to a yahoo email address of mine I get this:

------
Received: from 10.253.234.153
 by atlas315.free.mail.gq1.yahoo.com with HTTPS; Thu, 1 Apr 2021 20:06:01 +0000
Return-Path: <noreply@mydomain.com>
X-Originating-Ip: [164.90.140.91]
Received-SPF: none (domain of mydomain.com does not designate permitted sender hosts)
Authentication-Results: atlas315.free.mail.gq1.yahoo.com;
 dkim=unknown;
 spf=none smtp.mailfrom=mydomain.com;
 dmarc=unknown header.from=mydomain.com;
X-Apparently-To: seth.herendeen@yahoo.com; Thu, 1 Apr 2021 20:06:01 +0000
Received: from 164.90.140.91 (EHLO mydomain.com)
 by 10.253.234.153 with SMTPs
 (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
 Thu, 01 Apr 2021 20:06:01 +0000
Received: by mydomain.com (Postfix, from userid 0)
    id 6A4BF403C5; Thu,  1 Apr 2021 20:06:00 +0000 (UTC)
-----

As you can see I get an spf=none result. Per the suggestion of (https://netcorecloud.com/tutorials/setup-spf-and-dkim-with-postfix-on-ubuntu/) I use DIG to see the current TXT record for my domain.

----
; <<>> DiG 9.16.1-Ubuntu <<>> mydomain.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mydomain.com.                 IN      TXT

;; ANSWER SECTION:
mydomain.com.          1712    IN      TXT     "TXT  @  v=spf1 mx ~all"

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Apr 01 20:09:05 UTC 2021
;; MSG SIZE  rcvd: 77
----

I gather that it takes time for the TXT record to propagate but my TXT record does not currently resemble the result that DIG gives me, nor should it. Is this a consequence of me improperly formatting my SPF record? How do I do this correctly?


I tried waiting a few days. It is now the 13th. I have made no progress. It still says SPF=NONE.

edited by MattIPv4

1 answer

Hi there,

Usually, when specifying a domain name I would use include: rather than a:.

I could suggest changing your SPF record to:

v=spf1 include:your_domain.com ~all

Also, you could use this SPF tool here to get some more information about your SPF record:

https://www.digitalocean.com/community/tools/spf?

Note that after making the DNS change it could take up to 24 hours for the DNS cache to clear across the globe.

Regards,
Bobby

  • Per your suggestion, I changed the SPF record to say v=spf1 include:mydomain.com ~all. I now receive spf=permerror. I will check again in 48 hours to see if the result changes.

    • Hello,

      What I could suggest is also extending the SPF record to include the IP address of your Droplet as follows:

      v=spf1 ip4:your_ip/32 include:your_domain.com ~all
      

      Let me know how it goes.
      Regards,
      Bobby
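
As an added example (not code from this thread or from DigitalOcean), here is a small offline Python lint for the two results reported above: a TXT value that does not begin with `v=spf1` is not an SPF record at all, so the receiver reports `none`, and an `include:` that points back at the same domain exhausts the RFC 7208 limit of 10 DNS-querying terms, which is a `permerror`. The zone dictionaries are constructed from the records quoted on this page, and `check` walks every term statically, whereas a real evaluator stops at the first mechanism that matches the sending IP.

```python
# Added example: static SPF lint (RFC 7208), run against constructed zone data.
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per check
DNS_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def select_spf(txt_records):
    """Pick the SPF record: only TXT strings that begin with 'v=spf1' count."""
    spf = [t for t in txt_records
           if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not spf:
        return "none", None        # receiver reports spf=none
    if len(spf) > 1:
        return "permerror", None   # more than one SPF record is an error
    return "ok", spf[0]

def check(domain, zones, budget=None):
    """Return 'ok', 'none' or 'permerror' after walking include: targets."""
    budget = [LOOKUP_LIMIT] if budget is None else budget
    result, record = select_spf(zones.get(domain.lower(), []))
    if result != "ok":
        return result
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        mech = name.split(":")[0].split("/")[0].split("=")[0]
        if mech in DNS_TERMS:
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # lookup limit exceeded, e.g. by a loop
        if mech == "include":
            target = name.partition(":")[2]
            if not target or check(target, zones, budget) != "ok":
                return "permerror"  # missing target, or target has no valid SPF
    return "ok"

# Constructed zones modelled on the records quoted in the thread.
AS_SEEN_BY_DIG = {"mydomain.com": ["TXT  @  v=spf1 mx ~all"]}
SELF_INCLUDE = {"mydomain.com": ["v=spf1 include:mydomain.com ~all"]}
# Assumption: a record that names the sending IP from the headers directly.
IP_ONLY = {"mydomain.com": ["v=spf1 ip4:164.90.140.91 ~all"]}

if __name__ == "__main__":
    for label, zone in (("as seen by dig", AS_SEEN_BY_DIG),
                        ("self include", SELF_INCLUDE),
                        ("ip4 only", IP_ONLY)):
        print(f"{label:15} -> {check('mydomain.com', zone)}")
```

When publishing the record, the DNS panel's value field should hold only the string starting at `v=spf1`; the record type and the `@` host go in their own fields.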