Where to put SPF records

Hi folks, I need help understanding where to put SPF records … the reference pages I’ve read into have left me quite muddled :frowning:

I’ve made a custom record like this:
v=spf1 ip4:xxx.xxx.xxx.xxx include:box.acdit.email include:domain.name1 include:domain.name2 include:domain.name3 include:domain.name4. -all

Does this look right? - and where should I enter it - in the DNS for my box or/and the DNS for all the included domains?

Thanks all,


An SPF record is a type of TXT record that is created for each domain name, including one for each subdomain, and each record is specifically for each.

I’m not really sure how to evaluate an obfuscated SPF record, other than to say it looks like it probably will work.

The DNS server of the domain name is where the TXT record for that domain (and subdomains) will be created.

Note that the RFC for SPF states that a record cannot include more than 10 DNS lookups, which also counts from nested lookups (e.g., the SPF record of your include domains). Your record currently has 5 DNS lookups, and if any of the include domains that will increase the number of DNS lookups. More than 10 lookups and many servers, but not all, will fail the SPF check on your domain.

Hi @openletter , thanks for chiming in. The reason for posting this is that some mails I send, either programmatically or via Roundcube go to spam or get bounced.

Excuse the obfuscation, I didn’t want to post exact data here.

The ip4 is the address of my box - which is also the first include(? seems weird). The other includes are the domains that I’ve added to Roundcube.

Just for clarity - are you saying that this SPF (as a TXT - I understand that) record with all these includes should be added to the dns for each of these domains?

I’m using the SPF record checker at dmarcanalyzer.com to test acdit.com where I’ve added this record - it’s still saying “could not find an SPF record”, but perhaps it’s still waiting for the DNS to propagate.

Your guidance is much appreciated! :slight_smile:

An SPF record is to include only the servers sending on behalf of the hostname for the TXT record of the hostname domain. This is included in either the HELO/EHLO response or RFC 5321 MAIL FROM.

This means that each hostname will have their own SPF record and usually it will be a unique SPF, with the exception of when hostnames are all using the exact same sending servers to authorize mail to be sent from.

IIRC, using the current domain as an include in an SPF record will result in an infinite loop and will fail due to more than 10 DNS lookups and possibly other reasons.

MiaB by default creates an SPF record for every hostname that has an A record (check the ‘External DNS’ page to see this), and there is no such thing truly as “DNS propagation” - this term is invented by customer service staff who want to make customers go away. DNS is cached based on the TTL, and the TTL is a minimum (caching servers may retain the record for however long they wish up to the RFC defined maximum, assuming they follow RFCs). So what you may be waiting for is the caching server to expire, but usually this would show a problem caused by some previous iteration of the record.

Since I don’t have the actual record, it’s possible you have some syntax error, possibly a space at the beginning or an errant quotation mark, or something. The record is supposed to begin with exactly v=spf1.

1 Like

Oh dear, 30+ years as a software dev is not helping me get my head around this …
I wonder if I’ve got hold of the wrong end of the stick -
I’m talking about the DNS settings for each of my domains in the admin portal of my hosting provider.
My box is hosted there too, but on another server of course.
Since MiaB uses reverse DNS, I now suspect that I may be way off on the wrong track and what I’m trying is just nonsense. (I’ve been following info on dmarcanalyzer.com/spf/how-to-create-an-spf-txt-record/).
Here’s a test case I’ve just performed:
I have a new domain that Gmail has never received mail from - I made a new Gmail account too, just to be sure it’s all fresh.
I sent 4 emails thru’ Roundcube from that new domain to the new Gmail account.
#1 went to spam. #2 landed in Inbox. #3 and #4 went to spam.
MiaB External DNS shows e2ee.im TXT v=spf1 mx -all
I have not tried to add any new records in the e2ee.im hosting DNS.

Why are these mails going to spam?

The best way to determine this is first look at the message headers using the Gmail interface.

Next look at the log messages for the transaction in /var/log/mail.log. Usually between these two I can find if there is anything I am able to correct.

Otherwise, it could be a new domain and plus whatever your message content is. (Use something that looks like a human typed it and is unique.)

Also note, Google is tracking absolutely everything. A better option is to spool up a new server with an ISP you don’t usually use and proxy your internet through that when you create and use the Gmail account, plus ideally use a fresh new user on your computer. Otherwise they may assume the IP address used and various fingerprint identifying techniques is one of the various users already associated with a different Gmail account.

Thanks for staying with me :slight_smile:
This what I see at Gmail:
SPF: NEUTRAL with IP 2a02:c207:2070:5720:0:0:0:1
DKIM: ‘FAIL’ with domain e2ee.im

Isn’t this DKIM failure a problem?

As you suggested, I sent 2 more emails with original subjects and messages typed on my keyboard instead of just “test” for the subject and my default signature.
They both landed in Gmail Inbox.
A third and a fourth, made in the same way as those two but also including the signature (just text, “best regards”) went to spam.

This sounds like you have a record with ?. I’m not clear this means the record passes or fails as I never use this qualifier. There are many mail servers that treat records with ? the same as having no record.


Further tests conclude that mail to Gmail from the admin@acdit.email - the box domain - passes SPF, DKIM and DMARC.
Mail from any of the aliases in MiaB fails DKIM and reports NEUTRAL for its SPF check.

in /var/log/mail.log I see this - I’m guessing for all the mails that went to spam:
Sep 10 15:45:21 box opendkim[27103]: th-property.com: key data is not secure: /home/user-data is writeable and owned by uid 1000 which is not the executing uid (115) or the superuser

What can I do about that?

The key data log entry is not related to this and can’t be fixed. Everyone running MiaB has this.

1 Like

Hold on everyone … @acdit

You do not include the domain names added to your server. You add servers who are sending email for your domain.

In most cases the spf record “v=spf1 mx -all” is sufficient. You would only add includes if you are ALSO sending email from a third party service such as AWS, Mailgun, etc.

As for where to host the TXT SPF record - that would be wherever you are hosting DNS for the domain in question, be it your MiaB, your registrar, or a third-party such as Cloudflare.

If you’d PM me with your MiaB server hostname, and the domains that you are serving with it, I’ll check the SPF records for correctness,

Thank you @alento , I will do so …

Issue resolved! - with big thanks to @alento :slight_smile:

I copied the spf, _dmarc and mail._domainkey (DKIM) values from MiaB External DNS to the DNS configs for all my website domains at my hosting provider.

Gmail now validates the sender and does not send my (not-at-all-spammy) mails to spam. I assume that other email services like Hotmail etc. will behave accordingly.

I’m a very happy happy camper!

btw: SPF record Checker | SPF record Tester - Mimecast | DMARC Analyzer is a great tool for testing your email-related DNS config.

Unfortunately, this isn’t always the case and will vary based on the sending server’s IP address. Microsoft is notably more difficult to please.

Hi @openletter - indeed. A quick search gave me
Top 3 webmail opens

  1. Gmail: 75.0%
  2. Yahoo! Mail: 14.8%
  3. Outlook.com: 2.4%

Yahoo’s share surprises me, and I thought I’d see Hotmail, Live etc there, or maybe that’s all under the Outlook banner. I should get a Yahoo account for test purposes.

1 Like

AoL/Yahoo/Verizon are all handled by Verizon. And yes that is a pleasant surprise.

Do you have any mail log rejections from M$? If you do there is an excellent guide in the Guides section of this forum discussing how to get them to play ball!

I believe twice, almost a year ago, but same with Gmail too. I stopped using SMTP at that time. I’m also pretty sure many of my emails send from Roundcube didn’t get through either during this time.

I’ve only now had time to return to these issues, so I’m very keen to resolve all as well as possible while I’m focussed on it

Thanks, I’ll look at that too.