SPF softfail in Gmail

I need to add an SPF record to avoid spoofing and I use register.com as DNS provider. They told me to add the following into the TXT record.

@     "v=spf1 include:spf.registeredsite.com ~all"

I did that. When I sent a test mail to my Gmail account, the mail went through but the header showed me it has a softfail and the error message is as follows:

spf=softfail (google.com: domain of transitioning me@mysite.com does not designate 192.168.0.1 as permitted sender) smtp.mailfrom=me@mysite.com;

For your information, my A record is the following:

*.mysite.com        10.10.0.1     <- webserver
mail.mysite.com      192.168.0.1   <- emailserver

Note: Please pardon that the email address and IP addresses in this post are not real, for security reasons.
johnyu1997 Asked:
Jackie Man (IT Manager) Commented:
You need to create a new TXT record and add that specific IP (say 192.168.0.1) as a permitted sender.

The TXT record will look something like this:

"v=spf1 ip4:192.168.0.1 ~all"

Source: http://www.x-pose.org/2013/10/22/how-to-designate-an-ip-address-as-permitted-sender/
johnyu1997 (Author) Commented:
What is v=spf1 include:spf.registeredsite.com ~all for?  Do I need to delete it?
johnyu1997 (Author) Commented:
Can I use v=spf1 include:mail.mysite.com ~all instead then I don't have to mess with the ip address?
Dr. Klahn (Principal Software Engineer) Commented:
Side note:  Unless you have a static IP, an ongoing valid SPF is problematic.  I found a better solution is to send through an SMTP relay service such as SMTP2Go and use the relayer's outgoing IP address / CIDR block in my SPF record.

Then you have solid and valid SPF, plus the relaying MTA usually does spam-checking on the outgoing messages to make sure that they (a) aren't and (b) don't look like spam.  Most relayers will relay a couple thousand messages a month for free, and for a few fractions of a cent above that.
btan (Exec Consultant) Commented:
There is a need to add the mail server IP to the TXT record, and the example below assumes I am using railgun as my email server. For your case it is mysite.com.

v=spf1 ip4:xxx.xxx.xxx.xxx include:mailgun.org ~all

Likewise, if you are sending using a Gmail address, you should send using the Gmail SMTP servers. So, if you are sending using a Gmail address, you should send using the Gmail SMTP servers.
Dr. Klahn (Principal Software Engineer) Commented:
... and (side issue again) choose a relaying MTA carefully, and before you sign on with them go out and google around to see if that MTA has a reputation as a spam source.  For example (nudges and winks at btan) over the past few years I've seen so much spam emanating from mailgun CIDR blocks that I perma-blocked them all using iptables.
Mal Osborne (Alpha Geek) Commented:
"What is v=spf1 include:spf.registeredsite.com ~all for?  Do I need to delete it?"

The Include  mechanism means to look up the SPF record of another domain, and add their allowed mail senders to yours. If you use registeredsite.com's mail servers, then this is one way to ensure that mail from your domain is allowed. That way, if registeredsite.com changes the IPs of their outgoing mail servers, you don't need to do anything.

If you don't use registeredsite.com's email servers, then you should not have include:spf.registeredsite.com there.

"Can I use v=spf1 include:mail.mysite.com ~all instead"
No. That would be saying use the SPF record for your own domain, which would probably be a recursive loop.
If you send and receive email on the same IP, you can use the MX mechanism, this means that email can be expected to be sent from the same IP address it arrives on. In that case, your record might read "v=spf1 MX:mysite.com ~all"


You might also want to end the SPF record with -all rather than ~all, once it is all confirmed OK.  ~all is a "softfail", meaning that you are still configuring and testing SPF, and it should be ignored for now. -all means email from IPs other than those already covered is expected to be spam.


The format of an SPF record is not all that complex, if you follow the links below you can probably make sense of it all.

https://en.wikipedia.org/wiki/Sender_Policy_Framework
http://www.openspf.org/
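
The records discussed in this thread, evaluated by a small added example (not code from any poster): a simplified SPF check that handles only `ip4`, `a`, `mx`, `include` and `all`. The zone data is constructed; the `203.0.113.0/24` range for spf.registeredsite.com and the MX entry for mysite.com are assumptions, and the addresses are the placeholders used in the question.

```python
import ipaddress

# Constructed zone data standing in for DNS (all names and addresses are placeholders).
ZONE = {
    "TXT": {
        "mysite.com": "v=spf1 include:spf.registeredsite.com ~all",
        "spf.registeredsite.com": "v=spf1 ip4:203.0.113.0/24 -all",  # assumed range
    },
    "MX": {"mysite.com": ["mail.mysite.com"]},
    "A": {"mail.mysite.com": ["192.168.0.1"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, zone=ZONE, depth=0):
    """Evaluate ip4, a, mx, include and all for `domain` against sender `ip`."""
    record = zone["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:  # loop guard; RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = (QUALIFIERS[term[0]], term[1:]) if term[0] in QUALIFIERS else ("pass", term)
        name, _, arg = mech.partition(":")
        name = name.lower()  # mechanism names are case-insensitive
        if name == "all":
            return qualifier
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in zone["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = zone["MX"].get(arg or domain, [])
            matched = any(ip in zone["A"].get(h, []) for h in hosts)
        elif name == "include":
            inner = check_spf(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # include target has no usable SPF record
            matched = inner == "pass"
        else:
            return "permerror"  # term not handled by this simplified evaluator
        if matched:
            return qualifier
    return "neutral"

def with_record(record, domain="mysite.com"):
    """Return a copy of ZONE with the TXT record for `domain` replaced."""
    return dict(ZONE, TXT=dict(ZONE["TXT"], **{domain: record}))
```

With this data the original record gives `softfail` for 192.168.0.1 because only the included provider's range matches, while adding `ip4:192.168.0.1` or `mx` gives `pass`.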

David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
You'd think this would be simple. More complex than you might imagine.

Provide your actual domain name + someone can test your SPF + DKIM + DMARC records for you.

Better to test + know, than guess.
johnyu1997 (Author) Commented:
Thank you to Mal Osborne!  Perfect solution and well explained.