Getting an SPF softfail - IP6?

Discussion in 'Installation/Configuration' started by James A, Mar 29, 2014.

  1. James A

    James A Member HowtoForge Supporter


    I am checking my SPF status at [email protected] and I get a softfail.

    from the header info it listed at the bottom of the reply it looks as though it is receiving my IP6 address not my IP4 and I presume using this with my txt record.

    Header info
    Return-Path: <[email protected]>
    Received: from (2001:888:888:888::66:5100) by id h6skbm11u9cp for <[email protected]>; Sat, 29 Mar 2014 16:10:35 -0400 (envelope-from <[email protected]>)
    Authentication-Results:; spf=softfail (SPF-Result: SoftFail)

    txt record
    v=spf1 a mx ~all

    I am also currently having fun with gmail blocking and had read that gmail were doing this to IP6 connections.

    My question is if this is to do with using IP6 how can I get my system to only use IP4 and is that a good solution or should I be doing something else.

    The server is running Debian Wheezy, Courier, ISPconfig, Postfix.
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    You only allow all mx-servers in your domain to send mail. Make sure that you have an A and an AAAA-Record for your mx-servers in the dns-zone.

    Regarding google - and without any error-message - you have a ptr-record defined?

    You can configure postfix to use ipv4 only and you can also define postfix to use ipv4 to send to some domains. But i think you fix your setup to use ipv4 and ipv6.
  3. James A

    James A Member HowtoForge Supporter

    Thanks Florian

    I added the AAAA record for each account and all looks good.

    On the gmail front I did check everything on Friday afternoon and noticed the ptr wasn't resolving correctly so changed that then. I have also configured the ptr for IP6 now as well and gmail looks to be working ok again, at least no bounce back to my test just now. Either google has responded to my reported mail issue in double quick time or correcting the IP6 and ptr records has done the trick.

    Hope this helps someone else.
  4. James A

    James A Member HowtoForge Supporter

    Spoke too soon, still getting some bounce back from google. Looking at the tests everything is now passing with the exception of DomainKeys check which looks to be an earlier version of DKIM, is this necessay in which case is there a guide:

    Summary of Results
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    Funny thing is when they do allow messages in from some of the accounts they may let the first then block the next etc, or one replying to a gmail email.

    The header on the received mail also looks ok:

    Delivered-To: [email protected]
    Received: by with SMTP id t6cspxxxxxxqdk;
    Mon, 31 Mar 2014 06:26:58 -0700 (PDT)
    X-Received: by with SMTP id n4mr123xxxxxwib.4.1396272418241;
    Mon, 31 Mar 2014 06:26:58 -0700 (PDT)
    Return-Path: <[email protected]>
    Received: from ( [2001:xxx:86d:xxx::6d:8888])
    by with ESMTP id y6si220000eep.257.1111.
    for <[email protected]>;
    Mon, 31 Mar 2014 06:26:58 -0700 (PDT)
    Received-SPF: pass ( domain of [email protected] designates 2001:xxx:86d:xxx::6d:8888 as permitted sender) client-ip=2001:xxx:86d:xxx::6d:8888;
    spf=pass ( domain of [email protected] designates 2001:xxx:86d:xxx::6d:8888 as permitted sender) [email protected];
    dkim=pass [email protected]
    Received: from localhost (localhost.localdomain [])
    by (Postfix) with ESMTP id 5DF5F33B
    for <[email protected]>; Mon, 31 Mar 2014 14:26:57 +0100 (BST)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;

    Any thoughts are appreciated.
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    "DomainKeys check: neutral" means, that the mail was signed but may contain syntax-errors. How to you sign your mails with DKIM and is your public-key in your DNS?
  6. James A

    James A Member HowtoForge Supporter

    Hi Florian

    I use amavis-new to create the key:

    amavisd-new genrsa /var/db/dkim/$DomainName.key.pem

    I then include a reference to the key in /etc/amavis/conf.d/50-user along with the other configuration lines required:

    #DKiM Check Configuration
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1;
    @dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
    @mynetworks = qw(; # list your internal networks

    $interface_policy{'10024'} = 'DKIM_ALWAYS';
    $policy_bank{'DKIM_ALWAYS'} = { originating => 1, };

    dkim_key('', 'mail', '/var/db/dkim/');

    I then use amavisd-new showkeys to get the key text for the DNS record which I then enter as a txt record into ISPConfigs DNS record for the domain. This has a name like followed by a text key similar to:


    Finally I test the key using amavisd-new testkeys and if it passes restart amavis:

    /etc/init.d/amavis restart

    That's it, am I missing something or have I got an error. I assumed it was all working correctly because amavisd-new testkeys gives a pass and because the report said:

    DKIM check: pass

    If you can point me in the right direction that would be greatly appreciated.
  7. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    You create a dkim-key for and a dns-record for

    I prefer to send some test-mails to different services as described here to get additional informations.
  8. James A

    James A Member HowtoForge Supporter

    Got to say still somewhat confused by the DomainKeys check: neutral. Having tested with the other services described they all say things like:

    Message does not contain a DomainKeys Signature

    But they then all go on to say the message contains a DKIM Signature which they pass.

    Looking up further about DomainKeys, these all appear to use a


    format so I assume the issue is the encoding where I currently use

    v=DKIM1; p=KGFfM.............

    Presumably if I wanted to get DomainKeys to work as well as DKIM then I would need to use another encrypted rsa key and create a separate text record for this.

    Apologies if this is me being stupid but it has just got me very confused. I guess if someone who reads this has passed both can you let me know what you did.
  9. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Ig you run amavisd-new showkeys as described above you get the correct TXT-record for your dns.

    I recommend to use to check your dkim signature. You get a detailed list what is wrong.
  10. James A

    James A Member HowtoForge Supporter

    Thanks Florian, unlocktheinbox confirms everything is fine with my DKIM check and public DKIM KEY so everything looks ok.

    DKIM Check
    Signature Found:Yes
    SM Sig Verification:passed
    LL Sig Verification:passed
    From Signed:Yes
    Restricted Headers Signed:No

    I have even added a DMARC check which is all passed

    Record Syntax:passed
    DKIM Test:passed
    SPF Test:passed
    ADKIM Test:passed
    ASPF Test:passed
    RUA Test:passed
    RUF Test:passed
    DMARC Passed:Yes
    DMARC Record Location:Click Here:

    But it still says signiture not found under Domain Keys Check so I have to assume this is a different test, and I can therefore ignore this result.

    Domain Keys Check (Obsolete)
    Signature Found:No -

    Public Domain Key (Obsolete)
    Selector Location:Not Found -

    Once again thanks for all your help. James

Share This Page