Customer email not passing SPF

Email from one of our customers is failing SPF and is being flagged as spam. I am helping them work through the issue, but I want to make sure that it isn’t on my end to avoid looking too stupid.

Their domain is rochesterartcenter.org. From the email header, the email is delivered by Google:

Received: from mail-il1-f180.google.com (mail-il1-f180.google.com [209.85.166.180])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
	(No client certificate requested)

Their TXT records are:

rochesterartcenter.org.	300	IN	TXT	"v=spf1 a:rochesterartcenter.org include:sendgrid.net include:mailman.bloomerang-mail.com -all"
rochesterartcenter.org.	300	IN	TXT	"google-site-verification=Ifm38gWyJHgj7ml3mYTyF4BVTElSnytai-BgNB1BL2I"

I’m not real familiar with how the ‘include’ part of the SPF works.

Their MX records are:

rochesterartcenter.org.	300	IN	MX	10 alt4.aspmx.l.google.com.
rochesterartcenter.org.	300	IN	MX	10 alt3.aspmx.l.google.com.
rochesterartcenter.org.	300	IN	MX	1 aspmx.l.google.com.
rochesterartcenter.org.	300	IN	MX	5 alt1.aspmx.l.google.com.
rochesterartcenter.org.	300	IN	MX	5 alt2.aspmx.l.google.com.

From what I’m seeing, they are using mail service from Google and the DNS is from Cloudflare.

As I said, I think the issue is on their end, but is it possible that there is actually a configuration issue on my end? I don’t remember customizing the SpamAssassin portion of my server. The only real custom stuff is I am using external DNS.

TIA!

They need to add include:_spf.google.com to the SPF record. The include mechanism adds the entire SPF record of whatever is specified. Their record should likely be:

v=spf1 a include:sendgrid.net include:mailman.bloomerang-mail.com include:_spf.google.com -all

Note that I removed the specified domain after a, as an SPF record will only apply to the domain of the TXT record, and I am assuming this is for @rochesterartcenter.org email addresses, so using a:rochesterartcenter.org is usually redundant, but you can leave it if you prefer.

This should help them with other non-free email providers, as well, as this is an IETF standard.

Thanks @openletter. Knowing what “include” refers to helps and makes much more sense than where I was headed. I will pass this on. Thanks again.

@openletter The customer added the include you suggested. I have them whitelisted so the mail is being delivered, but I think they are still failing SPF. What I am seeing as the fail is on line 8 of the log snippet below:

Feb 22 10:58:27 mail postfix/smtpd[879]: connect from mail-ej1-f48.google.com[000.00.000.00]
Feb 22 10:58:28 mail postfix/smtpd[879]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Feb 22 10:58:28 mail postgrey[1625]: action=pass, reason=client whitelist, client_name=mail-ej1-f48.google.com, client_address=000.00.000.00/32, sender=user2@rochesterartcenter.org, recipient=user1@daviesprinting.com
Feb 22 10:58:28 mail postfix/smtpd[879]: 9BA77A419DC: client=mail-ej1-f48.google.com[000.00.000.00]
Feb 22 10:58:28 mail postfix/cleanup[878]: 9BA77A419DC: message-id=<CAO8JtV=G0hoFbX=3JhG6twzYQtjHQUEsukg9prc41a8qYicJ+g@mail.gmail.com>
Feb 22 10:58:29 mail opendkim[16704]: 9BA77A419DC: s=google d=rochesterartcenter.org SSL
Feb 22 10:58:29 mail opendmarc[1137]: implicit authentication service: mail.daviesprinting.com
Feb 22 10:58:29 mail opendmarc[1137]: 9BA77A419DC: SPF(mailfrom): user2@rochesterartcenter.org fail
Feb 22 10:58:29 mail opendmarc[1137]: 9BA77A419DC: rochesterartcenter.org none
Feb 22 10:58:29 mail postfix/qmgr[5828]: 9BA77A419DC: from=<user2@rochesterartcenter.org>, size=14095, nrcpt=1 (queue active)
Feb 22 10:58:29 mail spampd[28342]: processing message <CAO8JtV=G0hoFbX=3JhG6twzYQtjHQUEsukg9prc41a8qYicJ+g@mail.gmail.com> for <user1@daviesprinting.com>
Feb 22 10:58:29 mail postfix/smtpd[879]: disconnect from mail-ej1-f48.google.com[000.00.000.00] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 22 10:58:31 mail spampd[28342]: clean message <CAO8JtV=G0hoFbX=3JhG6twzYQtjHQUEsukg9prc41a8qYicJ+g@mail.gmail.com> (3.11/5.00) from <user2@rochesterartcenter.org> for <user1@daviesprinting.com> in 1.86s, 14478 bytes.
Feb 22 10:58:31 mail postfix/lmtp[881]: 9BA77A419DC: to=<user1@daviesprinting.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=3.3, delays=1.2/0/0.01/2.1, dsn=2.0.0, status=sent (250 2.0.0 <user1@daviesprinting.com> 2DHtJrXiM2ByAwAA1nX8CA Saved)
Feb 22 10:58:31 mail postfix/qmgr[5828]: 9BA77A419DC: removed

If information from the header would be helpful, please let me know.

Any guesses on what else they can do? We have another customer who uses Google and has the same include:_spf.google.com as their only include. Their email passes SPF. I’m stymied.

Thanks!

Have someone from the Rochester Art Center visit https://mail-tester.com and then send an email to the address provided.

Pass along the link to the results here so I and others can see them. It should shed some light on things. @trinkel

@alento Yeah, that crossed my mind too, then I forgot. I’m getting too old for this.

I will reach out to them.

Thanks

@alento Here is the MailTester link: https://www.mail-tester.com/test-2k0o5bth7 . It came up 10/10. The only thing I saw is that there is no DMARC record.

What do the Authentication-Results headers show?

Authentication-Results headers:

Authentication-Results: mail.daviesprinting.com; dmarc=none (p=none dis=none) header.from=rochesterartcenter.org
Authentication-Results: mail.daviesprinting.com; spf=fail smtp.mailfrom=mpemberton@rochesterartcenter.org
Authentication-Results: mail.daviesprinting.com;
	dkim=pass (2048-bit key; unprotected) header.d=rochesterartcenter.org header.i=@rochesterartcenter.org header.b="QQMrAzpS";
	dkim-atps=neutral

Okay, so, this is a new one for me.

Does it show that the message was received by one of the approved servers? Here is the forum email for your reply, so it should look similar (I don’t conveniently have a G Suite email to look at the header in MiaB):

Received: from authenticated-user (box.occams.info [94.76.202.152])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(No client certificate requested)
	by box.occams.info (Postfix) with ESMTPSA id 0AA612B85C
	for <username@example.com>; Tue, 23 Feb 2021 16:10:33 -0500 (EST)

This is the trace:

Received: from mail.daviesprinting.com ([127.0.0.1])
	by mail.daviesprinting.com with LMTP id 2DHtJrXiM2ByAwAA1nX8CA
	for <user1@daviesprinting.com>; Mon, 22 Feb 2021 10:58:29 -0600
Received: from mail-ej1-f48.google.com (mail-ej1-f48.google.com [209.85.218.48])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.daviesprinting.com (Postfix) with ESMTPS id 9BA77A419DC
	for <user1@daviesprinting.com>; Mon, 22 Feb 2021 10:58:28 -0600 (CST)
Received: by mail-ej1-f48.google.com with SMTP id jt13so30635436ejb.0
        for <user1@daviesprinting.com>; Mon, 22 Feb 2021 08:58:28 -0800 (PST)

The sending server is 209.85.218.48. I traced back the _spf.google.com include and it is an include of three more lists which are populated with IP blocks. The closest one that I could find is 209.85.128.0/17 which looks like it is a range from 209.85.128.1 to 209.85.255.254 so, yes?

I’m assuming the record was updated before the email was sent?

Ummmm, hmmmmm. Valid question. I really don’t know. The email came in yesterday so it didn’t even cross my mind. I’ll check tomorrow at work.

Well, hell.

@openletter I think you nailed it. The SPF must have changed sometime between Monday and Tuesday while I was firing this thread back up. An email I got back from her yesterday afternoon passed.

So, in the way of recap, adding include:_spf.google.com to their SPF did fix the issue. That makes a lot more sense.

Thanks for your help. I really appreciate it. And sorry for the wild goose chase at the end.

In the rare case that I’m wrong, I’ll be back :nerd_face:.

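An added example, not part of any post in this thread: a simplified SPF evaluator (RFC 7208 subset) that shows why the original record failed for a Google sending IP and why adding include:_spf.google.com fixes it. The DNS table is constructed so the code runs offline; only the two rochesterartcenter.org records and 209.85.128.0/17 come from the thread, and `_netblocks.example`, the other ranges and the A record are placeholders.

```python
import ipaddress
# Records before and after the fix, as quoted in the thread.
OLD = ("v=spf1 a:rochesterartcenter.org include:sendgrid.net "
       "include:mailman.bloomerang-mail.com -all")
NEW = ("v=spf1 a include:sendgrid.net include:mailman.bloomerang-mail.com "
       "include:_spf.google.com -all")
# Constructed stand-in for DNS so this runs offline. Only 209.85.128.0/17 is
# from the thread; other ranges and _netblocks.example are placeholders.
TXT = {
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "mailman.bloomerang-mail.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.example ~all",
    "_netblocks.example": "v=spf1 ip4:209.85.128.0/17 ~all",
}
A = {"rochesterartcenter.org": ["203.0.113.10"]}  # constructed A record
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt, a_records, depth=0):
    """Simplified RFC 7208 evaluation: ip4, a, include and all only."""
    record = txt.get(domain)
    if record is None or depth > 10 or not record.startswith("v=spf1"):
        # A missing or looping include is an error; no record at the top is "none".
        return "permerror" if depth else "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in a_records.get(arg or domain, [])
        elif name == "include":
            inner = check_host(ip, arg, txt, a_records, depth + 1)
            if inner == "permerror":
                return inner
            # include matches only on "pass"; the child's ~all never leaks up.
            matched = inner == "pass"
        else:
            continue  # other mechanisms and modifiers are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def evaluate(record, ip, domain="rochesterartcenter.org"):
    return check_host(ip, domain, {**TXT, domain: record}, A)
```

With the sending IP from the trace, `evaluate(OLD, "209.85.218.48")` falls through to `-all` and returns `fail`, matching the opendmarc log line, while `evaluate(NEW, "209.85.218.48")` returns `pass` via the nested include.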