Why does this SPF record fail?

0
votes

I manage two domains with similar spf txt dns records:

  • ffiles.com, when tested returns a pass spf result
  • apkfiles.com, when tested returns a fail result.

The SPF record contains data from a parent domain include:spf.tntcode.com But the above two domains seem configured the same, why does one fail ?

SPF record lookup and validation for: ffiles.com

SPF records are published in DNS as TXT records.

The TXT records found for your domain are: google-site-verification=5j4oHqhf_H5kXl_ciEX9OZISFoexrz9N_5c0I0Q1jw8 v=spf1 +a include:spf.tntcode.com +mx -all

Checking to see if there is a valid SPF record.

Found v=spf1 record for ffiles.com: v=spf1 +a include:spf.tntcode.com +mx -all

evaluating... SPF record passed validation test with pySPF (Python SPF library)!

...

SPF record lookup and validation for: apkfiles.com SPF records are published in DNS as TXT records. The TXT records found for your domain are: v=spf1 +a include:spf.tntcode.com +mx -all

Checking to see if there is a valid SPF record.

Found v=spf1 record for apkfiles.com: v=spf1 +a include:spf.tntcode.com +mx -all

evaluating... Results - record processed without error.

The result of the test (this should be the default result of your record) was, fail . The explanation returned was, SPF fail - not authorized Return to SPF checking tool (clears form) Use the back button on your browser to return to the SPF checking tool without clearing the form.

2
emaildnsserveremail-validationspf
Can you post the header of the email that failed? Or post the link that [email protected] returns? We need to see the sending IP to tell you why. - Henry
Which IP address did you use for the test? Because to me the records looks correct, but if you are testing both records with the same IP address, it may be that it only matches one of the records (either the a or mx mechanism) - Lars Lind Nilsson
I just filled first form that only had domain name, no sender email. (On this tool kitterman.com/spf/validate.html) And entering apkfiles.com says (among other things) SPF fail - not authorized - adrianTNT
It seems that there is an extra space at the end of apkfiles.com's SPF record. And perhaps this is why the validator at kitterman.com fails on one of the records, because besides the extra space the two records are identical. According to the specification for SPF extra spaces at the end is NOT an error. I have just tested both domains on another SPF tester(mxtoolbox.com/SuperTool.aspx) with success for both domains. - Lars Lind Nilsson
@LarsLindNilsson that was it, I removed that extra space at end and checked after hours (to avoid a cached record) that fixed it. If you want to add this as an answer I should then select it as the correct one. Thanks. - adrianTNT

2 Answers

1
votes

It seems that there is an extra space at the end of apkfiles.com's SPF record.

And perhaps this is why the validator at kitterman.com fails on one of the records, because besides the extra space the two records are identical.

According to the specification for SPF extra spaces at the end is NOT an error, but it may be that some implementations of SPF fails due to the extra space.

I have just tested both domains on another SPF tester (http://mxtoolbox.com/SuperTool.aspx) with success for both domains

0
votes

Are you sure you're testing it correctly? I gather you're using Scott Kitterman's SPF tester. Did you use the same From address for both? I get a pass for both using IPs/names I looked up for the domains with these configs:

ffiles.com:

enter image description here

apkfiles.com:

enter image description here

Both of those result in correctly retrieved SPF records and both checks pass.