I get softfail on most of the emails sent with PHPMailer. I've updated the SPF many times and tried various alterations. I've read most related Stack Overflow posts but none that cover my problem.

The SPF that works best is:

"v=spf1 mx a a:mail.citynetwork.se ?all"

It still gives me a softfail and an X-Spam-Score of 1.4-1.9.

The server mail.citynetwork.se (91.123.193.200) is handling all incoming mail, including SMTP, but when they send them they use mailout.citynetwork.se (91.123.193.63 and 91.123.193.90).

It says either: Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 2a00:16d8:0:12::10 as permitted sender) client-ip=2a00:16d8:0:12::10;

Received-SPF: permerror (google.com: permanent error in processing during lookup of [email protected]) client-ip=2a00:16d8:0:12::10;

or Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 91.123.193.90 as permitted sender) client-ip=91.123.193.90;

The IP 91.123.193.90 (mailout.citynetwork.se) does not seem to hold any SPF records, so if I add it, it results in a permerror.

I magically got a pass once: Received-SPF: pass (google.com: domain of [email protected] designates 91.123.193.90 as permitted sender) client-ip=91.123.193.90;

but when I tried again it went to softfail.

With the SPF "v=spf1 mx a include:mail.citynetwork.se -all" I've received first permerror, then PASS, then neutral, neutral, neutral...

Can anybody make sense of this? Are the SPF records not updated instantly on my server, or how can I get different checks with the same code, mail and SPF? Do "include:" and "a:" give the same result? Do I need a CIDR address? Should/can I add the IPs instead of domains?

1 Answer

So there's a lot going on in your question, and we need to tease it apart a bit. First, remember that SPF is a DNS-based policy, and so evaluation of the policy depends on the DNS of the receiving mail server. So because of DNS caching, policy changes may not take effect immediately, or even be consistent across different servers handling inbound email for a single domain. This may explain why you're seeing different results.

As a general rule, when working on debugging an SPF policy you should set a low TTL (300 or 600 seconds) and try to space out your changes. Some servers will treat any TTL under 1 hour as an hour, so your changes may not propagate as you expect if you make them too quickly.

Now, as to the other question of what policy you should use:

  1. Do not use 'include' unless you are including an SPF record that is defined on the domain you're including. There's no SPF record defined for mail.citynetwork.se, so you should not be using an include directive.

  2. As a general rule, it's a better idea to use explicit IP addresses rather than a or mx directives when possible. For your case a rule like v=spf1 ip4:91.123.193.90 ip4:91.123.193.63 ip6:2a00:16d8:0:12::10 ~all should work. Note this assumes that the IP addresses are static, which may not be the case.

  3. If the IP addresses are not static, then you can use an a directive in your rule. For example, something like v=spf1 a:mailout.citynetwork.se ~all. That includes the two IPv4 addresses you reference, although the IPv6 address in the AAAA record isn't an exact match for the one in your question. That address may have changed between the time you asked your question and now, or it may not be the correct address. So this rule may not work out of the box.

So change the rule to the one I specify above in #2 or #3 with a low TTL, wait an hour or so, and then run your tests again.
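Added example, not part of the original answer: a small offline SPF evaluator that runs the records discussed above against the sender IPs from the question, so you can see which mechanism (if any) covers a given client IP before touching DNS. The DNS tables and the sending domain example.se are constructed stand-ins for live A/AAAA and MX lookups.

```python
import ipaddress

# Constructed DNS tables standing in for live A/AAAA and MX lookups so the
# evaluator runs offline; the addresses are the ones quoted in the question.
FAKE_ADDR = {
    "mailout.citynetwork.se": ["91.123.193.63", "91.123.193.90"],
    "mail.citynetwork.se": ["91.123.193.200"],
    "example.se": ["91.123.193.200"],   # hypothetical sending domain
}
FAKE_MX = {"example.se": ["mail.citynetwork.se"]}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip, domain, addr=FAKE_ADDR, mx=FAKE_MX):
    """Evaluate one SPF record for client_ip sending on behalf of domain.
    Supports ip4, ip6, a, mx and all (no CIDR suffix on a/mx); include,
    redirect, exists and ptr are out of scope. Returns an SPF result string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                # a bare mechanism means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return RESULT[qualifier]   # terminal: later terms never run
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name in ("a", "mx"):
            target = arg or domain     # no argument means the sending domain
            hosts = mx.get(target, []) if name == "mx" else [target]
            matched = any(ip == ipaddress.ip_address(a)
                          for h in hosts for a in addr.get(h, []))
        else:
            # Unsupported here; a real include: of a domain that publishes no
            # SPF record is also a permerror, which is what the question saw.
            return "permerror"
        if matched:
            return RESULT[qualifier]
    return "neutral"                   # nothing matched and no "all" term
```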