Need Help Fixing SPF1 Record

MrChip2
MrChip2 used Ask the Experts™
on
Hello Experts,

I have an urgent need to fix an SPF record on one of my domains (call it mydomain.net).  This domain was recently moved from Network Solutions to GoDaddy.  I use this domain to send emails to an opt-in list.  The emails are sent using a s/w package called Gammadyne.  My office has a fixed IP address which I will say is 99.99.99.234.

Gammadyne is configured to use GoDaddy's smtp servers which are smtpout.secureserver.net.  I program my username and password and everything seems to works fine.  The problem is that virtually none of the emails are making it through.  I am getting a 30% bounce back rate with errors referring to mail loops.  I think the problem is caused by my domains' spf1 record.  It currently reads as follows:

v=spf1 mx include:secureserver.net -all

I think this means that any emails from secureserver.net are fine, but emails coming from anywhere else are bad.  I came across the "Sample Sender Policy Framework (SPF) Lookup" email tool at myiptest.com.  When I run the test I get the following error:

Received-SPF: fail (domain of mydomain.net does NOT designate 99.99.99.234 as permitted sender) client-ip=99.99.99.234

I think this is causing the email to be treated as SPAM or to get caught in an endless loop.  I want to modify the spf1 record to designate my IP address as legitimate.  GoDaddy has a tool that generates the spf1 record - but they cannot give me advice how to use it.  Using the tool, I came up with  the following:

v=spf1 a mx ptr mx:smtp.secureserver.net mx:mailstore1.secureserver.net ip4:99.99.99.234 ~all

After waiting 30 minutes I used the SPF lookup tool again and received a passing mark:  

Received-SPF: pass (Domain of mydomain.net designates 99.99.99.234 as permitted sender) client-ip=99.99.99.234

Does my new code seem right to you?  (The tool suggested that I add ptr in the code.)  Is there anything else in terms of delivery I need to be aware of to avoid mail loops or other delivery problems?

Thanks for any suggestions!!

Chip
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2004

Commented:
What your original SPF record v=spf1 mx include:secureserver.net -all  means is that any , and only, servers listed in the mx records for secureserver.net are OK. Your second one works because you're listing their servers specifically and then adding your own. So this would work too:
v=spf1 ip4:99.99.99.234 include:spf.secureserver.net -all

Does your domain list MX records?

Also, note another difference between your first record and the last one you posted: You are using -all in the first one and ~all in the 2nd. ~ means that you should accept mail from anyone although that might change at any time. - means that ONLY the listed servers are valid. So if you used your original record but just used the ~ instead, it should have passed.
Top Expert 2004

Commented:
If you have MX records listed, what are they? If they are the Go Daddy servers then simply add your own server 99.99.99.234 to the list and the simpler record should work.
MrChip2President

Author

Commented:
Hi Mike,

Thanks for your help!  I was just about to launch a campaign with the modified SPF - but have noticed that my test email that I send to myself goes to my Junk folder in Outlook.  Could the SPF record be causing this?

I never noticed that the -all on the first changed to ~all.

To answer your question, I have two MX records under the domain:

mailstore1.secureserver.net has priority of 10
smtp.secureserver.net has priority of 0

interesting, I do not see smtpout.secureserver.net which is the server I log into.

Are you suggesting I add my IP address to the MX record?
Top Expert 2004
Commented:
If you send and receive mail from your domain from that address, you should add it. If you only send mail from there but can't receive, you could put it in anyway with a low priority so that if someone tries to send mail there, it's only because there was no other server to receive it anyway.

Essentially, make sure that any servers from which receive mail from outside are listed as MX records because that's who other servers contact when there's mail to be sent. You can list anyone there whether they are in your own domain or not. SPF is using that same information to determine whether or not the sender is a legiticate source.

The spf record isn't causing Outlook to label it as junk directly, but if the sender isn't listed as an MX record, it looks like it's spoofed. I suspect that if you add your server as an MX record it will clear up.
MrChip2President

Author

Commented:
Mike - we are almost done. :)  I typed a long follow-up before I saw your post.

Is it OK to add my IP address of 99.99.99.234 to the MX record?

When I do a DNS lookup on my IP I get the following:

rrcs-99-99-99-234.west.biz.rr.com.  Should I put the rrcs in the MX record or simply the IP address?

How long does it take for this to take affect?  How can I tell it is active?
MrChip2President

Author

Commented:
Mike,

Here is the follow-up I was about to send before your last post:

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *

Hello Mike,

I have some more info.  If possible, I would rather not mess with the MX record.  I have read that it is not a good idea to put an IP address there and I am working on a short time frame to send out these emails.

I was all set to send them out except for the fact that Outlook treated it as Junk.  I cannot see why this is happening because the email is very plain and does not have any obvious SPAM words.

Here are my questions:

1).  Is my SPF record fine as it is?  

2) What about the "a" that I added?  Would it be better to remove it?

3) Should I keep the "ptr"?

4) Should I change the tilde ~all to a minus -all?

5) What do you think of the following as a simple record - would this work?

v=spf1 mx include:secureserver.net ip4:99.99.99.234 -all

I know DNS changes can take 24-48 hours to propagate the internet.  Is the same true for SPF changes?  Is the SPF information stored on various servers around the world or is it just on GoDaddy's servers?  In the past it appears changes to SPF records go online in 30 minutes or so.  Is that possible?

Thanks so much for your help!
Top Expert 2011

Commented:
What your original SPF record v=spf1 mx include:secureserver.net -all  means is that any , and only, servers listed in the mx records for secureserver.net are OK.
Actually the mx mechanism is not related to the include.  The mx mechanism says the MX records for the domain of the overall SPF record are able to send, not the MX's of secureserver.net.  If he had "mx:secureserver.net" that would be a different story.

The spf record isn't causing Outlook to label it as junk directly, but if the sender isn't listed as an MX record, it looks like it's spoofed. I suspect that if you add your server as an MX record it will clear up.
The sending server most definitely does not need to be listed as an MX for the domain.

I'm not sure why you are sending from that 99.x IP if your server is configured to use SMTP via GoDaddy, but apparently something else is happening.  If you want GoDaddy to send from your domain along with the 99.x IP, make the record like this, no need for the A or PTR mechanisms:
"v=spf1 ip4:99.99.99.234 include:secureserver.net -all"

Open in new window


I know DNS changes can take 24-48 hours to propagate the internet.  Is the same true for SPF changes?  Is the SPF information stored on various servers around the world or is it just on GoDaddy's servers?  In the past it appears changes to SPF records go online in 30 minutes or so.  Is that possible?
There is no magic 24-48 hours propagation time, that is just something service providers tell their customers so they don't complain about not getting immediate results.  All that matters is the TTL of the existing record.  If your TTL before the change was 300 (5 minutes) then all RFC compliant resolvers will have your new record in 5 minutes.  Keep in mind some large providers like Hotmail cache SPF results sometimes for up to 24 hours.
MrChip2President

Author

Commented:
Mike,

Thanks so much!  I will implement the change now and hope to test the new SPF in the next 10-15 minutes.  If it tests OK, I will launch the emails and close the question.  Would you mind checking back in about 15 minutes?

Thanks!
MrChip2President

Author

Commented:
The TTL is actually set to 1 hour :(  The shortest I can set it to is 1/2 hour,
Top Expert 2004

Commented:
1. It is for now, but if GoDaddy changes their mail servers then it won't be anymore. Better to just say "any servers from secureserver.net" since that's really your goal. But do verify that the MX records, which tell others where to send your incoming mail, are actually used for sending your outgoing mail. Otherwise use the individual servers that you know are correct.

2. I would take out the A because you're saying that any A record from secureserver.net is OK, and it isn't. You only want to check MX records plus the one you're adding.

3. According to spf.org: "If at all possible, you should avoid using this mechanism in your SPF record, because it will result in a larger number of expensive DNS lookups."

4. If those are the only servers that should be sending mail from your domain, yes.

5. Looks good.

In regards to your later/earlier question about adding the MX record, you can use the hostname or the IP but the host name is better as long as looking up the IP resolves to the host name and vice versa.

The records propagate like any other DNS record. It can take 24-48 hours globally but that doesn't mean that it will take that long to the place you're testing from.
Top Expert 2004

Commented:
Papertrip, thanks for the clarifications :-)
MrChip2President

Author

Commented:
Hello,

I have been running a few last minute SPF tests and came across one fail.  See the image below.  Do I need to also add these IP addresses to my list of allowed IPs, or is this just because I need to wait a little longer for everything to propagate.  Strange how both IP addresses are from secureserver.net - yet one passed an one failed. Failed DNSStuff Mail Server Test
Top Expert 2011
Commented:
That is because mailstore1.secureserver.net is not in the SPF record for secureserver.net.  I see that test is using the MX records for your domain.  The MX records are not related to sending.  As long as mailstore1.secureserver.net is not sending mail for you (sounds like an incoming SMTP server) then you do not need to include it in your SPF.  The error in that pic is misleading and incorrectly assumes a domains MX's are also their sending servers.

Use http://www.kitterman.com/spf/validate.html instead to test validity and syntax of a domains SPF record.
MrChip2President

Author

Commented:
Papertrip,

Thanks for pointing out the error of that test.  I have been using Kitterman as one of several test sites.  I did as you asked and received mixed results.  I think I passed the first and the third test, but failed the middle.  Here are screen shots of the three tests.  Did I do something wrong on the middle test?

I really appreciate your patience in helping me with this.  I need to get this straightened out this morning so I do not miss a deadline sending emails.  Part of me is tempted to just get rid of the SPF1 record completely.  (j/k mostly).  I hope this is something I am doing wrong and my record is fine.

Is there any way I could email you or private message you the actual domain info so you could test it?  I do not want to post it online for all to see.  
Kitterman Test 1 - Does my domain already have an SPF record? What is it? Is it valid?
Kitterman Test 2 - Is this SPF record valid - syntactically correct?
Kitterman Test 3- Test an SPF record
Top Expert 2004

Commented:
A suggestion for you so that you can continue to work on this while sending emails: Instead of -all, use ~all.  This tells servers to "soft fail" an invalid server: this means, pass you but mark the server as possibly not bing valid later. The benefit is that SPF testing will show you whether you should have passed or failed, without your mail being interrupted.

BTW I looked at our own SPF records, and we list 3 servers in 3 separate records, no MX records.
MrChip2President

Author

Commented:
Mike,

That is an interesting idea.  I am sending the emails to F500 companies.  Do you think a soft-fail will likely get rejected or routed to SPAM?  I will make the change now, wait a little  and test it out with a small sample.

Would it be possible to post your SPF records with any sensitive info redacted so I can see the format?  I did not know that you can have multiple records.
MrChip2President

Author

Commented:
Update - in the process of sending out 100 now.  I should have results in the next 30-60 minutes.  Fingers are crossed. :)
Top Expert 2004

Commented:
I don't know how you do this in GoDaddy, but in our BIND 9.7.x db file (our DNS server), we have 3 SPF records:
company.com.       IN      TXT     "v=spf1 mx include:service.differentcompany.com -all"
smtp1           IN      TXT     "v=spf1 a -all"
smtp2           IN      TXT     "v=spf1 a -all"

The first one is a contracted third party who sends out mail on our behalf.
MrChip2President

Author

Commented:
Thank you both for all of your help with this.  Since my last post I had the chance to talk to the developer of Gammadyne over the phone.  He pointed out two potential problems with my set-up:

1.  If you enter mydomain.net in your address bar, you get nothing but a timeout message.  This is because I do not have a website for this domain.  He said I should have a website with a fixed IP and be sure that my IP address resolves to the website on a reverse DNR search.

2. He also said it would be preferable if emails that come from user@mydomain.net used smtp servers that were on the same domain - such as smtp.mydomain.net.  This is not something that GoDaddy supports directly.  My contact said there are third party programs that I could upload to my future site that would let me domain act as an SMTP server.  He could not give me a specific name, however.

Based on this input, today I purchased a hosting plan and fixed IP from GoDaddy.  I will in the next day or two have a site online.  At that time, I may post a follow-up question to be sure I have my MX and SPF1 records correctly configured.  Since the settings will be different, I think it is fair to you two to close this thread as resolved.  If you are willing, please keep an eye out for a new question or two from me in the next day or so.  Thanks again!!

PS - all of your answers were helpful.  To make it easier, I selected one answer from each of you as the solution.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial