A little question on SPF-Records

Discussion in 'ISPConfig 3 Priority Support' started by schmidtedv, Mar 23, 2021.

  1. schmidtedv

    schmidtedv Member HowtoForge Supporter

    I'm using a dedicated server from Hetzner in Germany with ISPConfig and Ubuntu 16.04. This server manages our web-domains and mail-domains and has it's own RDNS mail.example.com. Other domains on this server are 123.de, 456.de, 789.de. MX-, A- and TXT-Records are managed by myself, but external over my Registrar-Accounts (HostEurope and Schlundtech). For each mail-domain I'm using DKIM and DMARC and created individual A-, MX- and TXT-Records as there are (short version):
    123.de A IPv4
    123.de TXT "v=spf1 a mx ~all"
    123.de MX 10 mail.123.de

    However, If I'm using some Formmailer on that server, the Mailheader might show up with [email protected]. So, to be safe, should I include the RDNS mail.example.com in my SPF-Record: "v=spf1 a mx a:mail.example.com ~all" ?

    Reason: At the moment gmx and web.de in germany are a pain in the ass and I'm trying to figure out, why our mails get permanently blocked without being on any RBL-List. mxtoolbox tells me everything is fine, but maybe the Formmailer, sending out copies to our customers by using the Server-RDNS, is - not being included in my SPF - a kind of reason?
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    SPF uses the IP. When adding a hostname, it will look up the IP for that hostname.

    EDIT: So no, there should be no need to add it.
  3. schmidtedv

    schmidtedv Member HowtoForge Supporter

    Ok, that's what I thougt in first place...thanks. However, sometimes I see some kind of warning in the Mailheader from forwarded Mails, telling me, that the sending Server was not the one that's expected to be authorised (or not matching the MX-Record, I can't remember exactly). Well, I will try to pick this up and tell exactly, when I receive this kind of Header again.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    SPF pertains to the helo hostname and envelope sender domain, both would probably use mail.example.com by default from using /usr/sbin/sendmail to send messages. So create an spf record for mail.example.com with "v=spf1 a ~all" (or -all).

    Then you can look at what coming from your formmailer actually uses for ehlo hostname and the envelope sender, it could in theory use something differently for either (if it sends via smtp or uses sendmail -f).

    SPF does not survive forwarding through mail systems unless the forwarding system changes the sending address.

    To help your mail delivery you want to have aligned spf and aligned dkim checks pass. dkim will survive most forwarding systems (though not all, some rewrite signed headers as it handles the message and can break dkim, too). And while putting those in place, setup dmarc records, eventually moving to a reject or quarantine policy, and that will improve your delivery as well.
  5. schmidtedv

    schmidtedv Member HowtoForge Supporter

    Ok, so - if I get this right - the shortest SPF for me (everything on 1 server) would be:
    v=spf1 ip4:xxx ip6:xxx -all
    Everything would be included and there should be nothing to complain about (at least the tools like mxtoolbox and so on don't). Everything else is handled by DKIM and DMARC and - if someone still blocks or unusually defers our mails - it should be a problem by himself (theoretical, ironic, cynical).
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, that's probably the shortest for a host's spf record. For domains you often have 'mx', 'a:www.domain.com' and some things, but it really depends on how much your addressing changes and how services are setup as to what to use.
    Yes, pretty much, for modern mail systems. You could argue a case that "-all" in an spf record is asking for mail to be rejected which does not pass spf (eg. like the mail your server sent and gets forwarded somewhere else), and that's certainly what was originally intended, but nowadays with the dmarc/dkim/spf combo I often see "-all" in use and it apparently isn't as much of a problem (I don't know an rfc reference which says the intention of -all changed, but I suspect there is such). Surely there will be mail systems out there that reject based on that; I would consider them "outdated" but you may run into them.

Share This Page