
HELP - SPF DNS record preventing mail being sent

kuhle

Guest
Can anybody help? I have a domain with a TXT record of
v=spf1 a mx ptr -all

When trying to send an email to one particular customer, we get it undelivered with the following message:

The mail system
<email address of recipient>: host recipientdomain.com[81.138.175.161] said: 550 failed
to meet SPF requirements (in reply to MAIL FROM command)

Then I checked SPF and got:
Checking to see if there is a valid SPF record.

Found v=spf1 record for mydomain.com
v=spf1 a mx ptr -all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!

but the SPF checking tool gives:
Input accepted, querying now...
evaluating v=spf1 a mx ptr -all ...
Results - record processed without error.

The result of the test (this should be the default result of your record) was, ambiguous . The explanation returned was, SPF Ambiguity Warning: No A records found for: 70-91-79-102-washingtondc.hfc.comcastbusiness.net

Can anybody tell me what is wrong?
 
Most likely it's actually a problem on their end. If they have their mail exchanger server pass the message to another server inside BEFORE testing SPF, it'll fail the SPF test because you're using "-all" - which says "and no other servers are allowed to relay". The relay INSIDE their network is still considered the most recent relay server before SPF testing, so the message is refused.

Disable SPF (or switch it to "~all") temporarily. Send a new message to the person that you've been trying to reach. It will go through. Have them send you back the FULL HEADERS for the message they received. Check those headers for a relay action after your server hands off the message.

If it has one, contact their network admin/webmaster directly and see if he can fix his setup - make sure to explain that he's failing to obey the rules of SPF by testing it after a relay.

If he refuses to cooperate, and you absolutely must reach them by email, leave it as "~all". If he cooperates and fixes the mail server settings, turn it back to "-all".
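
The header check described in the reply above, as an added example that is not part of the original posts: it reads the Received chain oldest-first, finds the hop where the sending server handed the message off, and reports whether the IP recorded in Received-SPF belongs to a later relay. The headers, host names and addresses are constructed placeholders, and it assumes the recipient's server stamps a Received-SPF header with the RFC 7208 client-ip field, which not every server does.

```python
import re
from email import message_from_string

# Constructed headers for illustration; hosts and addresses are placeholders.
SAMPLE_HEADERS = (
    "Received-SPF: softfail (mydomain.example: transitioning) client-ip=10.0.0.2;\n"
    " envelope-from=user@mydomain.example; receiver=inside.recipient.example\n"
    "Received: from mx.recipient.example (mx.recipient.example [10.0.0.2])\n"
    " by inside.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from mail.mydomain.example (mail.mydomain.example [192.0.2.10])\n"
    " by mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: user@mydomain.example\n\nbody\n"
)

HOP_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)", re.S)

def hops(raw):
    """Return (from_host, from_ip, by_host) per Received header, oldest first."""
    found = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            found.append(m.groups())
    return list(reversed(found))  # each server prepends, so the top is newest

def spf_checked_ip(raw):
    """Return the client-ip recorded in Received-SPF, or None if absent."""
    value = message_from_string(raw).get("Received-SPF", "")
    m = re.search(r"client-ip=([0-9a-fA-F.:]+)", value)
    return m.group(1) if m else None

def diagnose(raw, sender_ips):
    """Report relays after the sender's handoff and whether SPF saw one of them."""
    chain = hops(raw)
    idx = next((i for i, h in enumerate(chain) if h[1] in sender_ips), None)
    later = chain[idx + 1:] if idx is not None else []
    checked = spf_checked_ip(raw)
    return {
        "relays_after_handoff": [h[0] for h in later],
        "spf_checked_ip": checked,
        "checked_after_relay": checked is not None and checked in [h[1] for h in later],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_HEADERS, {"192.0.2.10"}))
```

Pass the set of addresses your own SPF record authorises as `sender_ips`; a true `checked_after_relay` means the receiver evaluated SPF against its own relay rather than your server.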
 
I resolved this problem. It was not an SPF problem because SPF settings were the same for 2 domains, so we ruled that out.

In Server > Mail, we had enabled DomainKeys "Verify Incoming Mail". When we disabled that (and I think restarted Qmail and POP/IMAP services), it worked fine. Then we had more Spam coming in. The answer to that was to install spamdyke and that has resolved the problem with us. We do have ASL (Atomic Secured Linux) as server protection, and that is worth every penny that it costs. It also makes the installation of all the programmes rather easier.

I hope that helps you.
 