Default SPF record: How does one fix this? #130

Open
lifeboy opened this issue Oct 30, 2023 · 2 comments

lifeboy commented Oct 30, 2023

I have run into this a couple of times and up to now thought the problem was at the recipient's email server, but today this happened again. This time it's from one PMiaB server to another.

I sent an email from giesler.za.net to abellardss.co.za and the headers from the recipient show this:

Authentication-Results: posboom.abellardss.co.za; dmarc=pass (p=quarantine dis=none) header.from=giesler.za.net
Authentication-Results: posboom.abellardss.co.za; spf=fail smtp.mailfrom=giesler.za.net
Authentication-Results: posboom.abellardss.co.za; dkim=pass (2048-bit key; unprotected) header.d=giesler.za.net [email protected] header.a=rsa-sha256 header.s=mail header.b=qPOSpYOO; dkim-atps=neutral

However, testing the mail server box2.gtahardware.co.za (where giesler.za.net lives), gives no problem using mxtoolbox.com's email health checker:

image

So, checking the spf record:

$ dig giesler.za.net txt +short
"v=spf1 mx -all"

This means all hosts are rejected, except the mx record that is set up for this domain, right? For giesler.za.net, the mx record is:

$ dig giesler.za.net mx +short
10 box2.gtahardware.co.za.

So why does the spam checker used in PMiaB fail this spf test?

This is the default and I notice this note in the status pages of PMiaB:

Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @www.giesler.za.net. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains).

Why would the default be to not allow mail sending? Surely it makes more sense to let the system construct a proper spf record for this mail domain on this server?

Would "v=spf1 a -all" be the correct record for this? If not, what should I make this?

lifeboy commented Oct 30, 2023

I just did another test, after making the change indicated above. On the recipient mail server:

# dig giesler.za.net txt +short
"v=spf1 a -all"

Yet, the email received still has this in the header:

X-Spam-Report: 
	* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
	* -0.1 DMARC_PASS DMARC check passed
	*  5.0 SPF_FAIL SPF check failed

lifeboy commented Oct 30, 2023

I just checked the logs on the recipient server:

Oct 30 13:41:36 AbellardSS-mail opendmarc[227]: 5F10322832: SPF(mailfrom): giesler.za.net fail

So it's opendmarc that's failing the spf lookup, not SpamAssassin, or is it?

lifeboy changed the title from "Default SPF record: How does on fix this?" to "Default SPF record: How does one fix this?" on Oct 31, 2023
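How a receiver evaluates the two records discussed in this thread, as an added example that is not part of the original issue or the project's code: a minimal evaluator for the `a`, `mx`, `ip4`, `ip6` and `all` mechanisms of RFC 7208, run against constructed DNS data (documentation-range addresses, not the real records for these domains). The result depends on the connecting client IP the receiver checks; `mx` compares it with the addresses of the domain's MX hosts, while `a` compares it with the mail domain's own address records.

```python
import ipaddress

# Constructed DNS data: documentation-range addresses, not the real records.
DNS = {
    ("giesler.za.net", "MX"): ["box2.gtahardware.co.za"],
    ("giesler.za.net", "A"): ["192.0.2.80"],
    ("box2.gtahardware.co.za", "A"): ["192.0.2.25"],
    ("box2.gtahardware.co.za", "AAAA"): ["2001:db8::25"],
}

def addrs(name):
    """All A and AAAA addresses known for a host name."""
    recs = DNS.get((name, "A"), []) + DNS.get((name, "AAAA"), [])
    return {ipaddress.ip_address(r) for r in recs}

def check_spf(record, domain, client_ip):
    """Evaluate a, mx, ip4, ip6 and all only; anything else is permerror here."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":    # address records of the domain itself
            matched = ip in addrs(arg or domain)
        elif mech == "mx":   # address records of each MX host
            hosts = DNS.get((arg or domain, "MX"), [])
            matched = any(ip in addrs(h) for h in hosts)
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism or modifier outside this sketch
        if matched:
            return results[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"

def demo():
    ips = ("192.0.2.25", "2001:db8::25", "192.0.2.80")
    recs = ("v=spf1 mx -all", "v=spf1 a -all")
    return {(r, i): check_spf(r, "giesler.za.net", i) for r in recs for i in ips}

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

To compare with a live failure, take the client IP from the topmost `Received:` header added by the receiving server and check it against the A/AAAA records that `dig` returns for the MX host and for the mail domain.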