Question SPF activation with relay server

[nuno.pereira]

Server operating system version

CentOS Linux release 7.9.2009 (Core)

Plesk version and microupdate number

Version 18.0.55

In Plesk server (cal it plesk.mydomain.com) I have domains like client-a.com and client-b.com. Most of the domains have MX records that point to mx.mycompany.com (with higher priority) and to plesk.mydomain.com (with lower priority), but others have just plesk.mydomain.com.

The domains client-a.com and client-b.com have SPF records that include the MX records, A records and includes the SPF of plesk.mydomain.com (ex: "v=spf1 +mx +a +includelesk.mydomain.com -all", where plesk.mydomain.com is something like "v=spf1 +mx +ip4:A.B.C.D/25 +ip4:X.Y.W.Z/26 -all").
Emails sent from client-a.com to external domains are working well like so, as Plesk server sends emails directly to the destination.

SPF verification isn't activated on the Plesk server.
I tried to activate it, but it's not working well. Remember that emails sent from external domains (like anotherdomain.org) are sent to mx.company.com (primary MX server), which sends it to plesk.mydomain.com. Like so, plesk.mydomain.com rejects it on SPF validation, as mx.company.com isn't in the SPF records of anotherdomain.org (which I can't control).

How can I configure Plesk to have SPF validation working when there's a relay server for incoming email? I tried to put "local spf rules" configuration on plesk to include mx.company.com, but that won't work when anotherdomain.org sends emails directly to client-b.com. Or can it?
Is there a way for SPF verification to whitelist a pool of servers?

 

[Peter Debik]

I am not entirely sure, but I think I remember a case where simply entering the forwarding server name into the "SPF local rules" of the general mail server settings was enough to let all mails from that server pass. Maybe you can try it and let us know whether that worked?

 

[Kaspar]

Yes, @Peter Debik is right. For the use case you're describing you can add an SPF mechanism with a reference to your relay sever to the SPF local rules in Plesk.

 

[nuno.pereira]

I am not entirely sure, but I think I remember a case where simply entering the forwarding server name into the "SPF local rules" of the general mail server settings was enough to let all mails from that server pass. Maybe you can try it and let us know whether that worked?

The thing with SPF local rules is this message in the manual:

Note: If the mail server detects no SPF record, the resulting policy will comprise the local rules only.

In case of a domain configured with valid SPF rules, this seems to work. But when there's no SPF rule for the sender domain, my rule is the only one, and this fails in that case, or am I seeing it wrong?

What SPF rule do you suggest? Initially I've put this "v=spf1 a mx ip4:ip1/32 ip4:ip2/32 ~all", but now I've removed the rule for all and is at "v=spf1 a mx ip4:ip1/32 ip4:ip2/32", and everything seems to pass, but I still need to confirm that it's passing correctly.
So far, every single email has passed, which seems odd.

 

[nuno.pereira]

The thing with SPF local rules is this message in the manual:

The URL to the manual is the following: DKIM, SPF, and DMARC Protection