SPF record is hard failing

1
votes

I'm trying to get an SPF record set up on our domain, but it just seems to be get confused.

The domain is letterpart.com and the mail server is mail.letterpart.com. We send all of our emails from an Exchange Server at mail.letterpart.com, either directly or via Perl scripts that forward to the Exchange server. This is our only server and deals with incoming and outgoing mails.

We originally had

v=spf1 mx a:mail.letterpart.com a:cmail1.com ~all

which includes our mail server and that of Campaign Monitor which we sometimes use to send out marketing emails.

This, though, was giving us a soft fail:

Recipient address rejected: SPF Tests: Mail-From Result="softfail": Mail From="*****@letterpart.com" HELO name="mail.letterpart.com" HELO Result="none" Remote IP="94.72.251.210">

I spoke to our ISP, KCOM, and they came back with this reply:

I have checked the existing SPF record and found a possible cause of your "softfail". The "all" mechanism was prefixed with a "~" which gives a soft fail. I have changed the records "all" section to "-all" which should produce a fail.

Now, when I send mail from Outlook, I get a hard fail:

[email protected] on 22/06/2012 09:47
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <mail.letterpart.com #5.7.1 smtp;550 5.7.1 <[email protected]>: Recipient address rejected: SPF Tests: Mail-From Result="fail": Mail From="*****@letterpart.com" HELO name="mail.letterpart.com" HELO Result="none" Remote IP="94.72.251.210">

I went back to our ISP and said that the change they made had indeed changed our soft fail into a hard fail, so can they now change it so we don't fail at all.

His reply was that this record is correct and that it shows that emails not coming from our domain will fail. I pointed out that the test I am sending was coming from our domain, and he just sent me a reference to SPF Record Syntax which is the same site I am testing the [email protected] email on.

Have I completely got the wrong end of the stick when it comes to these records? I thought the idea was not to fail at all when sending from our domain.

Now. Our MX record shows the following:

mail.letterpart.com   94.72.251.212

But the SPF test email is showing the IP address as 94.72.251.210, and when I look at a header of an email sent from letterpart.com, it does indeed show it as coming from .210:

for *****@digitalessence.net; Fri, 22 Jun 2012 11:03:06 +0100
Received: from [94.72.251.210] (helo=mail.letterpart.com)

94.72.251.210 is the Wan1 interface on our Firewall. Should I add an IP address to the SPF or a range?

2
dnsspf

2 Answers

0
votes

I was looking over your SPF records. It's listed as 

v=spf1 ip4:94.72.251.210 a:cmail1.com ~all

It should look something like:

v=spf1 mx a ip4:94.72.251.210 a:cmail1.com ~all

Which will mean all the MX and A records for the current domain are valid. I really don't understand why your have a PTR set up for 94.72.251.210 back to mail letterpart.com, when mail.letterpart.com points to 94.72.251.212.

0
votes

Yes, it sounds like you answered your own question - you should add 94.72.251.210 to your SPF record if that is where your emails are sent from (as far the outside world is concerned).

That's the easy way. The harder solution is to figure out why your mail server winds up sending from that IP address and correct the firewall rules so that mail emerges from your network on the IP address associated with the mail server's name. This seems more correct and might have other benefits - your mail headers look "forged" if they use a name that's different from the actual IP address they come from.