  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1213

Trouble with SPF record

Hi,

Having major trouble with SPF record. Web company have messed with DNS on hosting when setting a new website up and now having problems getting mail out to certain organisations.

Record details below:

TXT      hpm.uk.com v=spf1 a mx ip4:194.176.73.0/24 -all

ISP suggested changes which I made which turned out to be wrong and I'm falling at the final furlong as can be seen below:
Record: v=spf1 a mx ip4:194.176.73.0/24 -all
Prefix  Type  Value            Prefix Desc  Description
+       a                      Pass         Match if IP has a DNS 'A' record in given domain
+       mx                     Pass         Match if IP is one of the MX hosts for given domain name
+       ip4   194.176.73.0/24  Pass         Match if IP is in the given range
-       all                    Fail         Always matches. It goes at the end of your record.

It's the -all bit I'm stuck on, the rest validates absolutely fine!

Any help would be much appreciated!

Thanks

IT-Darlo
Papertrip Commented:
What your ISP suggested is just fine as long as the IP of your sending servers matches on of those mechanisms.

"v=spf1 a mx ip4:194.176.73.0/24 -all"

 
Papertrip Commented:
*matches one of those mechanisms.

Actually the MX modifier is redundant as the IPs fall into the ip4 CIDR mask.

So technically your SPF record can just be
"v=spf1 a ip4:194.176.73.0/24 -all"


Or, if you do not send mail from 77.235.47.172, then it can just be
"v=spf1 ip4:194.176.73.0/24 -all"




[root@broken ~]# dig hpm.uk.com +short
77.235.47.172
[root@broken ~]# dig mx hpm.uk.com +short
0 mx1.onyx.net.
10 mx2.onyx.net.
[root@broken ~]# dig mx1.onyx.net +short
194.176.73.106
[root@broken ~]# dig mx2.onyx.net +short
194.176.73.105

 
Papertrip Commented:
Or, if you only send mail from mx1 and mx2.onyx.net, it can be
"v=spf1 ip4:194.176.73.105 ip4:194.176.73.106 -all"


or
"v=spf1 ip4:194.176.73.105/30 -all"


If you are signing with DKIM, then I suggest changing -all to ~all
 
IT-Darlo (Author) Commented:
Thanks, will report back once it's updated.
 
IT-Darlo (Author) Commented:
Ok, it seems to have updated very quickly but it's still failing on MXToolbox, please see attached.

 MXToolbox Screen Shot
 
IT-Darlo (Author) Commented:
I don't know whether it matters that it's failing on there, as checking it on here against the validator says it's a pass

http://www.kitterman.com/spf/validate.html

Nightmare!
 
Papertrip Commented:
You are all good, that just says that -all means to hardfail the message if the sending IP is not listed in your SPF record.  The testing link you pasted last is a good one to use.
 
IT-Darlo (Author) Commented:
Ah ok, I was still getting fails and thinking hang on, something must be wrong here, so I've taken the -all out, but going by what you said above that shouldn't matter?

thanks again
 
Papertrip Commented:
Leave the -all in, it is not a failure in your syntax.  Your current record is fine.
 
IT-Darlo (Author) Commented:
Ah ok I'll re-amend it.

Thanks again for your help.

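Added example, not part of the original thread: a simplified SPF evaluator covering only the a, mx, ip4 and all mechanisms, run against a constructed DNS snapshot copied from the dig output above. The name check_spf and the DNS dict are assumptions for illustration; it shows that "Fail" on -all is the verdict for unlisted senders, not a syntax error, and what happens when -all is removed.

```python
import ipaddress

# Constructed offline DNS snapshot, copied from the dig output in the thread.
DNS = {
    "A": {"hpm.uk.com": ["77.235.47.172"],
          "mx1.onyx.net": ["194.176.73.106"],
          "mx2.onyx.net": ["194.176.73.105"]},
    "MX": {"hpm.uk.com": ["mx1.onyx.net", "mx2.onyx.net"]},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, domain="hpm.uk.com", dns=DNS):
    """Evaluate a/mx/ip4/all left to right (small subset of RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        # A missing qualifier means "+", which is why "a" reads as Pass.
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True                 # always matches, so it goes last
        elif name == "ip4":
            # strict=False accepts host bits, e.g. 194.176.73.105/30
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = dns["MX"].get(arg or domain, [])
            matched = any(str(ip) in dns["A"].get(h, []) for h in hosts)
        else:
            return "permerror"             # outside this example's subset
        if matched:
            return RESULTS[qualifier]      # first match decides the result
    return "neutral"                       # nothing matched and no "all" term

if __name__ == "__main__":
    full = "v=spf1 a mx ip4:194.176.73.0/24 -all"
    for sender in ("194.176.73.106", "77.235.47.172", "203.0.113.9"):
        print(sender, check_spf(full, sender))
    # Record with -all taken out: unlisted senders are no longer rejected.
    print(check_spf("v=spf1 a mx ip4:194.176.73.0/24", "203.0.113.9"))
```

203.0.113.9 is a documentation-range address standing in for an unlisted sender.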