
Question SPF activation with relay server

nuno.pereira

New Pleskian
Server operating system version
CentOS Linux release 7.9.2009 (Core)
Plesk version and microupdate number
Version 18.0.55
In Plesk server (call it plesk.mydomain.com) I have domains like client-a.com and client-b.com. Most of the domains have MX records that point to mx.mycompany.com (with higher priority) and to plesk.mydomain.com (with lower priority), but others have just plesk.mydomain.com.

The domains client-a.com and client-b.com have SPF records that include the MX records, A records and includes the SPF of plesk.mydomain.com (ex: "v=spf1 +mx +a +include:plesk.mydomain.com -all", where plesk.mydomain.com is something like "v=spf1 +mx +ip4:A.B.C.D/25 +ip4:X.Y.W.Z/26 -all").
Emails sent from client-a.com to external domains are working well like so, as Plesk server sends emails directly to the destination.

SPF verification isn't activated on the Plesk server.
I tried to activate it, but it's not working well. Remember that emails sent from external domains (like anotherdomain.org) are sent to mx.company.com (primary MX server), which sends it to plesk.mydomain.com. Like so, plesk.mydomain.com rejects it on SPF validation, as mx.company.com isn't in the SPF records of anotherdomain.org (which I can't control).

How can I configure Plesk to have SPF validation working when there's a relay server for incoming email? I tried to put "local spf rules" configuration on plesk to include mx.company.com, but that won't work when anotherdomain.org sends emails directly to client-b.com. Or can it?
Is there a way for SPF verification to whitelist a pool of servers?
 
I am not entirely sure, but I think I remember a case where simply entering the forwarding server name into the "SPF local rules" of the general mail server settings was enough to let all mails from that server pass. Maybe you can try it and let us know whether that worked?
 
Yes, @Peter Debik is right. For the use case you're describing you can add an SPF mechanism with a reference to your relay server to the SPF local rules in Plesk.
 
I am not entirely sure, but I think I remember a case where simply entering the forwarding server name into the "SPF local rules" of the general mail server settings was enough to let all mails from that server pass. Maybe you can try it and let us know whether that worked?

The thing with SPF local rules is this message in the manual:
Note: If the mail server detects no SPF record, the resulting policy will comprise the local rules only.
In case of a domain configured with valid SPF rules, this seems to work. But when there's no SPF rule for the sender domain, my rule is the only one, and this fails in that case, or am I seeing it wrong?

What SPF rule do you suggest? Initially I've put this "v=spf1 a mx ip4:ip1/32 ip4:ip2/32 ~all", but now I've removed the rule for all and it is at "v=spf1 a mx ip4:ip1/32 ip4:ip2/32", and everything seems to pass, but I still need to confirm that it's passing correctly.
So far, every single email has passed, which seems odd.
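
The effect of a relay entry in the SPF local rules, as an added example that is not part of the thread and is not Plesk's own code. It assumes local mechanisms are tried before the sender's final `all` (only the no-record case is stated in the manual note quoted above), supports only `ip4` and `all`, and uses constructed addresses and records.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(policy, client_ip):
    """Simplified SPF check: only ip4 and all mechanisms, no DNS lookups."""
    ip = ipaddress.ip_address(client_ip)
    for term in policy.split()[1:]:                  # skip "v=spf1"
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"                                 # RFC 7208: nothing matched

def effective_policy(sender_record, local_rules):
    """ASSUMED merge: local mechanisms are tried before the sender's final 'all';
    with no sender record the local rules are the whole policy (per the manual note)."""
    local = local_rules.split()[1:]
    terms = sender_record.split()[1:] if sender_record else []
    if terms and terms[-1].lstrip("+-~?") == "all":
        terms = terms[:-1] + local + terms[-1:]
    else:
        terms = terms + local
    return "v=spf1 " + " ".join(terms)

# Constructed sample values (documentation address ranges, not from the thread).
RELAY_IP = "192.0.2.10"                              # stands in for the primary MX relay
SENDER_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"    # stands in for anotherdomain.org
LOCAL_NO_ALL = "v=spf1 ip4:192.0.2.10/32"
LOCAL_SOFT_ALL = "v=spf1 ip4:192.0.2.10/32 ~all"

def check(sender_record, local_rules, client_ip):
    return evaluate(effective_policy(sender_record, local_rules), client_ip)

def scenarios():
    return {
        # Everything handed over by the relay matches the local rule, whoever sent it.
        "via relay": check(SENDER_RECORD, LOCAL_NO_ALL, RELAY_IP),
        "via relay, no sender record": check(None, LOCAL_NO_ALL, RELAY_IP),
        # Direct delivery is still judged by the sender's own record.
        "direct, authorized host": check(SENDER_RECORD, LOCAL_NO_ALL, "198.51.100.7"),
        "direct, unauthorized host": check(SENDER_RECORD, LOCAL_NO_ALL, "203.0.113.9"),
        # No sender record: the outcome depends on how the local rule ends.
        "direct, no record, no all": check(None, LOCAL_NO_ALL, "203.0.113.9"),
        "direct, no record, ~all": check(None, LOCAL_SOFT_ALL, "203.0.113.9"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

For relayed mail the receiving host only ever sees the relay's address, so a pass on those messages says nothing about the original sender; the SPF decision for them has to be made on the relay itself.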
 