
Resolved Error code: (26) DNS lookup failure, failed SPF check - spf.trusted-forwarder.org gone?

flle

New Pleskian
Server operating system version
CentOS 7.9.209
Plesk version and microupdate number
Plesk Obsidian 18.0.53.0
Hi,
I noted today that I got SPF deferred messages in my mail log due to "DNS lookup failed".
Example:
1686262265514.png
After very extensive troubleshooting around my DNS configuration and the SPF records of the sender domains, which all looked good and healthy, I started sniffing the DNS traffic and realised that lookups for spf.trusted-forwarder.org failed! That finally brought me on the right track.
"include:spf.trusted-forwarder.org" is a standard local rule of the Plesk SPF configuration:
mailserver: Mail Server Settings
1686261663754.png
After removing this rule, the deferred mails were passing SPF checks and were delivered again.
I could not figure out any more what this include:spf.trusted-forwarder.org was really needed for, but apparently the DNS records for this trusted-forwarder.org domain are gone and thus breaking the SPF checks.
I started seeing the errors on June 7th 10:40 CET.
This potentially affects A LOT OF mail server owners...
If someone has some additional info/insights here, I'd be happy to hear them.

Regards
Marc
 
Thank you for posting about this. However, I suspect there is some confusion here. Plesk does not set or even recommend setting the local SPF rule to include:spf.trusted-forwarder.org and the local SPF guess rules to v=spf1 +a/24 +mx/24 +ptr ?all. Those are just example values used in the Plesk documentation and should not be used in live environments.
 
I was just about to create the same thread, then I found this among the similar threads after entering my title. I had exactly the same problem, possibly also from June 7th on. About 50% of the mails still arrived, the other 50% did not (certain providers did not arrive). After removing include:spf.trusted-forwarder.org the mails are now arriving one by one. I had this line in the settings because I thought it made sense. Apparently I was wrong.
 
To add some more information (I would edit my post, but it's not possible after 4 minutes):

The domain (spf.trusted-forwarder.org) was down since 2023-06-06 08:34:51 (CET) according to my logs. And I used it successfully since the 7th of January, 2023. I had the recommendation to use this as the local rule from here: qmail SPF (Sender Policy Framework) patch
 
[...] I had the recommendation to use this as the local rule from here: qmail SPF (Sender Policy Framework) patch
Interesting. So after some Googling I found that on the Avenger SMTP MAN page trusted-forwarder.org is described as:
trusted-forwarder.org maintains a white-list of such sites, and it is highly recommended that you use this whitelist until SPF is more widely deployed.
It seems like include:spf.trusted-forwarder.org was actually a (somehow) widely used SPF whitelist from back in the day when SPF wasn't widely adopted yet, which I wasn't aware of. Looks like the domain and SPF whitelist are no longer available (and weren't updated for years). Not sure why.

@Peter Debik perhaps it's worth considering for Plesk to update the documentation and remove any reference to spf.trusted-forwarder.org. Who knows what will happen to the domain in the future ...
 
@Kaspar That is a valid point. We'll discuss it here and eventually update software and documentation. Thank you for bringing this up.
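
Added example (not part of the thread and not Plesk code): a small audit that walks the include:/redirect= targets of an SPF rule and reports which ones would make a receiver return temperror (DNS failure, mail deferred) or permerror (no usable SPF record), following RFC 7208. The zone data, the `sample_lookup` resolver and all names other than spf.trusted-forwarder.org are constructed for illustration.

```python
import re

class LookupFailed(Exception):
    """DNS timeout or SERVFAIL for a TXT query."""

# Constructed sample data. None models a lookup that fails (as in this thread);
# a name that is absent models NXDOMAIN / no TXT records.
SAMPLE_ZONE = {
    "spf.trusted-forwarder.org": None,
    "_spf.mail.example": ["v=spf1 ip4:192.0.2.0/24 include:_gone.example -all"],
}

def sample_lookup(name):
    """Hypothetical offline resolver: return TXT strings or raise LookupFailed."""
    if name not in SAMPLE_ZONE:
        return []
    if SAMPLE_ZONE[name] is None:
        raise LookupFailed(name)
    return SAMPLE_ZONE[name]

def spf_targets(rule):
    """Domains referenced by include: mechanisms and redirect= modifiers."""
    return re.findall(r"(?:^|\s)[+\-~?]?(?:include:|redirect=)(\S+)", rule, flags=re.I)

def audit(rule, lookup, seen=None):
    """Return {domain: status} for every include/redirect target, recursively."""
    seen = {} if seen is None else seen
    for target in spf_targets(rule):
        target = target.rstrip(".").lower()
        if target in seen:
            continue                      # already checked, also stops loops
        if "%" in target:
            seen[target] = "skipped-macro"  # macro expansion needs a real message
            continue
        try:
            txts = lookup(target)
        except LookupFailed:
            seen[target] = "temperror"    # receiver defers, as in the mail log above
            continue
        spf = [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]
        if len(spf) != 1:
            seen[target] = "permerror"    # no SPF record, or more than one
            continue
        seen[target] = "ok"
        audit(spf[0], lookup, seen)       # follow nested includes
    return seen

if __name__ == "__main__":
    for rule in ("include:spf.trusted-forwarder.org",
                 "v=spf1 include:_spf.mail.example -all"):
        print(rule, "->", audit(rule, sample_lookup))
```

To audit a live server, pass a `lookup` function backed by a real resolver that raises `LookupFailed` on timeout or SERVFAIL, and run it against the local SPF rule as well as your own domains' records.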
 