Jose GOmez
New Pleskian
Hi, I found an issue where some genuine emails coming from Office365 or Google servers were rejected by the SPF check on our server; only disabling the SPF check on Plesk (12.5) helped.
I found this article (https://kb.plesk.com/en/124056), removed the SPF local rule (include:spf.trusted-forwarder.org), and activated the SPF check on the panel again. But genuine emails were still rejected.
I examined the rejected emails, and their SPF DNS record contained for example this:
v=spf1 include:_spf.google.com ~all
Applying the same logic as this article, a ping to _spf.google.com gives you "Unknown host", but SPF doesn't resolve the domain in the "include" directive; it checks the SPF DNS record. So the SPF record for _spf.google.com exists and is:
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
If you keep checking the SPF of _netblocks.google.com, _netblocks2.google.com and _netblocks3.google.com, it finally gives you lists of IPs.
I checked, and the IPs of the rejected emails were included in the SPF records, yet the Plesk SPF check was still rejecting the emails. I believe this could be a bug or some kind of misconfiguration; I tested this on a fresh Plesk 12.5 server. My only solution so far is to disable the SPF check (which causes the users on this server to receive tons of spam), or to include all IPs of Office365 or Google servers in the whitelist of the email configuration. But I believe adding tons of IPs to the whitelist is not the best solution, so any help is appreciated.
Also, I believe this article is wrong: the issue is not that you cannot ping spf.trusted-forwarder.org, it is that you cannot find an SPF DNS record for this domain.
Regards.
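The include chain described in the post above, as an added example (not part of the original post and not Plesk's code): a simplified SPF evaluator that follows include: through TXT records only, never through address lookups. The TXT table is constructed; the include names are the ones quoted in the post, the ip4/ip6 ranges are documentation networks rather than Google's real ranges, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed TXT data: the include chain is the one quoted in the post;
# the ip4/ip6 ranges are documentation networks, not Google's real ranges.
TXT = {
    "sender.example": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    # spf.trusted-forwarder.org is deliberately absent: no SPF record found
    "forwarded.example": "v=spf1 include:spf.trusted-forwarder.org -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def check_host(ip, domain, txt=TXT, budget=None):
    """Evaluate the ip4/ip6/include/all terms of `domain`'s SPF record for `ip`."""
    budget = [MAX_LOOKUPS] if budget is None else budget
    record = txt.get(domain)  # stands in for a TXT query, never an A query
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            return RESULTS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying terms
            inner = check_host(ip, arg, txt, budget)
            if inner in ("none", "permerror"):
                return "permerror"  # include target has no usable SPF record
            matched = inner == "pass"  # softfail/fail inside an include means "no match"
        else:
            raise NotImplementedError(mech)  # a, mx, exists, ... are outside this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"
```

A "~all" inside an included record only ends that inner evaluation without a match; the verdict for a non-matching sender comes from the "all" term of the record that did the including.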