Why is my SPF Record not working?

Solution 1

You might want to suspect the MTA involved.

As far as I can tell, your SPF record is set up correctly. I sent a message to one of my addresses (Gmail) using a sender address from your domain ([email protected]). Gmail does evaluate SPF, but always delivers the message regardless. Here are the headers I got:

    Received-SPF: fail (google.com: domain of [email protected] does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
    Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of [email protected] does not designate XXX.XXX.XXX.XXX as permitted sender) [email protected]

My guess is that the servers for yahoo.co.jp aren't evaluating SPF correctly, but I don't have any email address with them, so I can't test it to make sure. Aside from that, you might be running into other MTAs that simply don't respect SPF hardfail, resulting in messages still getting delivered.

Solution 2

Your SPF record is set to hard fail (using -all). However, you include '_spf.google.com' which is set to neutral fail (done by including ?all).

    # host -t txt _spf.google.com
    _spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
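
How an RFC 7208 receiver combines the two records quoted on this page, as an added example that is not part of the original answers: `include` counts as a match only when the included record returns pass, so a result from the included `?all` is "no match" and evaluation moves on to the outer `-all`. The `ZONE` dict stands in for DNS, only `ip4`, `include` and `all` are handled, and `74.125.1.1` is a constructed in-range address.

```python
import ipaddress

# TXT records as quoted on this page, held in a dict so the example runs offline.
ZONE = {
    "foomatic.net": "v=spf1 include:_spf.google.com -all",
    "_spf.google.com": (
        "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
        "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
        "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
        "ip4:173.194.0.0/16 ?all"),
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone=ZONE, depth=0):
    """Simplified RFC 7208 check_host(): handles only ip4, include and all."""
    if depth > 10:  # simplification of the RFC's DNS-lookup limit
        return "permerror"
    terms = (zone.get(domain) or "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # no SPF record published for this name
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("temperror", "permerror"):
                return inner
            if inner == "none":
                return "permerror"
            # Only an inner "pass" matches; the included record's own
            # fail/softfail/neutral means "no match", so evaluation continues.
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

if __name__ == "__main__":
    # Spammer IP from the bounce on this page, then a constructed in-range IP.
    for ip in ("86.105.67.98", "74.125.1.1"):
        print(ip, check_host(ip, "foomatic.net"))
```
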

Solution 3

I believe I may see your problem. I assume by your SPF record that this is a Google domain and you are using them to send mail. Change your SPF record from "-all" to "~all" - as I know that this can cause some issues. See here: http://www.google.com/support/a/bin/answer.py?answer=178723

And by the way, Received-SPF: neutral means that the server is neither permitted nor denied.

Author: M.O.

Updated on September 17, 2022

Comments

  • M.O.
    M.O. almost 2 years

    A spammer is using my domain to send spam, and I'm receiving a large amount of bounced email.

    I have an SPF record on the domain; however, it doesn't appear to be having any effect. Receiving MTAs seem to be claiming my domain is neutral about all sending IPs.

    My SPF Record is:

    v=spf1 include:_spf.google.com -all
    

    (The domain is foomatic.net)

    And as an example, one bounced email contained the following SPF message

    Received-SPF: neutral (foomatic.net: domain of [email protected] is neutral about designating 86.105.67.98 as permitted sender)
    

    Can anyone shed some light as to why this SPF record isn't working correctly?

    (The full email header is below)

    Return-Path: <[email protected]>
    X-YahooFilteredBulk: 86.105.67.98
    X-Originating-IP: [86.105.67.98]
    Received-SPF: neutral (foomatic.net: domain of [email protected] is neutral about designating 86.105.67.98 as permitted sender)
    Authentication-Results: mta524.mail.kks.yahoo.co.jp  from=foomatic.net; domainkeys=neutral (no sig)
    Received: from 86.105.67.98  (HELO foomatic.net) (86.105.67.98)
     by mta524.mail.kks.yahoo.co.jp with SMTP; Fri, 24 Sep 2010 05:07:52 +0900
    Received: from unknown (180.137.66.216)
           by mtu23.bigping.com with NNFMP; Thu, 23 Sep 2010 22:51:22 +0200
    Received: from rly04.hottestmile.com ([Thu, 23 Sep 2010 22:43:07 +0200])
           by qrx.quickslick.com with LOCAL; Thu, 23 Sep 2010 22:43:07 +0200
    Received: from [173.232.106.195] by public.micromail.com.au with QMQP; Thu, 23 Sep 2010 22:34:49 +0200
    Message-ID: <[email protected]>
    Date: Thu, 23 Sep 2010 22:22:19 +0200
    From: "Ella" <[email protected]>
    MIME-Version: 1.0
    To: <[email protected]>
    Subject: ready 4 u
    Content-Type: text/plain;
           charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    
  • Nic
    Nic almost 14 years
    I don't think that's it. Using -all should be stricter than ~all, and the problem is that MTAs aren't being strict enough.
  • M.O.
    M.O. almost 14 years
    I originally had ~all, and changed it to -all a few days ago, which didn't seem to make much difference.
  • Nic
    Nic almost 14 years
    +1 because I didn't realize that include records could override the -all setting.