Completely lost in SPF! please help

Discussion in 'Server Operation' started by phinex, Mar 18, 2012.

  1. phinex

    phinex New Member

    Hi there,

    My setup is as below:

    VPS (Debian, Postfix, Dovecot, system accounts as email addresses)
    Domain name: example.biz
    Host name: mail.example.biz
    IP address: 62.75.aaa.bb
    EHLO: mail.example.biz
    RDNS: mail.example.biz
    Email account: name@example.biz
    Sending from: Evolution SMTP on port: 26
    Server: for sending and receiving emails & web server exclusively for one domain
    IP: one dedicated IP only
    DNS records:
    Code:
    -/-     A              62.75.aaa.bb
    ftp     A              62.75.aaa.bb
    mail    A              62.75.aaa.bb
    -/-     MX       1     mail.example.biz
    -/-     TXT            v=spf1 ip4:62.75.aaa.bb -all
    mail    TXT            v=spf1 ip4:62.75.aaa.bb -all
    imap    CNAME          mail.example.biz
    pop     CNAME          mail.example.biz
    smtp    CNAME          mail.example.biz
    www     CNAME          example.biz
    <spf-test@openspf.net>: host mailout02.controlledmail.com[72.81.252.18] said:
    550 5.7.1 <spf-test@openspf.net>: Recipient address rejected: SPF Tests:
    Mail-From Result="fail": Mail From="name@example.biz" HELO
    name="mail.example.biz" HELO Result="fail" Remote IP="62.75.aaa.bb" (in
    reply to RCPT TO command)


    I've tried almost everything, but I'm still getting a fail.

    Please help.
     
    Last edited: Mar 18, 2012
  2. falko

    falko Super Moderator ISPConfig Developer

    Is the DNS server where you created the SPF record authoritative for the domain?

    Also, it can take up to 72 hours for DNS changes to propagate.
     
  3. phinex

    phinex New Member

    Hi Falko, and thanks for your reply.
    More than 72 hours have passed since I inserted the records.
    (these records I inserted in the Power Panel of the VPS provider)
    Sorry, but I don't know how to tell whether it's authoritative or not. Maybe this helps:

    nslookup 62.75.aaa.bb
    Server: 192.168.2.1
    Address: 192.168.2.1#53

    Non-authoritative answer:
    bb.aaa.75.62.in-addr.arpa name = mail.example.biz.

    Authoritative answers can be found from:
    bb.aaa.75.62.in-addr.arpa nameserver = ptr2.intergenia.de.
    bb.aaa.75.62.in-addr.arpa nameserver = ptr1.intergenia.de.
    ptr1.intergenia.de internet address = 217.172.191.251
    ptr2.intergenia.de internet address = 62.75.134.6

    P.S.:
    # I checked with AOL and the SPF test passes there, though I don't
    know why I'm still getting a fail when testing with spf-test@openspf.net.
    # Does that have anything to do with the IP number I'm getting from my ISP when sending from Evolution? Though I'm using port 26
    to bypass their mail server...
     
    Last edited: Mar 19, 2012
  4. falko

    falko Super Moderator ISPConfig Developer

    Does
    Code:
    dig txt yourdomain.com
    show your SPF record?
     
  5. phinex

    phinex New Member

    Looks so:

    Code:
    phinex@ubuntu:~$ dig txt example.biz
    
    ; <<>> DiG 9.7.3 <<>> txt example.biz
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33386
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    
    ;; QUESTION SECTION:
    ;example.biz.			IN	TXT
    
    ;; ANSWER SECTION:
    example.biz.		86400	IN	TXT	"v=spf1 ip4:62.75.aaa.bb -all"
    
    ;; AUTHORITY SECTION:
    example.biz.		86400	IN	NS	ns9.nameserverservice.de.
    example.biz.		86400	IN	NS	ns10.nameserverservice.de.
    
    ;; ADDITIONAL SECTION:
    ns9.nameserverservice.de. 57454	IN	A	85.25.128.54
    ns10.nameserverservice.de. 57454 IN	A	89.19.225.101
    
    ;; Query time: 503 msec
    ;; SERVER: 192.168.2.1#53(192.168.2.1)
    ;; WHEN: Tue Mar 20 16:49:09 2012
    ;; MSG SIZE  rcvd: 161
    And exactly the same results with:
    Code:
    phinex@ubuntu:~$ dig txt mail.example.biz
     
    Last edited: Mar 20, 2012
  6. falko

    falko Super Moderator ISPConfig Developer

    That looks ok. Can you change the SPF record to
    Code:
    v=spf1 +ip4:62.75.aaa.bb -all
    and test again?
     
  7. erosbk

    erosbk New Member

  8. phinex

    phinex New Member

    OK, I'll give it a try, though by definition the '+' can be omitted.

    Could it be that I should include the ISP IP address in the record, because it is present in the header as "Send By"?
     
  9. phinex

    phinex New Member

    Thanks for the tip, my SPF also passes with port25.com.
    So either spf-test@openspf.net has a bug, which is highly unlikely, or
    we are missing something, for example "including the ISP IP address in the record" ... or?
     
  10. erosbk

    erosbk New Member

    I think that there is no bug in "spf-test@openspf.net". If you send a mail from Gmail, you will see that it is working. I think that we have to do a little more research on this; falko, I think, could help us to see what is happening.

    As I see it, you are at exactly the same point that I am xD
     
  11. gapa

    gapa New Member

  12. joemiller

    joemiller New Member

    That could be worth looking at. I had a case like that a while ago, where the ISP had basically hijacked all emails so they came from their server. It caused SPF authentication to fail.

    I sorted it by looking at the email client settings (I think you said this was Evolution) and changing it so they go directly to the mail server. I'm not sure if this applies in your case.

    The problem with adding the ISP IP address to your SPF record is you're then authorising anyone with an email account on that server to send emails as you.

    hope this helps.
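
Two points from this thread, as an added example that is not part of any poster's message: a mechanism without a qualifier is treated as `+`, and the receiver evaluates SPF against the IP address that connects to it, so mail diverted through an ISP relay fails a record that lists only the mail server. `check_spf` is a hypothetical, simplified evaluator (ip4/ip6/all only, no DNS lookups), and the addresses are constructed documentation-range stand-ins for the masked server IP and an ISP relay.

```python
import ipaddress

# SPF qualifier -> result (RFC 7208). No qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right for one connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # First matching mechanism decides the result.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        else:
            # a, mx, include, redirect ... need DNS and are out of scope here.
            raise ValueError(f"unsupported term: {term}")
    return "neutral"  # nothing matched and the record has no "all"


def demo():
    # Constructed sample addresses (documentation ranges), not from the thread.
    server, isp_relay = "192.0.2.10", "198.51.100.25"
    strict = f"v=spf1 ip4:{server} -all"
    explicit_plus = f"v=spf1 +ip4:{server} -all"
    widened = f"v=spf1 ip4:{server} ip4:{isp_relay} -all"
    return {
        "direct, original record": check_spf(strict, server),
        "direct, explicit '+'": check_spf(explicit_plus, server),
        "via ISP relay, original record": check_spf(strict, isp_relay),
        # Passes for every customer of that relay, not only this domain's owner.
        "via ISP relay, relay IP added": check_spf(widened, isp_relay),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```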
     
