SPF: test of record failed (temperror)

keat63

Well-Known Member
Nov 20, 2014
1,962
267
113
cPanel Access Level
Root Administrator
I've just noticed, and it seems to be all incoming email.
Code:
T_SPF_HELO_TEMPERROR                 SPF: test of HELO record failed (temperror)
T_SPF_TEMPERROR                             SPF: test of record failed (temperror
Any ideas why i'm failing to authenticate against spf on incoming email ?
 
Last edited:

keat63

Well-Known Member
Nov 20, 2014
1,962
267
113
cPanel Access Level
Root Administrator
Update:

Last week I modified /etc/mail/spamassassin/local.cf, and added a dns_server in an attempt to fix the URIBL errors.
Thinking it might be related to this, I removed the entry.
This didn't appear to have any effect.
Strangely the URIBL errors didn't come back either.

Left it an hour then modified etc/resolv.cnf,.
Thinking that it might be DNS related. I added Google entries 8.8.8.8 and 8.8.4.4.
This also had no effect.

30 minutes later, I rolled back my reslov.cnf.

Now SPF checks seems to be working,

SPF_HELO_PASS -0.00 SPF: HELO matches SPF record
SPF_PASS -0.00 SPF: sender matches SPF record


It looks like the SPF temp errors are related to the changes I made in spamasassin/local.cf last week??
I checked the mail logs and those temp errors appear to have started on the same day.
Whilst I don't recall what time I made the changes, I can see a definitive line between checks passing and failing.

No Idea why the changes didn't take effect until I toyed with resolv.cnf though.
Oh and the URIBL errors have come back.

Everyday a learning curve, even at my age.
 
Last edited:

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,295
313
Houston
This is definitely DNS related, did you read the Spamassassin documentation on that setting?

dns_server ip-addr-port (default: entries provided by Net::DNS)
Specifies an IP address of a DNS server, and optionally its port number. The dns_server directive may be specified multiple times, each entry adding to a list of available resolving name servers. The ip-addr-port argument can either be an IPv4 or IPv6 address, optionally enclosed in brackets, and optionally followed by a colon and a port number. In absence of a port number a standard port number 53 is assumed. When an IPv6 address is specified along with a port number, the address must be enclosed in brackets to avoid parsing ambiguity regarding a colon separator. A scoped link-local IP address is allowed (assuming underlying modules allow it).

Examples : dns_server 127.0.0.1 dns_server 127.0.0.1:53 dns_server [127.0.0.1]:53 dns_server [::1]:53 dns_server fe80::1%lo0 dns_server [fe80::1%lo0]:53

In absence of dns_server directives, the list of name servers is provided by Net::DNS module, which typically obtains the list from /etc/resolv.conf, but this may be platform dependent. Please consult the Net::DNS::Resolver documentation for details.
 

keat63

Well-Known Member
Nov 20, 2014
1,962
267
113
cPanel Access Level
Root Administrator
I didn't see that actual extract, but did find something about it being DNS related, hence why I toyed with the two DNS type settings.
It appears to be working still this morning, and now I know where the problem was, so alls well that ends well.

Just thought it best to document it in case anyone else in the future has a similar issue.
 
  • Like
Reactions: cPanelLauren

aztopdavid

Well-Known Member
Jan 1, 2016
56
11
58
Arizona
cPanel Access Level
Root Administrator
This looks exactly like a problem I'm trying to solve. I had solved the blocked URIBL lookups by adding "dns_server 127.0.0.0" to /etc/mail/spamassassin/local.cf but then I switched VPS hosts and the URIBL lookups were being blocked again. So this morning, I added that "dns_server" value, but that resulted in the two SPF "TEMPERROR" lines in the SpamAssassin tests that @keat63 started this topic with. I checked the Resolver setup on my new VPS and it's different than the old one -- the new one only has 10.10.10.10 in resolv.conf. I tried adding "dns_server 10.10.10.10" to the local.cf, but then "URIBL_BLOCKED" reappeared in the SA section so I just took out the 10.10.10.10 entry, and "URIBL_BLOCKED" is gone with the two "TEMPERROR" lines are back. I'm not sure what I need to do so that the SPF errors go away *and* the URIBL lookups aren't blocked.
 

neilc33

Registered
Mar 2, 2020
4
0
1
UK
cPanel Access Level
Root Administrator
@aztopdavid Did you find a solution to getting both SPF errors going away and the URIBL lookups not blocked? I'm looking at what sounds like the exact same issue; using the URIBL fine after a custom dns_server entry, but getting these T_SPF_TEMPERROR errors.
 

aztopdavid

Well-Known Member
Jan 1, 2016
56
11
58
Arizona
cPanel Access Level
Root Administrator
No, I put it on a "back burner" and went back to the setup where SPF has happy, but URIBL lookups aren't working. It would be nice to fix that, but I'm too busy to chase it down at present.