SPF - Result: fail (Mechanism '-all' matched)


#1

SPF Record Lookup

Looking up TXT SPF record for domain.com
Found the following namesevers for domain.com: ns3.linode.com ns2.linode.com ns4.linode.com ns1.linode.com ns5.linode.com
Retrieved this SPF Record: zone updated 20190223 (TTL = 461)
using authoritative server (ns3.linode.com) directly for SPF Check
Result: fail (Mechanism ‘-all’ matched)

Should I just ignore this SPF error?


#2

Can’t tell you without knowing what your TXT SPF record actually says.


#3

my TXT value is

v=spf1 include:_spf.google.com -all


#4

Ok. Why?

Tell me every way in which you will be sending email from your domain please.


#5

I’m still learning MIAB. There is no special sending goal at the moment, just to have a working MIAB default setup and a proper configuration.

v=spf1 include:_spf.google.com -all

The “include:_spf.google.com” is added because I did a domain verification.


#6

Ok then. So what you need is the default SPF record as you are (at least at this time) not intending for mails to be sent from any server other than your MiaB server.

v=spf1 mx -all

This SPF record declares that only the box is permitted to send @domain.com mail, which, from your description, is what you want. The SPF record that you are using is Google’s SPF record that would be used when using their domain email (GSuite?). That record says to treat all mail coming from Google’s servers as being legitimate email and not to accept any mail coming from your domain which is not coming from Gmail’s servers. In other words, it is likely directing a large amount of your domain’s email to fail.
You also mentioned domain verification … if that domain verification was for Google Postmaster (something you should do if you haven’t) then that format is nothing similar to their proper TXT record.
I suspect that you formerly used GSuite for your domain email? If so, these holdovers from then have to go. Please see the External DNS page in your MiaB admin area for the correct DNS records to use for mail. Please note that if you have a website hosted elsewhere and you have not entered Custom DNS entries in MiaB, the A records for your @ and www records are not correct, but the records related to email are correct.


#7

Result: pass (Mechanism ‘mx’ matched)

Thanks! @alento

I have another concern which is the spam assassin score. I’m not sure if I should ask another question or add it here.


#8

I think the preference of most would be to start another topic … then some months down the road it is easier to find information specific to what one is searching for, :slight_smile:
Thanks for asking!


#9

@alento I tried http://www.openspf.org

It’s being recommended that I should try

v=spf1 mx a:box.onevoix.com -all


#10

It’s the same thing. :slight_smile: (Assuming that your MiaB hostname is box.onevoix.com)


#11

hostname is box.onevoix.com

Thanks!


#12

I’d just like to comment on how SPF actually works, so that hopefully you can get a feel for what the records mean.

I’m going to use the openspf record to explain what the different parts mean.

SPF is used to tell a mail exchanger - that is the inbound server that handles your mail - what IP addresses your outbound mail servers sit on. It has a number of different mechanisms to do this, and each term is resolved in turn until you get to the final all term, which identifies what to do when the IP address doesn’t match any of the previous mechanisms.

I do see a number of SPF records in the wild that look like they may have been generated by an automated service such as openspf’s, and I wouldn’t decry using such services. Nonetheless understanding each term can be beneficial.

Each term in an SPF record has 4 possibilities:
+ allow
- hard fail
~ soft fail
? neutral

If there is no preceding term before an entry then allow is presumed.

So looking at the proposed record.

v=spf1 mx a:box.onevoix.com -all

v=spf1 is the spf version.
mx = use the MX record found in your domain’s DNS records
a:box.onevoix.com = use the A record (IPv4 address) for the DNS record box.onevoix.com
-all = reject all other IP addresses with a hard fail.

The inbound mail server will parse each entry and compare it. Let’s use nslookup to demonstrate.

C:\Users\timdu>nslookup -type=mx onevoix.com
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100

Non-authoritative answer:
onevoix.com     MX preference = 10, mail exchanger = box.onevoix.com

box.onevoix.com internet address = 172.104.117.8

So if the inbound IP address matches 172.104.117.8 then we get an SPF pass, and nothing more happens.

If it didn’t match we’d move on to the next term, which is the A record for box.onevoix.com

C:\Users\timdu>nslookup -type=A box.onevoix.com
Server: cache1.service.virginmedia.net
Address: 194.168.4.100

Non-authoritative answer:
Name:    box.onevoix.com
Address:  172.104.117.8

Again this resolves to 172.104.117.8, so in this case this is a redundant entry: if we get a pass on the first term we’d not get here, but if the IP didn’t match in the first case it wouldn’t match here either.

Finally if none of the previous terms match, we get the last entry
-all
Which in this case tells the inbound server to fail the mail.

In the original SPF specification there was no actual specification as to what the inbound server should do if the mail failed SPF checks.

Also note that SPF on its own does not survive a situation where someone has mail to their domain being forwarded to a third party’s servers, because the mail exchanger ONLY looks at the address of the server it is connected to.

Finally DMARC - which is used to set a policy for failed mails sent from your domain, also has a check to make sure that the domains used by DKIM and SPF match the From: address in the mail.

For example, if the envelope sender uses the domain example.com and the From: address uses the domain other.com, the mail would fail because the domains are different.
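The term-by-term evaluation described in the post above (and the reason the original poster’s Google-style record produced “Mechanism '-all' matched” in post #1 while “v=spf1 mx -all” from post #6 produced “Mechanism 'mx' matched”) can be reproduced with a small evaluator. This is an added example, not code from the thread or from Mail-in-a-Box. It resolves names against a constructed in-memory table rather than live DNS: the onevoix.com MX and A data are the values shown in the nslookup output above, while the _spf.google.com entry is a placeholder (the real published record is different and much larger) and gsuite.example, soft.example and nospf.example are hypothetical domains used only for illustration. It handles the mechanisms discussed in the thread (mx, a, ip4/ip6, include, all) with the four qualifiers; redirect= and other modifiers are skipped.

```python
"""Toy SPF check_host() over a constructed DNS table (added example, not live DNS)."""
from ipaddress import ip_address, ip_network

# Constructed DNS data. onevoix.com entries mirror the nslookup output in the
# thread; _spf.google.com is a PLACEHOLDER, not Google's real record; the
# *.example names are hypothetical.
DNS = {
    ("onevoix.com", "TXT"): ["v=spf1 mx a:box.onevoix.com -all"],
    ("onevoix.com", "MX"): ["box.onevoix.com"],
    ("box.onevoix.com", "A"): ["172.104.117.8"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    # The original poster's record, for a domain whose mail really leaves the box.
    ("gsuite.example", "TXT"): ["v=spf1 include:_spf.google.com -all"],
    ("soft.example", "TXT"): ["v=spf1 mx ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # cap include: nesting so a looping record cannot recurse forever


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the table has no such record."""
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def host_addresses(host):
    return [ip_address(a) for a in lookup(host, "A")]


def mechanism_matches(mech, ip, domain, depth):
    """True if the connecting IP is covered by this one mechanism."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True                                   # "all" always matches
    if name in ("ip4", "ip6"):
        return ip in ip_network(arg, strict=False)    # literal address or CIDR
    if name == "a":
        return ip in host_addresses(arg or domain)    # A record of host or domain
    if name == "mx":
        return any(ip in host_addresses(mx) for mx in lookup(arg or domain, "MX"))
    if name == "include":
        # include: matches only when the other domain's record yields "pass"
        return check_host(ip, arg, depth + 1)[0] == "pass"
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(ip, domain, depth=0):
    """Evaluate terms left to right; return (result, matched_term)."""
    ip = ip_address(ip)
    if depth > MAX_DEPTH:
        return ("permerror", None)
    record = spf_record(domain)
    if record is None:
        return ("none", None)
    for raw in record.split()[1:]:          # skip the "v=spf1" version tag
        if "=" in raw:                      # modifiers (redirect=, exp=) not handled
            continue
        qualifier, term = "+", raw          # no qualifier means "+" (allow)
        if raw[0] in QUALIFIERS:
            qualifier, term = raw[0], raw[1:]
        if mechanism_matches(term, ip, domain, depth):
            return (QUALIFIERS[qualifier], raw)
    return ("neutral", None)                # ran out of terms without an "all"


def explain(ip, domain):
    """Format a result the way the checker in the thread reports it."""
    result, term = check_host(ip, domain)
    return f"Result: {result}" + (f" (Mechanism '{term}' matched)" if term else "")


if __name__ == "__main__":
    print(explain("172.104.117.8", "onevoix.com"))    # the box: pass on "mx"
    print(explain("198.51.100.7", "onevoix.com"))     # anything else: fail on "-all"
    print(explain("172.104.117.8", "gsuite.example")) # the box vs Google record: fail
```

The third case is the original poster’s situation: the box’s IP is not in Google’s range, so the include yields no match and evaluation falls through to -all. Swapping the record for “v=spf1 mx -all” makes the same IP match the first term, which is exactly the change between post #1 and post #7.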