
Question SPF activation with relay server

nuno.pereira

New Pleskian
Server operating system version
CentOS Linux release 7.9.2009 (Core)
Plesk version and microupdate number
Version 18.0.55
In Plesk server (call it plesk.mydomain.com) I have domains like client-a.com and client-b.com. Most of the domains have MX records that point to mx.mycompany.com (with higher priority) and to plesk.mydomain.com (with lower priority), but others have just plesk.mydomain.com.

The domains client-a.com and client-b.com have SPF records that include the MX records, A records and includes the SPF of plesk.mydomain.com (ex: "v=spf1 +mx +a +include:plesk.mydomain.com -all", where plesk.mydomain.com is something like "v=spf1 +mx +ip4:A.B.C.D/25 +ip4:X.Y.W.Z/26 -all").
Emails sent from client-a.com to external domains are working well like so, as Plesk server sends emails directly to the destination.

SPF verification isn't activated on the Plesk server.
I tried to activate it, but it's not working well. Remember that emails sent from external domains (like anotherdomain.org) are sent to mx.company.com (primary MX server), which sends it to plesk.mydomain.com. Like so, plesk.mydomain.com rejects it on SPF validation, as mx.company.com isn't in the SPF records of anotherdomain.org (which I can't control).

How can I configure Plesk to have SPF validation working when there's a relay server for incoming email? I tried to put "local spf rules" configuration on plesk to include mx.company.com, but that won't work when anotherdomain.org sends emails directly to client-b.com. Or can it?
Is there a way for SPF verification to whitelist a pool of servers?
 
I am not entirely sure, but I think I remember a case where simply entering the forwarding server name into the "SPF local rules" of the general mail server settings was enough to let all mails from that server pass. Maybe you can try it and let us know whether that worked?
 
Yes, @Peter Debik is right. For the use case you're describing you can add an SPF mechanism with a reference to your relay server to the SPF local rules in Plesk.
 
I am not entirely sure, but I think I remember a case where simply entering the forwarding server name into the "SPF local rules" of the general mail server settings was enough to let all mails from that server pass. Maybe you can try it and let us know whether that worked?

The thing with SPF local rules is this message in the manual:
Note: If the mail server detects no SPF record, the resulting policy will comprise the local rules only.
In case of a domain configured with valid SPF rules, this seems to work. But when there's no SPF rule for the sender domain, my rule is the only one, and this fails in that case, or am I seeing it wrong?

What SPF rule do you suggest? Initially I've put this "v=spf1 a mx ip4:ip1/32 ip4:ip2/32 ~all", but now I've removed the rule for all and is at "v=spf1 a mx ip4:ip1/32 ip4:ip2/32", and everything seems to pass, but I still need to confirm that it's passing correctly.
So far, every single email has passed, which seems odd.
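
The situation discussed in this thread, as an added example that is not code from any poster or from Plesk: a minimal SPF evaluator (ip4 and all mechanisms only, no DNS) that compares a direct delivery with one arriving via the relay, with and without local rules. The IP addresses, the `norecord.example` domain and the way local rules are merged with the sender's record are assumptions made for illustration; the "no record means local rules only" branch follows the manual note quoted above.

```python
import ipaddress

# Constructed sample data (documentation IP ranges, not values from the thread).
RELAY_IP = "192.0.2.10"        # stands in for the primary MX that relays inbound mail
SENDER_IP = "198.51.100.25"    # stands in for anotherdomain.org's own outbound server
STRANGER_IP = "203.0.113.7"    # a host that no policy authorizes
RECORDS = {
    "anotherdomain.org": "v=spf1 ip4:198.51.100.0/24 -all",
    # "norecord.example" deliberately publishes no SPF record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(terms, client_ip):
    """Walk ip4/all mechanisms left to right; None means nothing matched."""
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return None

def check_host(client_ip, domain, local_rules=""):
    """Assumed merge model: local mechanisms are tried before the sender's record."""
    local = local_rules.split()[1:]          # drop the "v=spf1" version tag
    record = RECORDS.get(domain)
    if record is None:
        if not local:
            return "none"                    # no policy at all
        policy = local                       # local rules are the whole policy
    else:
        # The sender's own "all" stays in charge of unmatched hosts.
        policy = [t for t in local if t.lstrip("+-~?") != "all"] + record.split()[1:]
    # RFC 7208 section 4.7: no mechanism matched and no redirect -> neutral.
    return evaluate(policy, client_ip) or "neutral"

LOCAL = "v=spf1 ip4:192.0.2.10/32"           # relay allowed, no "all" term
LOCAL_SOFT = LOCAL + " ~all"                 # same, ending in softfail

if __name__ == "__main__":
    for ip in (SENDER_IP, RELAY_IP, STRANGER_IP):
        for dom in ("anotherdomain.org", "norecord.example"):
            print(ip, dom, check_host(ip, dom), check_host(ip, dom, LOCAL),
                  check_host(ip, dom, LOCAL_SOFT))
```

Under this model a local rule without an `all` term never produces a fail for a domain that publishes no SPF record; the result is neutral, which most receivers accept.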
 