Mail rejected because of SPF lookup - can a MX record be a CNAME?
Solution 1
SERVFAIL is not the same as NXDOMAIN. The error message means that they were unable to even contact a name server at all when looking up the SPF records.
It could be their name server or yours that was unable to respond.
If this is your mail server, you should find out what the SPF lookup was and why it failed.
Solution 2
For simplicity you could use the setup below. Also, I thoroughly recommend you set an SPF record for both domains. SPF isn't foolproof by any stretch of the imagination, but many people require it, so it's worth setting up since it's just a DNS entry:
ourdomain.com.        IN MX  5 mail.ourdomain.com.
clientdomain.com.     IN MX  5 mail.ourdomain.com.
mail.ourdomain.com.   IN A   1.2.3.4
ourdomain.com.        IN TXT "v=spf1 a:mail.ourdomain.com ~all"
clientdomain.com.     IN TXT "v=spf1 a:mail.ourdomain.com ~all"
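As an added example (not code from either answer), here is a small Python linter over a constructed in-memory zone that flags the two problems discussed on this page, an MX target that is a CNAME (RFC 2181 section 10.3) and a mail domain with no SPF record, plus a minimal SPF evaluator covering only the `a:` and `all` mechanisms used above. The record set and the address 1.2.3.4 are constructed sample data.

```python
from typing import Dict, List, Tuple

# Constructed sample zone: (owner name, rrtype) -> list of rdata strings.
# clientdomain.com deliberately reproduces the question's setup: its MX
# points at a CNAME and it has no SPF TXT record at all.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("ourdomain.com", "MX"): ["5 mail.ourdomain.com"],
    ("clientdomain.com", "MX"): ["5 mail.clientdomain.com"],
    ("mail.ourdomain.com", "A"): ["1.2.3.4"],                    # placeholder IP
    ("mail.clientdomain.com", "CNAME"): ["mail.ourdomain.com"],  # RFC 2181 10.3 violation
    ("ourdomain.com", "TXT"): ["v=spf1 a:mail.ourdomain.com ~all"],
}

def lookup(zone, name: str, rtype: str) -> List[str]:
    """Return rdata for (name, rtype), ignoring a trailing dot; [] if absent."""
    return zone.get((name.rstrip("."), rtype), [])

def spf_records(zone, domain: str) -> List[str]:
    return [t for t in lookup(zone, domain, "TXT") if t.startswith("v=spf1 ")]

def lint_mail_domain(zone, domain: str) -> List[str]:
    """Problems a receiving MTA would trip over for one mail domain."""
    problems = []
    for mx in lookup(zone, domain, "MX"):
        target = mx.split()[1]
        if lookup(zone, target, "CNAME"):
            problems.append(f"MX target {target} is a CNAME (RFC 2181 s10.3)")
        elif not lookup(zone, target, "A"):
            problems.append(f"MX target {target} has no A record")
    n = len(spf_records(zone, domain))
    if n != 1:
        problems.append(f"{domain} has {n} SPF records (want exactly 1)")
    return problems

def spf_check(zone, domain: str, sender_ip: str) -> str:
    """Minimal SPF: 'a:host' matches the host's A records; '~all'/'-all' end
    evaluation. Returns pass/softfail/fail/neutral, 'none' if no record,
    'permerror' if more than one (RFC 7208 4.5)."""
    spf = spf_records(zone, domain)
    if len(spf) != 1:
        return "none" if not spf else "permerror"
    for term in spf[0].split()[1:]:
        if term.startswith("a:") and sender_ip in lookup(zone, term[2:], "A"):
            return "pass"
        if term == "~all":
            return "softfail"
        if term == "-all":
            return "fail"
    return "neutral"
```

Run `lint_mail_domain(ZONE, "clientdomain.com")` to see both findings; a real deployment would answer the same lookups through a resolver, which is where the SERVFAIL in the question surfaces.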
Mike B
Updated on September 18, 2022
Comments
- Mike B (almost 2 years):
We're serving mail for a group of customers, and (only) one of them is seeing (some of) their mails rejected.
The situation is:
- Our server: ourdomain.com -> forward and reverse DNS lookups resolve correctly
- Served domain: clientdomain.com
Dig over clientdomain.com:
clientdomain.com. 2742 IN MX 5 mail.clientdomain.com.
mail.clientdomain.com. 2742 IN A ip.of.ourdomain.com
Error to mail clients:
Recipient address rejected: SPF-Result=ourdomain.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'ourdomain.com' (in reply to RCPT TO command)
My main question is...
Would something like this be better?
clientdomain.com. 2742 IN MX 5 mail.clientdomain.com
mail.clientdomain.com. 2742 IN CNAME ourserver.com
Secondary question... if the above answer is NO, what can I do? Add an SPF record in favour of ourserver.com? Why aren't other clients noticing this?
Thanks for reading
- Ladadadada (over 11 years): The second DNS example in your question doesn't make any sense. None of the domains in the records match any of the domains in the first section. MX records that point at a CNAME are not supported.
- Mike B (over 11 years): You're right. I did something wrong with copying my example from notepad. I edited for clarity.
- James Sneeringer (over 11 years): RFC 2181 section 10.3 explicitly states that MX records must not point to CNAMEs.
- jwbensley (over 11 years): @JamesSneeringer Interesting, I have seen them in use, working, but I have updated the answer to reflect this new information. Thanks!
- Skaperen (over 11 years): I've seen lots of DNS violations, such as CNAMEs going through 4 references (so the middle ones are most certainly not canonical), and they work in most cases. But they are still wrong, and in cases where they are found to fail, it's the usage that is wrong.
- Mike B (over 11 years): There was no SPF record, so it couldn't resolve. Thanks.
- Mike B (about 11 years): Although the answers here helped and improved the situation, after some weeks I finally found the root problem, and you were fully right. The problem was that ourdomain.com was so slightly misspelled in the postfix configuration files that I didn't see it the first time (nor the second or third).