SPF: test of record failed (temperror)

keat63

Well-Known Member
Nov 20, 2014
1,913
259
113
cPanel Access Level
Root Administrator
I've just noticed, and it seems to be all incoming email.
Code:
T_SPF_HELO_TEMPERROR    SPF: test of HELO record failed (temperror)
T_SPF_TEMPERROR         SPF: test of record failed (temperror)
Any ideas why I'm failing to authenticate against SPF on incoming email?
 

keat63

Update:

Last week I modified /etc/mail/spamassassin/local.cf, and added a dns_server in an attempt to fix the URIBL errors.
Thinking it might be related to this, I removed the entry.
This didn't appear to have any effect.
Strangely the URIBL errors didn't come back either.

Left it an hour, then modified /etc/resolv.conf.
Thinking that it might be DNS related, I added Google entries 8.8.8.8 and 8.8.4.4.
This also had no effect.

30 minutes later, I rolled back my resolv.conf.

Now SPF checks seem to be working:

SPF_HELO_PASS -0.00 SPF: HELO matches SPF record
SPF_PASS -0.00 SPF: sender matches SPF record


It looks like the SPF temp errors are related to the changes I made in spamassassin/local.cf last week?
I checked the mail logs and those temp errors appear to have started on the same day.
Whilst I don't recall what time I made the changes, I can see a definitive line between checks passing and failing.

No idea why the changes didn't take effect until I toyed with resolv.conf though.
Oh and the URIBL errors have come back.

Every day a learning curve, even at my age.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,272
313
Houston
This is definitely DNS related. Did you read the SpamAssassin documentation on that setting?

dns_server ip-addr-port (default: entries provided by Net::DNS)
Specifies an IP address of a DNS server, and optionally its port number. The dns_server directive may be specified multiple times, each entry adding to a list of available resolving name servers. The ip-addr-port argument can either be an IPv4 or IPv6 address, optionally enclosed in brackets, and optionally followed by a colon and a port number. In absence of a port number a standard port number 53 is assumed. When an IPv6 address is specified along with a port number, the address must be enclosed in brackets to avoid parsing ambiguity regarding a colon separator. A scoped link-local IP address is allowed (assuming underlying modules allow it).

Examples:
    dns_server 127.0.0.1
    dns_server 127.0.0.1:53
    dns_server [127.0.0.1]:53
    dns_server [::1]:53
    dns_server fe80::1%lo0
    dns_server [fe80::1%lo0]:53

In absence of dns_server directives, the list of name servers is provided by Net::DNS module, which typically obtains the list from /etc/resolv.conf, but this may be platform dependent. Please consult the Net::DNS::Resolver documentation for details.
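
The directive syntax and fallback described in the documentation quoted above, as an added example that is not part of the original thread or of SpamAssassin's own code: it parses `dns_server` entries from a local.cf and reports which resolver list would be in effect. The file contents are constructed samples, the function names are hypothetical, and it assumes that any `dns_server` entry takes the place of the resolv.conf list, as the quoted text implies.

```python
import ipaddress
import re

# Constructed sample file contents (not taken from any server in this thread).
SAMPLE_LOCAL_CF = """\
# /etc/mail/spamassassin/local.cf
required_score 5.0
dns_server 127.0.0.1
dns_server [::1]:5353
#dns_server 8.8.8.8
"""
SAMPLE_RESOLV_CONF = "search example.test\nnameserver 10.10.10.10\n"

def parse_dns_server(arg):
    """Parse one ip-addr-port argument into (address, port); port defaults to 53."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", arg)   # [addr] or [addr]:port
    if m:
        addr, port = m.group(1), m.group(2)
    elif arg.count(":") == 1:                           # IPv4:port
        addr, port = arg.split(":")
    else:                                               # bare IPv4 or bare IPv6
        addr, port = arg, None
    ipaddress.ip_address(addr.split("%")[0])            # ValueError if malformed
    port = int(port) if port else 53
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {arg!r}")
    return addr, port

def effective_resolvers(local_cf, resolv_conf):
    """Return (source, [(addr, port), ...]) that DNS tests would be sent to."""
    servers = []
    for line in local_cf.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments
        if len(fields) == 2 and fields[0] == "dns_server":
            servers.append(parse_dns_server(fields[1]))
    if servers:
        return "local.cf", servers
    # No dns_server directives: Net::DNS typically falls back to resolv.conf.
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append((fields[1], 53))
    return "resolv.conf", servers

if __name__ == "__main__":
    source, servers = effective_resolvers(SAMPLE_LOCAL_CF, SAMPLE_RESOLV_CONF)
    print(f"resolvers come from {source}:")
    for addr, port in servers:
        print(f"  {addr} port {port}")
```

Each address it reports can then be tested by hand with a TXT lookup against that server, since SPF and URIBL tests both depend on the same resolver list.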
 

keat63

I didn't see that actual extract, but did find something about it being DNS related, hence why I toyed with the two DNS type settings.
It appears to be working still this morning, and now I know where the problem was, so all's well that ends well.

Just thought it best to document it in case anyone else in the future has a similar issue.
 

aztopdavid

Well-Known Member
Jan 1, 2016
53
9
58
Arizona
cPanel Access Level
Root Administrator
This looks exactly like a problem I'm trying to solve. I had solved the blocked URIBL lookups by adding "dns_server 127.0.0.0" to /etc/mail/spamassassin/local.cf, but then I switched VPS hosts and the URIBL lookups were being blocked again. So this morning, I added that "dns_server" value, but that resulted in the two SPF "TEMPERROR" lines in the SpamAssassin tests that @keat63 started this topic with. I checked the Resolver setup on my new VPS and it's different from the old one -- the new one only has 10.10.10.10 in resolv.conf. I tried adding "dns_server 10.10.10.10" to the local.cf, but then "URIBL_BLOCKED" reappeared in the SA section, so I just took out the 10.10.10.10 entry, and "URIBL_BLOCKED" is gone and the two "TEMPERROR" lines are back. I'm not sure what I need to do so that the SPF errors go away *and* the URIBL lookups aren't blocked.