Mail rejected because of SPF lookup - can a MX record be a CNAME?

Solution 1

SERVFAIL is not the same as NXDOMAIN. The error message means that they were unable to even contact a name server at all when looking up the SPF records.

It could be their name server or yours that was unable to respond.

If this is your mail server, you should find out what the SPF lookup was and why it failed.

Solution 2

For simplicity you could use the below setup. Also, I thoroughly recommend you set an SPF record for both domains. SPF isn't foolproof by any stretch of the imagination, but many people enforce the requirement for it, so it's worth setting up since it's just a DNS entry:

ourdomain.com         IN   MX  5  mail.ourdomain.com
clientdomain.com      IN   MX  5  mail.ourdomain.com
mail.ourdomain.com    IN   A      1.2.3.4

ourdomain.com         IN   TXT    "v=spf1 a:mail.ourdomain.com ~all"
clientdomain.com      IN   TXT    "v=spf1 a:mail.ourdomain.com ~all"
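The two failure modes discussed on this page, an MX target that is a CNAME (which RFC 2181 section 10.3 forbids) and a domain whose SPF lookup returns no record, can be caught by checking the zone before mail is sent. The checker below is an added example, not code from either answer; the zone text, names and addresses in it are constructed to mirror the records on this page.

```python
import re
from collections import defaultdict

# Constructed sample zone in the same shape as the records on this page: the
# answer's working records for ourdomain.com, plus a client domain that has no
# SPF record and whose MX target is a CNAME rather than an A record.
SAMPLE_ZONE = """
ourdomain.com.         IN MX    5 mail.ourdomain.com.
mail.ourdomain.com.    IN A     1.2.3.4
ourdomain.com.         IN TXT   "v=spf1 a:mail.ourdomain.com ~all"
clientdomain.com.      IN MX    5 mail.clientdomain.com.
mail.clientdomain.com. IN CNAME mail.ourdomain.com.
"""

# owner [ttl] IN type rdata  (TTL is optional, so dig output parses as well)
RECORD = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+(MX|A|AAAA|CNAME|TXT)\s+(.*)$')

def _name(n):
    """Normalise a DNS name: lowercase, no trailing dot."""
    return n.lower().rstrip('.')

def parse_zone(text):
    """Return {(owner, rtype): [rdata, ...]} for the record types checked here."""
    zone = defaultdict(list)
    for line in text.strip().splitlines():
        m = RECORD.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            zone[(_name(owner), rtype)].append(rdata.strip())
    return zone

def check_mail_setup(zone):
    """Apply this page's checks to every domain that publishes MX; return findings."""
    findings = []
    for (owner, rtype), rdatas in list(zone.items()):
        if rtype != "MX":
            continue
        for rdata in rdatas:
            target = _name(rdata.split()[-1])       # last token is the exchange host
            if (target, "CNAME") in zone:
                findings.append(f"{owner}: MX target {target} is a CNAME (RFC 2181 10.3)")
            elif (target, "A") not in zone and (target, "AAAA") not in zone:
                findings.append(f"{owner}: MX target {target} has no A/AAAA record")
        # An SPF record is a TXT record whose first term is exactly v=spf1.
        spf = [t for t in zone.get((owner, "TXT"), [])
               if t.strip('"').lower().split()[:1] == ["v=spf1"]]
        if not spf:
            findings.append(f"{owner}: no SPF record, so an SPF lookup returns nothing")
        elif len(spf) > 1:
            findings.append(f"{owner}: {len(spf)} SPF records is a permerror (RFC 7208)")
    return findings
```

Running `check_mail_setup(parse_zone(SAMPLE_ZONE))` reports nothing for ourdomain.com and two findings for clientdomain.com: the CNAME'd MX target and the missing SPF record.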
Author: Mike B

Updated on September 18, 2022

Comments

  • Mike B
    Mike B almost 2 years

    We're serving mail for a group of customers, and (only) one of them is seeing (some of) their mails rejected.

    The situation is:

    • Our server: ourdomain.com -> Gets forward and reverse DNS lookup correctly resolved
    • Served domain: clientdomain.com

    Dig over clientdomain.com:

    clientdomain.com.       2742    IN      MX      5 mail.clientdomain.com.
    mail.clientdomain.com.  2742    IN      A       ip.of.ourdomain.com
    

    Error to mail clients:

    Recipient address rejected:
    SPF-Result=ourdomain.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'ourdomain.com' (in reply to RCPT TO command)
    

    My main question is...

    Would something like this be better?

    clientdomain.com.         2742    IN      MX      5 mail.clientdomain.com
    mail.clientdomain.com.    2742    IN      CNAME   ourserver.com

    Secondary question... if the above answer is NO, what can I do? Add an SPF record in favour of ourserver.com? Why aren't other clients noticing this?

    Thanks for reading

    • Ladadadada
      Ladadadada over 11 years
      The second DNS example in your question doesn't make any sense. None of the domains in the records match any of the domains in the first section. MX records that point at a CNAME are not supported.
    • Mike B
      Mike B over 11 years
      You're right. I did something wrong with copying my example from notepad. I edited for clarity.
  • James Sneeringer
    James Sneeringer over 11 years
    RFC2181 section 10.3 explicitly states that MX records must not point to CNAMEs.
  • jwbensley
    jwbensley over 11 years
    @JamesSneeringer Interesting, I have seen them in use, working, but I have updated the answer to reflect this new information. Thanks!
  • Skaperen
    Skaperen over 11 years
    I've seen lots of DNS violations, such as CNAMEs going through 4 references (so the middle ones are most certainly not canonical), and they work in most cases. But they are still wrong, and in cases where they are found to fail, it's the usage that is wrong.
  • Mike B
    Mike B over 11 years
    There was no SPF record, so it couldn't resolve. Thanks.
  • Mike B
    Mike B about 11 years
    Although the answers here helped and improved the situation, after some weeks I finally found the root problem and you were fully right. The problem was that ourdomain.com was so slightly misspelled in the Postfix configuration files that I didn't see it the first time (nor the second or third).