SPF record when sending mails from two different IPs
Solution 1
First, the correct SPF record for your domain somedomain.com is...
somedomain.com. IN TXT "v=spf1 mx ip4:2.2.2.2 -all"
which means you will send mails only from your mail server (defined in MX record) mail.somedomain.com or a host with ip address 2.2.2.2.
And these mails should have somedomain.com in their "HELO" or "MAIL FROM" identity during mail transactions.
Marco, would you show the mail header that returned as authorization failed?
Solution 2
You say some mails sent from 2.2.2.2 fail SPF validation, correct? Do you have multiple internet lines at the location of your 2.2.2.2 server? It's possible that outgoing mail traffic might be routed over another internet line, and therefore, out another IP address.
Also, your SPF record is needlessly complicated. All that would be necessary would be v=spf1 mx ip4:2.2.2.2 -all. Only one instance of each IP which originates mail from your domain needs to be listed.
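Added example (not from the original answers): a small offline evaluator for the a, mx, ip4 and all mechanisms, run against a constructed zone that mirrors the question's DNS records, so the wizard-generated record and the shorter one can be compared term by term. The function names and the ZONE table are assumptions for illustration; a full SPF implementation also handles include, redirect, macros and CIDR suffixes, which this sketch leaves out.

```python
import ipaddress

# Constructed zone data mirroring the DNS records listed in the question.
ZONE = {
    ("somedomain.com", "A"): ["1.1.1.1"],
    ("mail.somedomain.com", "A"): ["1.1.1.1"],
    ("somedomain.com", "MX"): ["mail.somedomain.com"],
}
WIZARD = "v=spf1 a mx ip4:1.1.1.1 mx:mail.somedomain.com ip4:2.2.2.2 -all"
SIMPLE = "v=spf1 mx ip4:2.2.2.2 -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed ZONE."""
    return ZONE.get((name.lower(), rtype), [])


def mechanism_networks(mech, domain):
    """Return (networks the mechanism authorizes, whether it costs a DNS lookup)."""
    name, _, arg = mech.partition(":")
    target = arg or domain
    if name == "ip4":
        return [ipaddress.ip_network(arg, strict=False)], False
    if name == "a":
        return [ipaddress.ip_network(a) for a in lookup(target, "A")], True
    if name == "mx":  # MX names of the target, then the A records of each MX host
        hosts = lookup(target, "MX")
        return [ipaddress.ip_network(a) for h in hosts for a in lookup(h, "A")], True
    raise ValueError(f"mechanism not covered by this sketch: {mech}")


def check_spf(record, client_ip, domain):
    """Evaluate terms left to right; return (result, matching term, DNS-using terms seen)."""
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    ip, dns_terms = ipaddress.ip_address(client_ip), 0
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier], "all", dns_terms
        networks, uses_dns = mechanism_networks(term, domain)
        dns_terms += uses_dns
        if any(ip in net for net in networks):
            return QUALIFIERS[qualifier], term, dns_terms
    return "neutral", None, dns_terms  # no term matched and no "all" present
```

Both records give the same verdict for every address; the wizard's version only spends extra DNS lookups, and its mx:mail.somedomain.com term authorizes nothing because that name has no MX records.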
Solution 3
Marco, FWIW - I now find http://www.unlocktheinbox.com/spfwizard/ to be a great SPF wizard (just for future knowledge) and an overall great resource for all things DNS/Email related.
They also have a great testing tool for DNS records. Anytime I make a change I always send a test email to [email protected] to verify the records. It's saved me more time than I care to admit.
I saw an earlier comment suggesting that only "some" of the emails are being blocked, is that accurate the way you stated it, or are they ALL blocked? What have you tried as a result of the comments?
Marco Demaio
Updated on September 18, 2022
Comments
-
Marco Demaio almost 2 years
I have somedomain.com on IP 1.1.1.1
I send/receive mail using Outlook connecting to mail.somedomain.com
So my DNS records for somedomain.com are the typical:
www.somedomain.com >>> A >>> 1.1.1.1
somedomain.com >>> A >>> 1.1.1.1
somedomain.com >>> MX >>> mail.somedomain.com
mail.somedomain.com >>> A >>> 1.1.1.1
But I also send some mails (using directly PHP mail function) from another server that is on anotherdomain.com and IP 2.2.2.2
I tried to set up the SPF record using the Microsoft wizard (the old days Open SPF wizard does NOT work anymore)
The SPF created by the wizard is this:
v=spf1 a mx ip4:1.1.1.1 mx:mail.somedomain.com ip4:2.2.2.2 -all
But I get some mails returning back when sent from 2.2.2.2 with the message:
SPF Failed - not authorized message
Do you know what the right SPF value is for this scenario?
EDIT 1: as asked by Minsuk Song I post the SPF failed message
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  [email protected]
    SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=120379:
    host imp-3.mail.tiscali.it [213.205.33.247]: 550 5.1.0 <[email protected]> SPF Failed - not authorized

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 116808 characters long; only the first
------ 106496 or so are included here.

Return-path: <[email protected]>
Received: from mild by server081.mildfred.com with local (Exim 4.77)
    (envelope-from <[email protected]>)
    id 1SRRp1-001a8D-8Z; Mon, 07 May 2012 13:34:07 -0400
To: <[email protected]>
Subject: ...
EDIT 2: as correctly noticed by nickgrim when I send mail from IP 2.2.2.2 I send them using an address that is on the somedomain.com (which is on IP 1.1.1.1). The reason I do this is that in case the mail gets rejected for any reason (as it happened) I get notified on an existing address <[email protected]>.
-
ravi yarlagadda about 12 years
How long has it been since you set the record to this value?
-
Marco Demaio about 12 years
The SPF (in TXT record) was set more than one week ago. The other DNS records have been there for more than 6 months now.
-
nickgrim about 12 years
As an aside, your above example makes me suspect that you're not using mx:mail.somedomain.com correctly. The mx:··· construction looks up the MX records for the specified domain, and your mail.somedomain.com domain doesn't have any MX-records. You probably mean mx:somedomain.com - which will look up the A-records for the MX-records for somedomain.com (and ultimately end up whitelisting 1.1.1.1)
-
nickgrim about 12 years
You don't say it explicitly, so: should we assume that these mails being sent from the anotherdomain.com server have an email-address in the From header that's in the somedomain.com domain?
-
Marco Demaio about 12 years
@nickgrim: YES +1, You are absolutely right when you say: "mails being sent from the anotherdomain.com server have an email-address in the From header that's in the somedomain.com domain". So I suppose you know now how to fix the SPF hell.
-
Marco Demaio about 12 years
@nickgrim: I posted the mail header in the question. Any clue?
-
Philip about 12 years
The old days SPF Record Generator doesn't work because too many clueless users weren't taking the time to understand how SPF records work and feeding the generator garbage. Garbage In, Garbage Out; and the whole system is worthless... Really, it's not that hard to take an evening and read the spec.
-
Marco Demaio about 12 years
I posted the mail header in the question. Any clue?!
-
Marco Demaio about 12 years
Great tool thanks, much better than the Microsoft one