• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Trouble with spf

sp_tcset

New Pleskian
Hi,

I'm seeing this in my mail log:

Starting spf filter...
Error code: (18) Mechanisms used too many DNS lookups
SPF result: none
SPF status: PASS

That happens after the server received a message with a spoofed email address. If I check the spf record manually with dig for that domain, I see this:

"v=spf1 a mx ~all"

Which does't seem to exceed the limit of 10 DNS lookups. This is a problem for us since we are receiving spam and can't use spf to detect spoofed email addresses. My configuration under plesk is:
- Activate SPF
- Reject mail if SPF resolves to "fail" (deny)
- Local rules:
- Guess rules: v=spf1 +a +mx -all

Any help on how to solve this or at least how to prevent my spam issue?
 
Hello,

I managed to solve this by removing 1and1 as my secondary mail servers and removing local rules. But now SPF filter always says SOFTFAIL, while my domain SPF record does not allow this. My TXT record is:

v=spf1 a mx -all

But SPF filter solves SOFTFAIL when I send a spoofed email. I even tried in two different servers, both with plesk 12.5, one of them with CentOS 6.6 and the other with Ubuntu 12.04 LTS. Same results, always SOFTFAIL with the same DNS record.

I also used this tester (http://vamsoft.com/support/tools/spf-policy-tester) and it works like a charm, resolved to fail when it should and never resolves to SOFTFAIL. My plesk server doesn't behave this way. Any clue on how to solve this?

Thank you.
 
Hi sp_tcset,

"best" practiice to setup your SPF - entries is:

"v=spf1 +a +mx +a:hostname.server.com +ip4:XXX.XXX.XXX.XXX +ip6:XXXX:XXXX:XXXX:XXXX::X ?all"

... there should be an existing A - record, for your mail.domain.com
... the MX - record should match the A - record for your mail.domain.com
... the part "+a:hostname.server.com" should be existent and should match with your entry at : /etc/hostname
... it is wise to have a reverse entry to your entry at "/etc/hostname", which should resolve to your main IPv4 and a possible IPv6 address.
... list at least the main IPv4 of your server and if you setup your server as well with IPv6, don't forget to include that as suggested.
... don't be to strict with your "all" - setting. There is nothing wrong to use "~" or "?", when you setup your SPF - entry correctly.


Error code: (18) Mechanisms used too many DNS lookups
Please be aware that more than 10 DNS lookups in your SPF - setting will result in failures, no matter if each part might be correct. If you want to have a decent information on such errors, it is necessary that you provide the correct domain - name, or the IP.
 
@sp_tscet,

Also switch on the "spam protection based on DNS blackhole lists" and use (at least) zen.spamhaus.org.

If you are on a VPS, one could consider to use a/24 and mx/24, instead of simply a and mx. One should prefer the simple a and mx, for many reasons.

In addition, the spf record is a line of sequential rules (checked according to their place in the line), implying that "v=spf1 a mx ip4:<server IP> ip4:<server IP2, if any> ~all" is rather efficient (note that you can the ip6, but that is not strictly necessary).

Note that "?all" means "Neutral" and "~all" means "SoftFail", which implies that (only) "~all" results in "accept and mark" of mails, not passing the rules a, mx, ip4, ip6 etc.

Nothing wrong with "?all", but "~all" is more convenient, from the perspective of spam filtering purposes.

In general, it is not good to implement the strict "-all": it will do want you want, but in many cases additional issues can be occurring (for instance, too rigid filtering).

Finally, with respect to one post, in which you stated:

I managed to solve this by removing 1and1 as my secondary mail servers and removing local rules. But now SPF filter always says SOFTFAIL, while my domain SPF record does not allow this. My TXT record is:

v=spf1 a mx -all

But SPF filter solves SOFTFAIL when I send a spoofed email. I even tried in two different servers, both with plesk 12.5, one of them with CentOS 6.6 and the other with Ubuntu 12.04 LTS. Same results, always SOFTFAIL with the same DNS record.

I can only imagine that this particular behaviour, i.e. the dominance of the spf settings in the 1and1 servers, is the result of

1 - wrong MX priority of your own mail server, AND/OR
2 - incorrect DNS Records.

In general, it is "good practice" to have a secondary mail server, in order to have some sort of backup if one mail server goes down.

You should verify that:

- the MX priority of your own mail server is lower than the MX priority of the secondary mail servers (simply choose 5 for the primary mail server, this value always works)
- you have an A record pointing to the IP of your server, on which the mail server is hosted,
- if you have external nameservers (and that seems to be the case), the TXT record for spf is included at those external nameservers.

Finally, note that in your case the whole issue is probably due to the fact that you are using external nameservers: if Plesk is not used as a primary nameserver, the whole spf settings in Plesk (in your case: v=spf1 +a +mx -all) are not active (i.e. they are not effective) and other spf records are used.

If your nameservers do not contain a TXT record, it can be the case that you read out another spf record with the dig utility.

Anyway, just add a proper TXT record for spf to the nameservers used for the domain in question.

Hope the above helps...

Regards.....
 
@sp_tscet,

Also switch on the "spam protection based on DNS blackhole lists" and use (at least) zen.spamhaus.org.

If you are on a VPS, one could consider to use a/24 and mx/24, instead of simply a and mx. One should prefer the simple a and mx, for many reasons.

In addition, the spf record is a line of sequential rules (checked according to their place in the line), implying that "v=spf1 a mx ip4:<server IP> ip4:<server IP2, if any> ~all" is rather efficient (note that you can the ip6, but that is not strictly necessary).

Note that "?all" means "Neutral" and "~all" means "SoftFail", which implies that (only) "~all" results in "accept and mark" of mails, not passing the rules a, mx, ip4, ip6 etc.

Nothing wrong with "?all", but "~all" is more convenient, from the perspective of spam filtering purposes.

In general, it is not good to implement the strict "-all": it will do want you want, but in many cases additional issues can be occurring (for instance, too rigid filtering).

Finally, with respect to one post, in which you stated:



I can only imagine that this particular behaviour, i.e. the dominance of the spf settings in the 1and1 servers, is the result of

1 - wrong MX priority of your own mail server, AND/OR
2 - incorrect DNS Records.

In general, it is "good practice" to have a secondary mail server, in order to have some sort of backup if one mail server goes down.

You should verify that:

- the MX priority of your own mail server is lower than the MX priority of the secondary mail servers (simply choose 5 for the primary mail server, this value always works)
- you have an A record pointing to the IP of your server, on which the mail server is hosted,
- if you have external nameservers (and that seems to be the case), the TXT record for spf is included at those external nameservers.

Finally, note that in your case the whole issue is probably due to the fact that you are using external nameservers: if Plesk is not used as a primary nameserver, the whole spf settings in Plesk (in your case: v=spf1 +a +mx -all) are not active (i.e. they are not effective) and other spf records are used.

If your nameservers do not contain a TXT record, it can be the case that you read out another spf record with the dig utility.

Anyway, just add a proper TXT record for spf to the nameservers used for the domain in question.

Hope the above helps...

Regards.....


Hello,

I'm already using "spam protection based on DNS blackhole list". Also, I'm using only one MX server to test this spf setting. So this isn't related about priorioties. My domain is olewebs.com, 1and1 says my TXT record is v=spf1 +a +mx -all and I checked that with the dig utility. You can check that just in case you see something wrong. Also, I tried with another domain from hostytec. Same result.

1and1 lets me add both txt and spf records. I've read that it's advisable that both contain the same string. I'm trying that at the moment, going to wait until DNS changes propagate to see what happens. But imho this is a plesk issue. If I understood SPF and both 1and1 and dig utility aren't wrong, that txt entry should never result into SOFTFAIL.

I need to be that strict with this particular domain since it's important for us and our clients are receiving spoofed emails. I can only think of SPF records to solve this.

Thank you for your help, any more advice on how to solve this would be appreciated.
 
Last edited:
Hi sp_tcset,

both ( IPv4 + IPv6 ) doesn't resolve to your actual SPF - settings, when you do a reverse check - they resolve to your server - hostname ( s17816419.onlinehome-server.info ) , but your hostname is not included, as I already suggested.
"v=spf1 +a +mx +a:hostname.server.com +ip4:XXX.XXX.XXX.XXX +ip6:XXXX:XXXX:XXXX:XXXX::X ?all"



SPF - entries with the record type 99 are depricated, so you can safely delete the record: olewebs.com. 3599 IN SPF "v=spf1 a mx -all"
As you now actually have a SPF - entry, setup as TXT record type ( 16 ), there is as well no need for this additional, depricated SPF - record.

Please read RFC 7208, sect. 3.1, if you need further informations:
3.1. DNS Resource Records

SPF records MUST be published as a DNS TXT (type 16) Resource Record
(RR) [RFC1035] only. The character content of the record is encoded
as [US-ASCII]. Use of alternative DNS RR types was supported in
SPF's experimental phase but has been discontinued.

In 2003, when SPF was first being developed, the requirements for
assignment of a new DNS RR type were considerably more stringent than
they are now. Additionally, support for easy deployment of new DNS

RR types was not widely deployed in DNS servers and provisioning
systems. As a result, developers of SPF found it easier and more
practical to use the TXT RR type for SPF records.

In its review of [RFC4408], the SPFbis working group concluded that
its dual RR type transition model was fundamentally flawed since it
contained no common RR type that implementers were required to serve
and required to check. Many alternatives were considered to resolve
this issue, but ultimately the working group concluded that
significant migration to the SPF RR type in the foreseeable future
was very unlikely and that the best solution for resolving this
interoperability issue was to drop support for the SPF RR type from
SPF version 1. See Appendix A of [RFC6686] for further information.

The circumstances surrounding SPF's initial deployment a decade ago
are unique. If a future update to SPF were developed that did not
reuse existing SPF records, it could use the SPF RR type. SPF's use
of the TXT RR type for structured data should in no way be taken as
precedent for future protocol designers. Further discussion of
design considerations when using new DNS RR types can be found in
[RFC5507].


If you insist of using the "-all" - option at your DNS - settings, please keep in mind, that ALL your settings have to meet the settings and failures will result in SOFTFAILS or FAILS, your eMails might not be delivered in these cases. As already mentioned, a reverse check of your IPv4 and IPv6 result in pointing to "s17816419.onlinehome-server.info", but this is not included in your DNS - TXT - record for SPF.
The reverse of an IPv4 and/or IPv6 can be changed over the control panel from your server - hosting - provider 1and1, or if they don't have this option, please contact their support and request the desired change.




As I now noticed, when reading your initial post again, is the fact, that you copied a message from your mail.log, while YOUR mail - server checked an incomming eMail. Please be aware, that the settings under "Switch on SPF spam protection" has got nothing to with your own eMails from your server, these are all settings, how YOUR mail - server should handle incomming eMails. Outgoing eMails from your server are not checked for SPF - rules.

Starting spf filter...
Error code: (18) Mechanisms used too many DNS lookups
SPF result: none
SPF status: PASS
If you setup "SPF checking continues when there are DNS lookup problems", then possible errors like the copied one will result in a "pass" for the incomming eMail.
 
Hi sp_tcset,

both ( IPv4 + IPv6 ) doesn't resolve to your actual SPF - settings, when you do a reverse check - they resolve to your server - hostname ( s17816419.onlinehome-server.info ) , but your hostname is not included, as I already suggested.




SPF - entries with the record type 99 are depricated, so you can safely delete the record: olewebs.com. 3599 IN SPF "v=spf1 a mx -all"
As you now actually have a SPF - entry, setup as TXT record type ( 16 ), there is as well no need for this additional, depricated SPF - record.

Please read RFC 7208, sect. 3.1, if you need further informations:



If you insist of using the "-all" - option at your DNS - settings, please keep in mind, that ALL your settings have to meet the settings and failures will result in SOFTFAILS or FAILS, your eMails might not be delivered in these cases. As already mentioned, a reverse check of your IPv4 and IPv6 result in pointing to "s17816419.onlinehome-server.info", but this is not included in your DNS - TXT - record for SPF.
The reverse of an IPv4 and/or IPv6 can be changed over the control panel from your server - hosting - provider 1and1, or if they don't have this option, please contact their support and request the desired change.




As I now noticed, when reading your initial post again, is the fact, that you copied a message from your mail.log, while YOUR mail - server checked an incomming eMail. Please be aware, that the settings under "Switch on SPF spam protection" has got nothing to with your own eMails from your server, these are all settings, how YOUR mail - server should handle incomming eMails. Outgoing eMails from your server are not checked for SPF - rules.


If you setup "SPF checking continues when there are DNS lookup problems", then possible errors like the copied one will result in a "pass" for the incomming eMail.

Hi,

Thanks for your answer. Already included the A, ip4 and ip6 settings to my TXT record and deleted the SPF record. I still experience the same issue. As for the last part of your post, I'm using 2 plesk servers to test this. That mail.log was from the server which received the spoofed email. That server receives an email from X.X.X.X claiming it's from olewebs.com, but it is not, as olewebs.com is hosted at Y.Y.Y.Y. Then plesk resolved to SOFTFAIL, but it shouldn't do that. I'd expect PASS/HARDFAIL, but not a SOFTFAIL as I did not even include the SOFTFAIL(~) operator in my TXT settings. This is what I don't understand.

Let me explain better:
In X.X.X.X server, which DOES NOT host olewebs.com mail, I use this command in terminal:
Code:
 echo "hello" | mail -r "[email protected]" -s "hello" "[email protected]"

Now, my domain.com is hosted at Y.Y.Y.Y. I check the mail.log for this server and see this:
Code:
postfix/cleanup[5024]: 5E93420847: message-id=<5652c396.XRqtj7TjrZNtsGt9%[email protected]>
/usr/lib64/plesk-9.0/psa-pc-remote[19459]: handlers_stderr: SKIP
/usr/lib64/plesk-9.0/psa-pc-remote[19459]: SKIP during call 'limit-out' handler
/usr/lib64/plesk-9.0/psa-pc-remote[19459]: handlers_stderr: SKIP
/usr/lib64/plesk-9.0/psa-pc-remote[19459]: SKIP during call 'check-quota' handler
spf filter[5027]: Starting spf filter...
spf filter[5027]: SPF result: softfail
spf filter[5027]: SPF status: PASS
/usr/lib64/plesk-9.0/psa-pc-remote[19459]: handlers_stderr: PASS
/usr/lib64/plesk-9.0/psa-pc-remote[19459]: PASS during call 'spf' handler
postfix/qmgr[19484]: 5E93420847: from=<[email protected]>, size=739, nrcpt=1 (queue active)

You can see that plesk resolved to SOFTFAIL and the email got delivered. Then I use dig to check the TXT record and see this:
Code:
"v=spf1 +a +mx +a:s17816419.onlinehome-server.info +ip4:87.106.220.6 +ip6:2001:8d8:8b3:6000::4e:c5a0 -all"

As I said, I don't understand why plesk manages this as a SOFTFAIL.

Thank you for your attention.
 
Hi sp_tcset,

we are not able to GUESS, why the header of your mail from servers x have a softfail. You don't include any informations which lets us investigate server x and it's configuration.
 
Hi sp_tcset,

the spf filter checks the HEADER of an eMail, so please consider to post the header from your mail ( uncensored ), if you would like help with the investigations.
 
Hi sp_tcset,

the spf filter checks the HEADER of an eMail, so please consider to post the header from your mail ( uncensored ), if you would like help with the investigations.

Here are the headers I can see when I receive the spoofed email.

Code:
DomainKey-Status: no signature
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
   s16268349.onlinehome-server.info
X-Spam-Level:
X-Spam-Status: No, score=-0.7 required=7.0 tests=RCVD_IN_DNSWL_LOW
   autolearn=ham version=3.3.1
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from host.inteinet.net (inteinet.net [84.124.37.77])
   by s16268349.onlinehome-server.info (Postfix) with ESMTPS id F3C8729EA5
   for <[email protected]>; Mon, 23 Nov 2015 13:39:16 +0100 (CET)
Received-SPF: softfail (s16268349.onlinehome-server.info: transitioning domain of olewebs.com does not designate 84.124.37.77 as permitted sender) client-ip=84.124.37.77; [email protected]; helo=host.inteinet.net;
Received: by host.inteinet.net (Postfix, from userid 0)
   id 89F3C1C00B6; Mon, 23 Nov 2015 13:39:13 +0100 (CET)
Date: Mon, 23 Nov 2015 13:39:13 +0100
From: [email protected]
To: [email protected]
Subject: hello
Message-ID: <565308f1.Qg7bnVI+4zn/xLWP%[email protected]>
User-Agent: Heirloom mailx 12.5 6/20/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-PPP-Message-ID: <[email protected]>
X-PPP-Vhost: host.inteinet.net
X-Antivirus: avast! (VPS 151123-0, 11/23/2015), Inbound message
X-Antivirus-Status: Clean
 
Hi sp_tcset,

a "SOFTFAIL" will be treated as "NEUTRAL" ( = PASS ) as you can see in the documentation ( http://www.openspf.org/RFC_4408#op-checking ):
2.5.5. SoftFail
A "SoftFail" result should be treated as somewhere between a "Fail" and a "Neutral". The domain believes the host is not authorized but is not willing to make that strong of a statement. Receiving software SHOULD NOT reject the message based solely on this result, but MAY subject the message to closer scrutiny than normal.

The domain owner wants to discourage the use of this host and thus desires limited feedback when a "SoftFail" result occurs. For example, the recipient's Mail User Agent (MUA) could highlight the "SoftFail" status, or the receiving MTA could give the sender a message using a technique called "greylisting" whereby the MTA can issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the first time the message is received, but accept it the second time.

and your current setting is:
Reject mail if SPF resolves to "fail" (deny)
 
@sp_tcset

To be honest, you are making a problem of something that is "indifferent", in the sense that SOFTFAIL and HARDFAIL are (more or less) the same in your case.

There have been many miscommunications, leading to some confusing questions and answers.

The main "miscommunication" is that your mail gets parsed for spf records on the "host.inteinet.net" server, which is completely different from the "olewebs.com" server.

In fact, your mail gets passed around some servers, with mail ending up on the "host.inteinet.net" server.

Sure, the "host.inteinet.net" server is the origin of the mail being send, but it is also the receiving mail server.

All the above sounds a little bit strange and can be deemed very exceptional, but it can be the case: platforms running with multiple VPS and a central mail server, i.e. a sort of relay.

The before mentioned platform setup is really bad, amongst others for the fact that the (open) relay can be used (i.e. used or hacked) as a spam server.

You noticed already that some significant mail spoofing took place, well, there is your answer and root cause of the problem.

The SPF records do not really alter anything:

- you can change spf anyway you want, but if there is indeed a relay (i.e. central mail server) present, then the spf settings of that mail server prevail and dominate,
- you cannot tackle spam by altering spf, if there is indeed a relay (i.e. a central mail server) present, since that relay is very likely to be the compromised mail server,

and it must be clear by now that you really should change something about the setup of YOUR mail servers and, if possible, the PLATFORM setup (i.e. no relay).

In short, check the presence of a relay server first.

If you ask me, there is a factual relay server OR a setting that makes specific mail servers function as a relay server.

After all, you send from "olewebs.com" (87.106.220.6) to "tcset.com" (82.165.193.105), a domain running on s16268349.onlinehome-server.info (82.165.193.105).

In a normal world, the "host.inteinet.net" server should not be present in the mail sending process, but it is, implying that some (mail or other) server is interfering in the process.

However, there is another "miscommunication" that should be taken into account.

You try to send from [email protected] to [email protected] and this results in the hint that a mail server is interfering, as such hinting the presence of a dangerous relay.

In general, you should always try to duplicate errors and/or verify results by:

a) sending mail from some general mailbox (gmail for instance) to [email protected] AND sending a separate mail from some general mail (gmail for instance) to [email protected]: this allows you to determine on which business end (tcset.com or olewebs.com) the "SOFTFAIL error" is caused (i.e. isolation of WHERE the issue occurs),

b) reply to the messages send to the general mailbox (for instance, if using gmail, reply to the gmail address and check the "original message" in gmail),

c) send mail from [email protected] to [email protected]: this allows you to determine WHAT causes the "SOFTFAIL error".

If you ask me, action a AND c will not yield any issue at all, but action b will probably result in output containing lines with "SOFTFAIL" and "host.inteinet.net".

If the before mentioned result occurs again, then there is an relay.

This relay can be closed or open, but it is very likely that it is open, given the spoofed mail that you have spoken of.

It is very likely that you cannot change anything outside your VPS, so be aware that you can also prevent mail spamming & spoofing by using other tools, such as

- Domain Keys,
- DMARC records (just Google it, Google has a simple explanation and on this forum there is also a couple of threads with respect to DMARC)

and even consider to get a VPS elsewhere: your domain/server reputation can be already compromised, potentially resulting in an ineffective (blacklisted) mail server.

Hope the above helps...

Regards....
 
Back
Top