Need Help Fixing SPF1 Record
Hello Experts,
I have an urgent need to fix an SPF record on one of my domains (call it mydomain.net). This domain was recently moved from Network Solutions to GoDaddy. I use this domain to send emails to an opt-in list. The emails are sent using a s/w package called Gammadyne. My office has a fixed IP address which I will say is 99.99.99.234.
Gammadyne is configured to use GoDaddy's smtp servers which are smtpout.secureserver.net. I program my username and password and everything seems to works fine. The problem is that virtually none of the emails are making it through. I am getting a 30% bounce back rate with errors referring to mail loops. I think the problem is caused by my domains' spf1 record. It currently reads as follows:
v=spf1 mx include:secureserver.net -all
I think this means that any emails from secureserver.net are fine, but emails coming from anywhere else are bad. I came across the "Sample Sender Policy Framework (SPF) Lookup" email tool at myiptest.com. When I run the test I get the following error:
Received-SPF: fail (domain of mydomain.net does NOT designate 99.99.99.234 as permitted sender) client-ip=99.99.99.234
I think this is causing the email to be treated as SPAM or to get caught in an endless loop. I want to modify the spf1 record to designate my IP address as legitimate. GoDaddy has a tool that generates the spf1 record - but they cannot give me advice how to use it. Using the tool, I came up with the following:
v=spf1 a mx ptr mx:smtp.secureserver.net mx:mailstore1.secureserver
After waiting 30 minutes I used the SPF lookup tool again and received a passing mark:
Received-SPF: pass (Domain of mydomain.net designates 99.99.99.234 as permitted sender) client-ip=99.99.99.234
Does my new code seem right to you? (The tool suggested that I add ptr in the code.) Is there anything else in terms of delivery I need to be aware of to avoid mail loops or other delivery problems?
Thanks for any suggestions!!
Chip
I have an urgent need to fix an SPF record on one of my domains (call it mydomain.net). This domain was recently moved from Network Solutions to GoDaddy. I use this domain to send emails to an opt-in list. The emails are sent using a s/w package called Gammadyne. My office has a fixed IP address which I will say is 99.99.99.234.
Gammadyne is configured to use GoDaddy's smtp servers which are smtpout.secureserver.net. I program my username and password and everything seems to works fine. The problem is that virtually none of the emails are making it through. I am getting a 30% bounce back rate with errors referring to mail loops. I think the problem is caused by my domains' spf1 record. It currently reads as follows:
v=spf1 mx include:secureserver.net -all
I think this means that any emails from secureserver.net are fine, but emails coming from anywhere else are bad. I came across the "Sample Sender Policy Framework (SPF) Lookup" email tool at myiptest.com. When I run the test I get the following error:
Received-SPF: fail (domain of mydomain.net does NOT designate 99.99.99.234 as permitted sender) client-ip=99.99.99.234
I think this is causing the email to be treated as SPAM or to get caught in an endless loop. I want to modify the spf1 record to designate my IP address as legitimate. GoDaddy has a tool that generates the spf1 record - but they cannot give me advice how to use it. Using the tool, I came up with the following:
v=spf1 a mx ptr mx:smtp.secureserver.net mx:mailstore1.secureserver
After waiting 30 minutes I used the SPF lookup tool again and received a passing mark:
Received-SPF: pass (Domain of mydomain.net designates 99.99.99.234 as permitted sender) client-ip=99.99.99.234
Does my new code seem right to you? (The tool suggested that I add ptr in the code.) Is there anything else in terms of delivery I need to be aware of to avoid mail loops or other delivery problems?
Thanks for any suggestions!!
Chip
If you have MX records listed, what are they? If they are the Go Daddy servers then simply add your own server 99.99.99.234 to the list and the simpler record should work.
ASKER
Hi Mike,
Thanks for your help! I was just about to launch a campaign with the modified SPF - but have noticed that my test email that I send to myself goes to my Junk folder in Outlook. Could the SPF record be causing this?
I never noticed that the -all on the first changed to ~all.
To answer your question, I have two MX records under the domain:
mailstore1.secureserver.ne
smtp.secureserver.net has priority of 0
interesting, I do not see smtpout.secureserver.net which is the server I log into.
Are you suggesting I add my IP address to the MX record?
Thanks for your help! I was just about to launch a campaign with the modified SPF - but have noticed that my test email that I send to myself goes to my Junk folder in Outlook. Could the SPF record be causing this?
I never noticed that the -all on the first changed to ~all.
To answer your question, I have two MX records under the domain:
mailstore1.secureserver.ne
smtp.secureserver.net has priority of 0
interesting, I do not see smtpout.secureserver.net which is the server I log into.
Are you suggesting I add my IP address to the MX record?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Mike - we are almost done. :) I typed a long follow-up before I saw your post.
Is it OK to add my IP address of 99.99.99.234 to the MX record?
When I do a DNS lookup on my IP I get the following:
rrcs-99-99-99-234.west.biz
How long does it take for this to take affect? How can I tell it is active?
Is it OK to add my IP address of 99.99.99.234 to the MX record?
When I do a DNS lookup on my IP I get the following:
rrcs-99-99-99-234.west.biz
How long does it take for this to take affect? How can I tell it is active?
ASKER
Mike,
Here is the follow-up I was about to send before your last post:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Hello Mike,
I have some more info. If possible, I would rather not mess with the MX record. I have read that it is not a good idea to put an IP address there and I am working on a short time frame to send out these emails.
I was all set to send them out except for the fact that Outlook treated it as Junk. I cannot see why this is happening because the email is very plain and does not have any obvious SPAM words.
Here are my questions:
1). Is my SPF record fine as it is?
2) What about the "a" that I added? Would it be better to remove it?
3) Should I keep the "ptr"?
4) Should I change the tilde ~all to a minus -all?
5) What do you think of the following as a simple record - would this work?
v=spf1 mx include:secureserver.net ip4:99.99.99.234 -all
I know DNS changes can take 24-48 hours to propagate the internet. Is the same true for SPF changes? Is the SPF information stored on various servers around the world or is it just on GoDaddy's servers? In the past it appears changes to SPF records go online in 30 minutes or so. Is that possible?
Thanks so much for your help!
Here is the follow-up I was about to send before your last post:
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Hello Mike,
I have some more info. If possible, I would rather not mess with the MX record. I have read that it is not a good idea to put an IP address there and I am working on a short time frame to send out these emails.
I was all set to send them out except for the fact that Outlook treated it as Junk. I cannot see why this is happening because the email is very plain and does not have any obvious SPAM words.
Here are my questions:
1). Is my SPF record fine as it is?
2) What about the "a" that I added? Would it be better to remove it?
3) Should I keep the "ptr"?
4) Should I change the tilde ~all to a minus -all?
5) What do you think of the following as a simple record - would this work?
v=spf1 mx include:secureserver.net ip4:99.99.99.234 -all
I know DNS changes can take 24-48 hours to propagate the internet. Is the same true for SPF changes? Is the SPF information stored on various servers around the world or is it just on GoDaddy's servers? In the past it appears changes to SPF records go online in 30 minutes or so. Is that possible?
Thanks so much for your help!
What your original SPF record v=spf1 mx include:secureserver.net -all means is that any , and only, servers listed in the mx records for secureserver.net are OK.Actually the mx mechanism is not related to the include. The mx mechanism says the MX records for the domain of the overall SPF record are able to send, not the MX's of secureserver.net. If he had "mx:secureserver.net" that would be a different story.
The spf record isn't causing Outlook to label it as junk directly, but if the sender isn't listed as an MX record, it looks like it's spoofed. I suspect that if you add your server as an MX record it will clear up.The sending server most definitely does not need to be listed as an MX for the domain.
I'm not sure why you are sending from that 99.x IP if your server is configured to use SMTP via GoDaddy, but apparently something else is happening. If you want GoDaddy to send from your domain along with the 99.x IP, make the record like this, no need for the A or PTR mechanisms:
"v=spf1 ip4:99.99.99.234 include:secureserver.net -all"There is no magic 24-48 hours propagation time, that is just something service providers tell their customers so they don't complain about not getting immediate results. All that matters is the TTL of the existing record. If your TTL before the change was 300 (5 minutes) then all RFC compliant resolvers will have your new record in 5 minutes. Keep in mind some large providers like Hotmail cache SPF results sometimes for up to 24 hours.
I know DNS changes can take 24-48 hours to propagate the internet. Is the same true for SPF changes? Is the SPF information stored on various servers around the world or is it just on GoDaddy's servers? In the past it appears changes to SPF records go online in 30 minutes or so. Is that possible?
ASKER
Mike,
Thanks so much! I will implement the change now and hope to test the new SPF in the next 10-15 minutes. If it tests OK, I will launch the emails and close the question. Would you mind checking back in about 15 minutes?
Thanks!
Thanks so much! I will implement the change now and hope to test the new SPF in the next 10-15 minutes. If it tests OK, I will launch the emails and close the question. Would you mind checking back in about 15 minutes?
Thanks!
ASKER
The TTL is actually set to 1 hour :( The shortest I can set it to is 1/2 hour,
1. It is for now, but if GoDaddy changes their mail servers then it won't be anymore. Better to just say "any servers from secureserver.net" since that's really your goal. But do verify that the MX records, which tell others where to send your incoming mail, are actually used for sending your outgoing mail. Otherwise use the individual servers that you know are correct.
2. I would take out the A because you're saying that any A record from secureserver.net is OK, and it isn't. You only want to check MX records plus the one you're adding.
3. According to spf.org: "If at all possible, you should avoid using this mechanism in your SPF record, because it will result in a larger number of expensive DNS lookups."
4. If those are the only servers that should be sending mail from your domain, yes.
5. Looks good.
In regards to your later/earlier question about adding the MX record, you can use the hostname or the IP but the host name is better as long as looking up the IP resolves to the host name and vice versa.
The records propagate like any other DNS record. It can take 24-48 hours globally but that doesn't mean that it will take that long to the place you're testing from.
2. I would take out the A because you're saying that any A record from secureserver.net is OK, and it isn't. You only want to check MX records plus the one you're adding.
3. According to spf.org: "If at all possible, you should avoid using this mechanism in your SPF record, because it will result in a larger number of expensive DNS lookups."
4. If those are the only servers that should be sending mail from your domain, yes.
5. Looks good.
In regards to your later/earlier question about adding the MX record, you can use the hostname or the IP but the host name is better as long as looking up the IP resolves to the host name and vice versa.
The records propagate like any other DNS record. It can take 24-48 hours globally but that doesn't mean that it will take that long to the place you're testing from.
Papertrip, thanks for the clarifications :-)
ASKER
Hello,
I have been running a few last minute SPF tests and came across one fail. See the image below. Do I need to also add these IP addresses to my list of allowed IPs, or is this just because I need to wait a little longer for everything to propagate. Strange how both IP addresses are from secureserver.net - yet one passed an one failed.
I have been running a few last minute SPF tests and came across one fail. See the image below. Do I need to also add these IP addresses to my list of allowed IPs, or is this just because I need to wait a little longer for everything to propagate. Strange how both IP addresses are from secureserver.net - yet one passed an one failed.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Papertrip,
Thanks for pointing out the error of that test. I have been using Kitterman as one of several test sites. I did as you asked and received mixed results. I think I passed the first and the third test, but failed the middle. Here are screen shots of the three tests. Did I do something wrong on the middle test?
I really appreciate your patience in helping me with this. I need to get this straightened out this morning so I do not miss a deadline sending emails. Part of me is tempted to just get rid of the SPF1 record completely. (j/k mostly). I hope this is something I am doing wrong and my record is fine.
Is there any way I could email you or private message you the actual domain info so you could test it? I do not want to post it online for all to see.
Thanks for pointing out the error of that test. I have been using Kitterman as one of several test sites. I did as you asked and received mixed results. I think I passed the first and the third test, but failed the middle. Here are screen shots of the three tests. Did I do something wrong on the middle test?
I really appreciate your patience in helping me with this. I need to get this straightened out this morning so I do not miss a deadline sending emails. Part of me is tempted to just get rid of the SPF1 record completely. (j/k mostly). I hope this is something I am doing wrong and my record is fine.
Is there any way I could email you or private message you the actual domain info so you could test it? I do not want to post it online for all to see.
A suggestion for you so that you can continue to work on this while sending emails: Instead of -all, use ~all. This tells servers to "soft fail" an invalid server: this means, pass you but mark the server as possibly not bing valid later. The benefit is that SPF testing will show you whether you should have passed or failed, without your mail being interrupted.
BTW I looked at our own SPF records, and we list 3 servers in 3 separate records, no MX records.
BTW I looked at our own SPF records, and we list 3 servers in 3 separate records, no MX records.
ASKER
Mike,
That is an interesting idea. I am sending the emails to F500 companies. Do you think a soft-fail will likely get rejected or routed to SPAM? I will make the change now, wait a little and test it out with a small sample.
Would it be possible to post your SPF records with any sensitive info redacted so I can see the format? I did not know that you can have multiple records.
That is an interesting idea. I am sending the emails to F500 companies. Do you think a soft-fail will likely get rejected or routed to SPAM? I will make the change now, wait a little and test it out with a small sample.
Would it be possible to post your SPF records with any sensitive info redacted so I can see the format? I did not know that you can have multiple records.
ASKER
Update - in the process of sending out 100 now. I should have results in the next 30-60 minutes. Fingers are crossed. :)
I don't know how you do this in GoDaddy, but in our BIND 9.7.x db file (our DNS server), we have 3 SPF records:
company.com. IN TXT "v=spf1 mx include:service.differentc
smtp1 IN TXT "v=spf1 a -all"
smtp2 IN TXT "v=spf1 a -all"
The first one is a contracted third party who sends out mail on our behalf.
company.com. IN TXT "v=spf1 mx include:service.differentc
smtp1 IN TXT "v=spf1 a -all"
smtp2 IN TXT "v=spf1 a -all"
The first one is a contracted third party who sends out mail on our behalf.
ASKER
Thank you both for all of your help with this. Since my last post I had the chance to talk to the developer of Gammadyne over the phone. He pointed out two potential problems with my set-up:
1. If you enter mydomain.net in your address bar, you get nothing but a timeout message. This is because I do not have a website for this domain. He said I should have a website with a fixed IP and be sure that my IP address resolves to the website on a reverse DNR search.
2. He also said it would be preferable if emails that come from user@mydomain.net used smtp servers that were on the same domain - such as smtp.mydomain.net. This is not something that GoDaddy supports directly. My contact said there are third party programs that I could upload to my future site that would let me domain act as an SMTP server. He could not give me a specific name, however.
Based on this input, today I purchased a hosting plan and fixed IP from GoDaddy. I will in the next day or two have a site online. At that time, I may post a follow-up question to be sure I have my MX and SPF1 records correctly configured. Since the settings will be different, I think it is fair to you two to close this thread as resolved. If you are willing, please keep an eye out for a new question or two from me in the next day or so. Thanks again!!
PS - all of your answers were helpful. To make it easier, I selected one answer from each of you as the solution.
1. If you enter mydomain.net in your address bar, you get nothing but a timeout message. This is because I do not have a website for this domain. He said I should have a website with a fixed IP and be sure that my IP address resolves to the website on a reverse DNR search.
2. He also said it would be preferable if emails that come from user@mydomain.net used smtp servers that were on the same domain - such as smtp.mydomain.net. This is not something that GoDaddy supports directly. My contact said there are third party programs that I could upload to my future site that would let me domain act as an SMTP server. He could not give me a specific name, however.
Based on this input, today I purchased a hosting plan and fixed IP from GoDaddy. I will in the next day or two have a site online. At that time, I may post a follow-up question to be sure I have my MX and SPF1 records correctly configured. Since the settings will be different, I think it is fair to you two to close this thread as resolved. If you are willing, please keep an eye out for a new question or two from me in the next day or so. Thanks again!!
PS - all of your answers were helpful. To make it easier, I selected one answer from each of you as the solution.
v=spf1 ip4:99.99.99.234 include:spf.secureserver.n
Does your domain list MX records?
Also, note another difference between your first record and the last one you posted: You are using -all in the first one and ~all in the 2nd. ~ means that you should accept mail from anyone although that might change at any time. - means that ONLY the listed servers are valid. So if you used your original record but just used the ~ instead, it should have passed.