r00t pAsSw0rd

Active Member
Sep 14, 2006
32
0
156
Checked the SPF using the tool at:

http://senderid.espcoalition.org/

It reports a softfail with the current SPF. It needs to pass.

Report:

MAIL FROM: [email protected]
PRA: [email protected]
SPF-Record-Classic: v=spf1 a mx ~all
SPF-Record-MFROM Scope: v=spf1 a mx ~all
SPF-Record-PRA Scope: v=spf1 a mx ~all

SPF-Method Result: softfail(domain.: domain of
transitioning domain..org does not designate xxx.xxx.65.54 as permitted sender)

SenderID-MFROM-Method Result: softfail(domain..org: domain of
transitioning domain..org does not designate xxx.xxx.65.54 as permitted sender)

Why am I getting that error?

Domain uses xxx.xxx.120.4 IP (static).

server IP is xxx.xxx.65.54

dnsreport shows

You have an SPF record. This is very good, as it will help prevent spammers from abusing your domain. Your SPF record (I don't check to see if it is well designed!) is:
"v=spf1 a mx a:mittens.dynalias.org" [TTL=14400]

I added this in the domain's named record

domain..org. IN TXT "v=spf1 a mx a:mittens.dynalias.org"

Is this correct?
 

RickG

Well-Known Member
Feb 28, 2005
238
2
168
North Carolina
domain.org. IN TXT "v=spf1 a mx ip4:xxx.xxx.65.54 -all"

If you really want to support the SPF concept (and not just "say" you have an SPF record), you should use -all (vs ~all) in your SPF record. If the receiving mail server is doing any type of SPF check, -all indicates that unless the mail originates from the source(s) specified in the SPF record, it is not legitimate mail from your domain. What happens to that mail on the receiving end based on those results is determined by the admin, the same way you can make similar decisions when mail arrives into your server.

Using ~all produces a neutral response which IMHO is of little use if you are serious about cutting down on spam.
 

d33pa

Registered
Feb 11, 2005
2
0
151
domain.org. IN TXT "v=spf1 a mx ip4:xxx.xxx.65.54 -all"

If you really want to support the SPF concept (and not just "say" you have an SPF record), you should use -all (vs ~all) in your SPF record. If the receiving mail server is doing any type of SPF check, -all indicates that unless the mail originates from the source(s) specified in the SPF record, it is not legitimate mail from your domain. What happens to that mail on the receiving end based on those results is determined by the admin, the same way you can make similar decisions when mail arrives into your server.

Using ~all produces a neutral response which IMHO is of little use if you are serious about cutting down on spam.
please correct me if im wrong. ~all will give you a fail and ?all will give you a neutral response. The -all may work, but have never seen it in that context.
 

sierrablue

Member
Aug 30, 2005
19
0
151
cPanel Access Level
Root Administrator
please correct me if im wrong. ~all will give you a fail and ?all will give you a neutral response. The -all may work, but have never seen it in that context.
~all gives softfail, -all gives fail.

Hotmail for example, will forward your mail to recipient junk folder if you have softfail terminator (~all), even if your mail passes the SPF check.
 

freedog96150

Well-Known Member
Mar 25, 2005
68
0
156
Nevada, USA
I found that by including the "include:ISP.NAME" directive in the SPF record that many of my problems disappeared with respect to the soft fails. For me that exact line is "include:verizon.net", but then I use my ISP's SMTP server for all outgoing mail and not my domain's SMTP server. You mileage may vary.
 

SageBrian

Well-Known Member
Jun 1, 2002
416
2
318
NY/CT (US)
cPanel Access Level
Root Administrator
~all gives softfail, -all gives fail.

Hotmail for example, will forward your mail to recipient junk folder if you have softfail terminator (~all), even if your mail passes the SPF check.
To me, this is the weakness in the SPF feature.
It's great if you are mailing from one place all the time.
But what of the road warriors?

To say that email from domain.com is valid 'only' from domain.com or ISP.net will cause issues when sending from any other location.

I know a few servers that tried to filter based on SPF fail, and then realized how much legitimate mail was getting blocked.

-all is only good if you are sure you will never, ever send mail from another ISP provider. Remember that some ISPs block port 25.

SPF is a good scoring tool. If it passes, good. If it soft-fails, more should be done to determine if it's spam.
 

Sam Hobbs

Member
Aug 20, 2004
6
0
151
California
please correct me if im wrong. ~all will give you a fail and ?all will give you a neutral response. The -all may work, but have never seen it in that context.
I am not an expert; until a couple of days ago, I knew virtually nothing about SPF records. I did however look at the openspf.org web site and I subscribed to one of their mailing lists.

It is still quite confusing to me, but the experts did say that I should use -all.
 

bmcpanel

Well-Known Member
Jun 1, 2002
546
0
316
I am not an expert; until a couple of days ago, I knew virtually nothing about SPF records. I did however look at the openspf.org web site and I subscribed to one of their mailing lists.

It is still quite confusing to me, but the experts did say that I should use -all.
I believe the technology is not in wide-spread use yet, and part of the reason is that documentation on the issue seems to vary, making it more confusing than it ought to be.

I am waiting for Cpanel to include this in their software so we don't have to add these manually. It seems like a logical thing for a control panel software to do.
 
Thread starter Similar threads Forum Replies Date
T Email 1
Karl1 Email 4
M Email 3
T Email 2
S Email 2