Spf softfail in gmail

johnyu1997
I need to add a spf record to avoid spoofing and I use register.com as dns provider. They told me to add the following into the txt record.

@     "v=spf1 include:spf.registeredsite.com ~all"

I did that. When I sent a test mail to my gmail account, the mail went through but the header showed me it has a softfail, and the error message is as follows:

pf=softfail (google.com: domain of transitioning me@mysite.com does not designate 192.168.0.1 as permitted sender) smtp.mailfrom= me@mysite.com;

For your information, my A record is the following:

*.mysite.com        10.10.0.1     <- webserver
mail.mysite.com      192.168.0.1   <- emailserver

Note: Please pardon that the email address and IP addresses in this post are not real, for security reasons.
Jackie Man, IT Manager
Top Expert 2010

Commented:
You need to create a new TXT record and add that specific IP (say 192.168.0.1) as a permitted sender.

The TXT record will look something like this:

"v=spf1 ip4:192.168.0.1 ~all"

Source: http://www.x-pose.org/2013/10/22/how-to-designate-an-ip-address-as-permitted-sender/

Author

Commented:
What is v=spf1 include:spf.registeredsite.com ~all for?  Do I need to delete it?

Author

Commented:
Can I use v=spf1 include:mail.mysite.com ~all instead then I don't have to mess with the ip address?
Dr. Klahn, Principal Software Engineer

Commented:
Side note:  Unless you have a static IP, an ongoing valid SPF is problematic.  I found a better solution is to send through an SMTP relay service such as SMTP2Go and use the relayer's outgoing IP address / CIDR block in my SPF record.

Then you have solid and valid SPF, plus the relaying MTA usually does spam-checking on the outgoing messages to make sure that they (a) aren't and (b) don't look like spam.  Most relayers will relay a couple thousand messages a month for free, and for a few fractions of a cent above that.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
There is a need to add the mail server IP to the TXT record, and the below assumes I am using mailgun as my email server. For your case it is mysite.com.

v=spf1 ip4:xxx.xxx.xxx.xxx include:mailgun.org ~all

Likewise, if you are sending using a Gmail address, you should send using the Gmail SMTP servers.
Dr. Klahn, Principal Software Engineer

Commented:
... and (side issue again) choose a relaying MTA carefully, and before you sign on with them go out and google around to see if that MTA has a reputation as a spam source.  For example (nudges and winks at btan) over the past few years I've seen so much spam emanating from mailgun CIDR blocks that I perma-blocked them all using iptables.

"What is v=spf1 include:spf.registeredsite.com ~all for?  Do I need to delete it?"

The include mechanism means to look up the SPF record of another domain, and add their allowed mail senders to yours. If you use registeredsite.com's mail servers, then this is one way to ensure that mail from your domain is allowed. That way, if registeredsite.com changes the IPs of their outgoing mail servers, you don't need to do anything.

If you don't use registeredsite.com's email servers, then you should not have include:spf.registeredsite.com there.

"Can I use v=spf1 include:mail.mysite.com ~all instead"

No. That would be saying use the SPF record for your own domain, which would probably be a recursive loop.

If you send and receive email on the same IP, you can use the MX mechanism; this means that email can be expected to be sent from the same IP address it arrives on. In that case, your record might read "v=spf1 MX:mysite.com ~all"


You might also want to end the SPF record with -all rather than ~all, once it is all confirmed OK.  ~all is a "softfail", meaning that you are still configuring and testing SPF, and it should be ignored for now. -all means email from IPs other than those already covered is expected to be spam.


The format of an SPF record is not all that complex, if you follow the links below you can probably make sense of it all.

https://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.openspf.org/
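To make the mechanisms discussed in this thread concrete, here is a small offline SPF evaluator (added example, not code from the thread or from any SPF library). It models RFC 7208's check_host() for the ip4, mx, include and all mechanisms against a constructed DNS table: the mysite.com MX and A records from the question, plus an invented SPF record for spf.registeredsite.com. It reproduces the softfail Gmail reported for the original record, the pass for the ip4 and MX variants, and shows that an include of your own domain runs into the 10-lookup limit (permerror) rather than authorising anything.

```python
import ipaddress

# Constructed DNS data modelled on the question; the contents of the
# spf.registeredsite.com record are invented for this example.
DNS = {
    "mysite.com": {"MX": ["mail.mysite.com"]},
    "mail.mysite.com": {"A": ["192.168.0.1"]},
    "spf.registeredsite.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, dns, lookups=None):
    """Simplified check_host(): ip4, mx, include, all; lookups shared across includes."""
    lookups = lookups if lookups is not None else [0]
    txts = dns.get(domain, {}).get("TXT", [])
    record = next((t for t in txts if t.split()[0].lower() == "v=spf1"), None)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name in ("mx", "include"):
            lookups[0] += 1
            if lookups[0] > 10:          # an include of your own domain ends here
                return "permerror"
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":               # hosts named in MX, resolved to their A records
            hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(ip in dns.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":          # matches only if the included record says pass
            sub = check_host(ip, arg, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"       # included domain publishes no usable SPF
            matched = sub == "pass"
        else:
            return "permerror"           # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no 'all' term

def result_for(record, ip, domain="mysite.com"):
    """Evaluate sender ip against a candidate record published at domain."""
    dns = dict(DNS)
    dns[domain] = dict(DNS.get(domain, {}), TXT=[record])
    return check_host(ip, domain, dns)
```

Run result_for() with the record you intend to publish and the IP your mail server actually connects from; a real receiver does the same lookups, only against live DNS.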
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You'd think this would be simple. More complex than you might imagine.

Provide your actual domain name + someone can test your SPF + DKIM + DMARC records for you.

Better to test + know, than guess.

Author

Commented:
Thank you to Mal Osborne!  Perfect solution and well explained.
