coyotejeff

SPF Confusion

All, my office has 14 outgoing mail servers.  That makes my SPF string too long.  I have tried to generalize it with the following:

v=spf1 mx a:ccareynkf.com ~all

However, I am still getting softfails:

Received-SPF: softfail (google.com: domain of transitioning jhumphrey@ccareynkf.com does not designate 209.76.96.12 as permitted sender) client-ip=209.76.96.12;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning jhumphrey@ccareynkf.com does not designate 209.76.96.12 as permitted sender) smtp.mail=jhumphrey@ccareynkf.com


In the past, we used the following SPF, but Network Solutions, who manages our DNS, didn't quite parse it correctly, I think.

OLD SPF--still softfailed--
* (All Others)        7200        v=spf1 a:spfa.ccareynkf.com a:spfb.ccareynkf.com ~all
 
spfa.ccareynkf.com.       7200       v=spf1 ip4:173.164.197.66 ip4:68.65.78.67 ip4:66.7.244.215 ip4:69.170.43.171 ip4:173.164.197.50 ip4:69.239.193.227 ip4:69.170.47.245 ip4:206.170.188.211
 
spfb.ccareynkf.com.       7200       v=spf1 ip4:209.76.96.12 ip4:209.76.96.28 ip4:209.76.96.18 ip4:69.105.43.67 ip4:63.207.5.147 ip4:216.31.226.235 ip4:69.105.43.68 ip4:69.239.193.235 include=postini.com ~all


I am not a DNS expert and frankly the SPF stuff is above me.  All of our sending servers have both A and PTR records.

Thanks for any help
DrDave242

According to that SPF record, your permitted servers will either:

- be listed in your domain's MX records.
- have a host record in the ccareynkf.com domain.

Check your MX records and ccareynkf.com's host records to see if 209.76.96.12 appears there.  If it does not, that's what's causing the softfails.
Update:  I did a little checking.  Assuming ccareynkf.com is your domain, none of the servers listed in your MX records has a host record matching that address, so that mechanism doesn't pass.

Then I checked PTR records for 209.76.96.12.  There are two of them:

scmail01.sccc.ccarey.com
scmail01.sccc.ccareynkf.com

The first one is irrelevant for our purposes, since it refers to a different domain.  I checked the host record for the second one, and it's got an address of 209.76.96.2 - very close, but not the same as 209.76.96.12.  That's probably the problem.
coyotejeff

ASKER

Thanks, checking that out right now!
OK, so after fixing the DNS issues, I am still getting a soft fail.  Is my SPF record incorrect?

Received-SPF: softfail (google.com: domain of transitioning jhumphrey@ccareynkf.com does not designate 209.76.96.12 as permitted sender) client-ip=209.76.96.12;
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning jhumphrey@ccareynkf.com does not designate 209.76.96.12 as permitted sender) smtp.mail=jhumphrey@ccareynkf.com
As I stated, my SPF looks like this:

v=spf1 mx a:ccareynkf.com ~all

The MX portion of it refers to Postini, which we sometimes use for outgoing, but not usually.
More information.  After using Kitterman's tool, I get this:

Input accepted, querying now...


Mail sent from this IP address: 209.76.96.12
Mail from (Sender): jhumphrey@ccareynkf.com
Mail checked using this SPF policy: v=spf1 mx a:ccareynkf.com ~all
Results - softfail domain owner discourages use of this host


Any help is appreciated.
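
An added example (not code from the thread): a minimal evaluator for the `mx`, `a`, `ip4` and `all` mechanisms, run against the policy quoted above. Per RFC 7208, `a:ccareynkf.com` matches only the addresses of the name ccareynkf.com itself and `mx` only the addresses of the domain's MX hosts, so a sending host elsewhere in the domain falls through to `~all`. The DNS table is constructed: only 209.76.96.12 and scmail01.sccc.ccareynkf.com come from the thread, and it assumes that host's A record now matches the sending address after the DNS fix.

```python
import ipaddress

# Constructed DNS data, not real lookups. Only the sender IP and the scmail01
# host name come from the thread; every other name and address is a placeholder.
DNS = {
    ("ccareynkf.com", "MX"): ["mx1.filter.example", "mx2.filter.example"],
    ("mx1.filter.example", "A"): ["192.0.2.25"],
    ("mx2.filter.example", "A"): ["192.0.2.26"],
    ("ccareynkf.com", "A"): ["198.51.100.80"],
    ("scmail01.sccc.ccareynkf.com", "A"): ["209.76.96.12"],  # assumed post-fix
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def check_spf(record, sender_ip, domain):
    """Evaluate all/ip4/a/mx left to right; return (result, matching term).
    include, exists, ptr, modifiers, macros and a/mx CIDR suffixes are not handled."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":    # addresses of the target name only, not its subdomains
            hit = sender_ip in lookup(arg or domain, "A")
        elif name == "mx":   # addresses of the hosts named in the MX records
            hit = any(sender_ip in lookup(h, "A") for h in lookup(arg or domain, "MX"))
        else:
            return "unsupported", term
        if hit:
            return QUALIFIERS[qualifier], term
    return "neutral", None  # no mechanism matched and the record has no "all"

if __name__ == "__main__":
    print(check_spf("v=spf1 mx a:ccareynkf.com ~all", "209.76.96.12", "ccareynkf.com"))
```

Naming the sending host (`a:scmail01.sccc.ccareynkf.com`) or its address (`ip4:209.76.96.12`) in the policy makes the same check return pass.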