Koozali.org: home of the SME Server

SPF records

Offline ReetP

SPF records
« on: October 05, 2018, 03:12:45 PM »
Hmmmm, had a bit of bovver with my SPF records allegedly not being right. I'm in a discussion with the hosting provider over this and wanted to check my facts...

[root@test ~]# dig -t txt impamark.co.uk

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> -t txt impamark.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39272
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;impamark.co.uk.         IN   TXT

;; ANSWER SECTION:
impamark.co.uk.      2709   IN   TXT   "v=spf1 mx a -all"

;; Query time: 0 msec
;; SERVER: 192.168.97.1#53(192.168.97.1)
;; WHEN: Fri Oct  5 15:03:12 2018
;; MSG SIZE  rcvd: 61


As far as I am aware that is correct?

When I test with mxtoolbox.com it all seems OK apart from one bit:

Prefix  Type     Value  PrefixDesc  Description
v       version  spf1               The SPF record version
+       mx              Pass        Match if IP is one of the MX hosts for given domain name
+       a               Pass        Match if IP has a DNS 'A' record in given domain
-       all             Fail        Always matches. It goes at the end of your record.

Any ideas why it shows Fail on -all? Is that just due to the way it 'processes' the rules, so anything after -all that hasn't matched is classed as a Fail?

All the tests below it show green ticks.

SPF Contains characters after ALL    No items after 'ALL'.
SPF Syntax Check                     The record is valid

Any thoughts appreciated. I'm pretty sure my hosting provider has suffered a network block due to some spammer on my IP range but just wanted to be sure of my facts first.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline mmccarn

Re: SPF records
« Reply #1 on: October 06, 2018, 04:39:15 PM »
The "-all" indicates that email from any other host not previously specified gets an SPF 'Fail' result.  In your case - if the system trying to deliver any email from "impamark.co.uk" is not in your MX or A records, the SPF result is "Fail".

I see no problems with your SPF, PTR, or MX settings -- as long as
* your system is sending your email directly and is not relaying it through a smarthost somewhere
* you don't have any web systems running off-site trying to send email directly using your domain


Testing impamark.co.uk at https://www.kitterman.com/spf/validate.html shows that it should be OK.

mxtoolbox says your MX record is OK:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a212.83.143.44&run=toolpage

Same for your A record:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a212.83.143.44&run=toolpage#

Your PTR record looks OK:
nslookup -type=ptr 44.143.83.212.in-addr.arpa
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
44.143.83.212.in-addr.arpa name = mail.impamark.co.uk.

The A record for mail.impamark.co.uk looks OK:
nslookup mail.impamark.co.uk
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: mail.impamark.co.uk
Address: 212.83.143.44

'firehol' lists one of the IPs on your class C in one of their blocklists:
https://github.com/firehol/blocklist-ipsets/search?q=%22212.83.143%22&unscoped_q=%22212.83.143%22

Offline ReetP

Re: SPF records
« Reply #2 on: October 06, 2018, 04:52:49 PM »
Thanks for all that.

I realise I could specify the IP in the TXT record as well, I guess - e.g. add 'ip:212.83.143.44' to the TXT record.

I thought it seemed OK but the bloody hosting provider seems to get some of its network blocks blacklisted sometimes.

Just wanted to make sure it wasn't me making a cockup !

I can go back and tell them to sharpen up their act ;-)

Thanks

Offline Knuddi

Re: SPF records
« Reply #3 on: October 08, 2018, 09:19:19 PM »
Just make sure you use ip4: and not just ip:

If you are running behind a static IP address I would recommend specifying that rather than "a" or "mx".

"v=spf1 ip4:212.83.143.44 -all"

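To see why a checker lists '-all' as Fail and why 'ip:' is not accepted where 'ip4:' is, here is an added example (not from this thread or the SME Server project) of a minimal SPF evaluator run over constructed DNS data copied from the records quoted above. It handles only the a, mx, ip4/ip6 and all mechanisms, with no include or redirect; ZONE and check_spf are names chosen for this example.

```python
import ipaddress

# Constructed stand-in for the zone data quoted earlier in the thread;
# no live DNS lookups are made.
ZONE = {
    "impamark.co.uk": {"A": ["212.83.143.44"], "MX": ["mail.impamark.co.uk"]},
    "mail.impamark.co.uk": {"A": ["212.83.143.44"]},
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ips_for(name, rtype):
    """A records of a name, or of each MX host of a name when rtype is MX."""
    if rtype == "MX":
        return [ip for mx in ZONE.get(name, {}).get("MX", [])
                for ip in ZONE.get(mx, {}).get("A", [])]
    return ZONE.get(name, {}).get("A", [])


def check_spf(record, sender_ip, domain):
    """Evaluate an SPF record for a connecting IP, left to right (RFC 7208).

    Mechanisms are tried in order and the first match decides the result via
    its qualifier. 'all' matches unconditionally, so a tool listing '-all' as
    'Fail' is just showing the verdict for any IP no earlier term matched.
    Unknown mechanisms such as 'ip:' make the whole record a permerror.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = str(ip) in _ips_for(arg or domain, "A")
        elif mech == "mx":
            matched = str(ip) in _ips_for(arg or domain, "MX")
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # ran off the end with no 'all': RFC 7208 default
```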

Offline ReetP

Re: SPF records
« Reply #4 on: October 08, 2018, 09:20:56 PM »
Perfect !!
Thanks for the tips.

Offline Knuddi

Re: SPF records
« Reply #5 on: October 08, 2018, 10:47:52 PM »
And when you are done use https://www.mail-tester.com/ to see whether you did everything right. If you have SPF and DKIM right you ought to get 10/10 score :-)

Offline ReetP

Re: SPF records
« Reply #6 on: October 08, 2018, 11:01:29 PM »
Great tip.

Will do :-)

Thanks

Offline david000

Re: SPF records
« Reply #7 on: January 03, 2019, 03:59:09 PM »
I think this relates to the issue I'm trying to solve here:

https://forums.contribs.org/index.php/topic,53848.0.html

I'm seeing increasing numbers of undelivered email with
<xxxx.xxxxx@telford.gov.uk>:
Connected to 212.159.9.107 but sender was rejected.
Remote host said: 550 <info@mediacopy.co.uk.co.uk> sender rejected - invalid domain (no MX or A record)

plus clients and contacts are telling me email is going straight to their spam folder.

I don't know much about SPF records, but I assume I'm trying to align my outgoing ISP's mail server with my hosted domain?

Presumably my dynamic IP, through which SME connects to the ISP's mail server, is not an issue.

Unless there is a better solution than connecting to the ISP's mail server?

Offline jameswilson

Re: SPF records
« Reply #8 on: February 11, 2019, 10:46:05 PM »
I'm having a similar issue. I've used the above link but can't get anything above 8 / 10
static IP
I don't know about DKIM etc but have added it via CNAME
Any guidance from you gurus would be appreciated.
James

Offline Knuddi

Re: SPF records
« Reply #9 on: February 11, 2019, 10:49:36 PM »
If you share a mail-tester link, then we can see where the problem lies.

Offline ReetP

Re: SPF records
« Reply #10 on: February 12, 2019, 11:48:11 AM »
Quote
I'm having a similar issue. I've used the above link but can't get anything above 8 / 10
static IP
I don't know about DKIM etc but have added it via CNAME
Any guidance from you gurus would be appreciated.
James

One thing - I don't think you should use CNAME records for mail servers - you should have an A record for the server and then a MX record for it.

Then you can set up your DKIM with a TXT record.

Offline jameswilson

Re: SPF records
« Reply #11 on: February 12, 2019, 06:10:13 PM »
Quote
If you share a mail-tester link, then we can see where the problem lies.
I have attached this

Offline Knuddi

Re: SPF records
« Reply #12 on: February 12, 2019, 07:10:57 PM »
Well, then it is clear that you do not send with DKIM enabled. Have you created and published the DKIM keys (in DNS)?

https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96

P.S.
I have not tried this way of doing DKIM, but I am sure someone else here has and can guide if needed.

Offline ReetP

Re: SPF records
« Reply #13 on: February 12, 2019, 07:31:14 PM »
Yup.... done it both single and multiple domains.

Easy. Certainly easier than it was originally !!

Note what I said above about the use of CNAMEs. Tread with care.

https://serverfault.com/questions/91712/dns-using-cnames-breaks-mx-records

https://serverfault.com/questions/18000/dns-subdomains-that-require-both-an-mx-record-and-a-cname

Offline jameswilson

Re: SPF records
« Reply #14 on: February 14, 2019, 08:44:30 PM »
Quote
Well, then it is clear that you do not send with DKIM enabled. Have you created and published the DKIM keys (in DNS)?

https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96

P.S.
I have not tried this way of doing DKIM, but I am sure someone else here has and can guide if needed.

I must have got something wrong, it's now lower

Quote
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.
The DKIM signature of your message is:
   v=1;
   a=rsa-sha256;
   c=relaxed;
   d=thesecurityinstaller.co.uk;
   h=to:from:subject:message-id:date:mime-version:content-type:content-transfer-encoding;
   s=default;
   bh=W8LYD7UjVZovSJJz/TT+VYVFpOsJOHza8Uw8Pvf9Wd8=;
   b=r+0Glm9IzdR8HBRx/0dz3SNl4EBdEYL2dyA+2eWQ5oYBbl5RV74s/gLGOBhTPifU1mBNlCW3r80KJQGs5Ul26niJAlXs5UyCESL02vmpIh1+eYxprWlVMlRboUbeCxt5ffagrOqYnbMbK76t/ME/6/R1rP1mNCzstXfAE6UQ1fIOwWiXk26rUFDfgCsdrwMUsHGoqx3QFWxsH5XqTpHtxh72MqxxxxxxxxxxxQ==
We were not able to retrieve your public key.
Please ensure that you inserted your DKIM TXT DNS record on your domain thesecurityinstaller.co.uk using the selector default.
If you recently modified your DNS, please be patient and test again your Newsletter in 12 hours, it may take some time for the DNS to be propagated
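The "not able to retrieve your public key" result above means the verifier found no TXT record at the name built from the signature's s= and d= tags. As an added example (not from this thread, mail-tester or the SME Server project), here is a small check, over constructed DNS answers, that derives that name from the DKIM-Signature tags quoted above and parses whatever record is published there; it does not verify the signature itself, and the key in the constructed record is a labelled placeholder rather than a real RSA key.

```python
import re

# Tags from the DKIM-Signature quoted above (signature value elided).
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed; d=thesecurityinstaller.co.uk; "
             "s=default; bh=W8LYD7UjVZovSJJz/TT+VYVFpOsJOHza8Uw8Pvf9Wd8=; b=...")

# Constructed DNS answers standing in for live TXT queries (no network use).
# The first name mirrors what mail-tester reported: nothing published there.
# The second carries a PLACEHOLDER key, not a real RSA public key.
DNS_TXT = {
    "default._domainkey.thesecurityinstaller.co.uk": [],
    "default._domainkey.example.net": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
}


def parse_tags(value):
    """Split a DKIM tag list ('tag=value; tag=value') into a dict.

    Works for both the DKIM-Signature header and the TXT record; folding
    whitespace inside a value (long p= keys are often split) is dropped.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_record_name(signature):
    """<selector>._domainkey.<domain> is the TXT name a verifier queries."""
    sig = parse_tags(signature)
    return f"{sig['s']}._domainkey.{sig['d']}"


def check_dkim_publication(signature, lookup=DNS_TXT.get):
    """Report why a verifier could or could not obtain the signing key."""
    name = dkim_record_name(signature)
    answers = lookup(name) or []
    if not answers:
        return name, "no TXT record published at this name"
    rec = parse_tags(answers[0])
    if rec.get("v", "DKIM1") != "DKIM1":  # v= is optional; DKIM1 is implied
        return name, "TXT record is not a DKIM1 record"
    if not rec.get("p"):
        return name, "no public key (p=); an empty p= means the key is revoked"
    return name, "ok"
```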