SPF record question

Red Squirrel

I want to add SPF records to my mail server in hopes I will not get marked as spam as much because it seems every server is marking mail from that server as spam. Can't figure out why. I'm clean of all RBLs.

So I went to a site that generates the record and came up with this:

Code:
mail.mysite.net. IN TXT "v=spf1 a a:mail.example.com a:mail.mysite.net ~all"

mail.mysite.net is my mail server. The mx record of all my domains points to that.

Do I add this record in the zone for mysite.net only or do I need to add this record in all my other zones too?

For example I use mail.example.com to send mail from myotherdomain.com, so do I need to add the SPF record on the zone for myotherdomain.com as well?
 
Where is your mailserver?
Are you running it at Home ISP, Business ISP, DataCenter, Colo'd Server etc?
Do you have Reverse DNS setup?
What reasoning is your email flagged as spam?
Have you seen any Message headers from flagged emails?
 
The mail server is leased at a data center. There are never any special headers, it just says spam. At work it says [BULK] (Barracuda) while gmail used to mark it as spam but now I think it learned, but that does not mean much as someone else with gmail would also end up in the spam folder.

The mail server is mail.iceteks.net. There is a reverse DNS setup as well. Even if I send from that server (ex: using the mail command) it gets marked as spam by most systems.
 
You'll want to analyze the header of an email that got marked as spam. Typically you'll find a clue as to why it was marked in that.
 
Is there a test email somewhere I can send an email to and it returns a result on any flags that would mark me as spam?

I guess I could ask the guys at work to check the barracuda logs too.
 
rDNS looks good, banner looks good, not an open relay, no blacklists


You really want an SPF record that works (the one you pasted doesn't) and a DKIM record if you're serious about sending mail more than like 10 messages a day.
Also, your SPF should be at the root of the domain like so:

(assuming you want to send/receive email at username@iceteks.net)
(assuming that mail.iceteks.net is the MX record for iceteks.net and is the only allowed sender for the domain)

Code:
iceteks.net. IN TXT "v=spf1 mx ~all"
 
mxtoolbox tests seem to return ok.

Found an SPF test email and it fails the test.

How does the one you posted work? It does not have any allowed IP/hosts in it? In addition to sending from that server, I also send from my ISP's smtp server (replaced with mail.example.com)

Also what do I do for iceteks.com and my other domains, do I need to put a SPF record in all of those zones as well? That's the part I'm mostly confused about, if I need to do it for each zone or not.
 
> mxtoolbox tests seem to return ok.
>
> Found an SPF test email and it fails the test.
>
> How does the one you posted work? It does not have any allowed IP/hosts in it? In addition to sending from that server, I also send from my ISP's smtp server (replaced with mail.example.com)

the "mx" means the mx record is allowed to send mail.

you need to add "include:whateverthemailserverfortheisp.com" in as well to the SPF.

I see you already moved the SPF from the mail subdomain to the root.


> Also what do I do for iceteks.com and my other domains, do I need to put a SPF record in all of those zones as well? That's the part I'm mostly confused about, if I need to do it for each zone or not.

If you're using the mail.iceteks.net server as the MX record and to send mail (and the smtp server for the ISP), you can just use the same value for the TXT record for the other domains.

Each domain sending mail will probably want an SPF. Barracuda is ridiculously paranoid.
 
Ok cool, so does this look good?

iceteks.net. IN TXT "v=spf1 mx include:shared2.iceteks.net include:smtp1.symptaico.ca ~all"

(using actual values)

I should apply that same record to iceteks.com and all my other zones too though correct? Or is there a way I can refer to it so if I make a change I don't need to make it everywhere? Or does Bind support some kind of include directive where I can just put that line in a file separately? There's always the possibility that I add more domains in the future.

Also can I replace those hostnames with IPs? It would probably cut down on the lookups.

Also is there any disadvantage to putting -all instead of ~all? That will be a deny instead of a softfail.
 
For the iceteks.net TXT record, use a:shared2.iceteks.net -- everywhere else include:shared2.iceteks.net

you can only use a: if the target is in the same zone. include: has to be used for targets not in the same zone.

using IP versus name is the difference between one single lookup, which takes at most maybe half a millisecond of CPU time, and probably 100ms for the receiving server to check.

Bind doesn't do that sort of include directive, no.

These are the pitfalls of running your own DNS ... but .. come on, it's one TXT record :-p


oh, and check the spelling on sypatico.ca
 
Oh ok, so in iceteks.net I'd do

iceteks.net. IN TXT "v=spf1 mx a:shared2.iceteks.net include:smtp1.symptatico.ca ~all"

And the other zones else I'd do the same thing but use include instead of a?

And yeah I had noticed that typo and fixed it. In fact I need to double check if that's even the right host. It's where I send my mail to but it could be coming out somewhere else so I'll check that on my own some time.

Thanks for your help, I'm starting to learn more about this.
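
Added example (not part of any post in this thread): a minimal Python evaluator for the SPF mechanisms discussed above (`mx`, `a:`, `include:`, `ip4:`, `all`), following RFC 7208 and run against a constructed in-memory zone. It shows which domain's record is consulted, what `include:` does when its target publishes no SPF record of its own, and how many DNS-querying terms a check uses. The TEST-NET addresses, `isp.example` and all record contents are assumptions, not real DNS data.

```python
import ipaddress

# Constructed zone data (TEST-NET addresses), not any domain's real records.
TXT = {
    "iceteks.net": "v=spf1 mx a:shared2.iceteks.net include:isp.example ~all",
    "iceteks.com": "v=spf1 mx include:shared2.iceteks.net ~all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "mail.mysite.net": "v=spf1 a ~all",  # published on the host, not the domain
}
MX = {d: ["mail.iceteks.net"] for d in ("iceteks.net", "iceteks.com")}
A = {"mail.iceteks.net": ["192.0.2.10"], "shared2.iceteks.net": ["192.0.2.20"]}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, used=None):
    """Evaluate SPF for `ip` sending as @domain; return (result, dns_terms_used)."""
    used = [0] if used is None else used  # counter shared across includes
    record = TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none", used[0]
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        if mech in ("a", "mx", "include"):
            used[0] += 1  # RFC 7208 allows at most 10 such terms per check
            if used[0] > 10:
                return "permerror", used[0]
        if mech == "all":
            hit = True
        elif mech == "ip4":  # literal network, no DNS query needed
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif mech == "a":
            hit = ip in A.get(target, [])
        elif mech == "mx":
            hit = any(ip in A.get(h, []) for h in MX.get(target, []))
        elif mech == "include":  # target must publish its own SPF record
            sub = check_host(ip, target, used)[0]
            if sub in ("none", "permerror"):
                return "permerror", used[0]
            hit = sub == "pass"
        else:
            return "permerror", used[0]
        if hit:
            return QUALIFIER[qual], used[0]
    return "neutral", used[0]

if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "iceteks.net"), ("203.0.113.5", "iceteks.net"),
                    ("192.0.2.10", "mysite.net"), ("203.0.113.5", "iceteks.com")]:
        print(ip, dom, check_host(ip, dom))
```

In this constructed zone the `iceteks.com` record passes for mail leaving the MX, because `mx` matches before `include:` is reached, and returns `permerror` for any other source address.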
 
An SPF Record will help, but isn't necessarily a cure-all. It sounds like you are stabbing in the dark for a solution before truly understanding the problem.

Find someone that has had a message from you flagged as spam. Have them open the message header and copy/paste it back to you. Typically in the header there will be evidence as to WHY that specific message was flagged. Almost every Spam filter the message travels through will place its mark in the header, usually with an "X-" record. That will give you a specific reason why the message was flagged. There are many different Spam filters and each uses different records. You just have to decipher them. Below are just a few VERY Basic examples.

Examples of header info:

Code:
Postini's Filter:
X-pstn-levels:     (S: 0.00000/65.85084 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:95.5423 C:98.6951 )
Message-ID: <xxxxxxxxxxxxxxxxxxxxxxxxxxx@psmtp.com>
X-pstn-settings: 5 (2.0000:2.0000) S cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <Sender@Sender'sDomain.com> forward (user good) [3523/138]

Code:
Exchange 2010's in-built AntiSpam:
X-MS-Exchange-Organization-AuthSource: LocalExchangeSvr
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: Sender'sDomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (Exch2010.seagrp.local: domain of Sender@Sender'sDomain.com
 designates SendingMailServerIP as permitted sender) receiver=LocalExchangeSvr;
 client-ip=SendingMailServerIP; helo=SendingMailServerHostName;
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.10018.490;SID:SenderIDStatus Pass;OrigIP:SendingMailServerIP

Take a look at the headers that you are sent to determine WHY you were flagged as spam and concentrate on those reasons first.
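
Added example (not part of the post above): a small Python triage function that pulls the verdicts out of headers like the Exchange ones shown, including a `Received-SPF` value folded across several lines. The sample message, hostnames and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed message for illustration; hostnames and addresses are made up.
RAW = (
    "Received-SPF: SoftFail (mx.recipient.example: domain of\n"
    " sender@iceteks.net does not designate 192.0.2.99 as permitted sender)\n"
    " receiver=mx.recipient.example; client-ip=192.0.2.99;\n"
    " helo=mail.iceteks.net;\n"
    "X-MS-Exchange-Organization-SCL: 6\n"
    "X-MS-Exchange-Organization-SenderIdResult: SoftFail\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def triage(raw):
    """Summarise the anti-spam verdicts recorded in a message's headers."""
    msg = message_from_string(raw, policy=default)
    report = {"spf": [], "scl": None, "filter_headers": []}
    # One Received-SPF header may be added per receiving hop.
    for value in msg.get_all("Received-SPF", []):
        text = " ".join(str(value).split())  # collapse folded continuation lines
        ip = re.search(r"client-ip=([0-9A-Fa-f.:]+)", text)
        helo = re.search(r"helo=([^;\s]+)", text)
        report["spf"].append({
            "result": text.split()[0].lower(),
            "client_ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
        })
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    if scl is not None:
        report["scl"] = int(str(scl).strip())
    # Every X- header is a candidate filter stamp worth reading by hand.
    report["filter_headers"] = sorted(
        name for name in msg.keys() if name.lower().startswith("x-"))
    return report

if __name__ == "__main__":
    print(triage(RAW))
```

The `client_ip` field is the address the receiver actually saw, which is the value to compare against the sending domain's SPF record on a multi-IP server.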
 
Well SPF record is one thing that is needed and I never had, so I want to at least get that part down pat and done right, and then go from there.
 
Yeah, unless your e-mail is FAILING an SPF check (which won't happen if you don't have a SPF record), SPF won't cause you spam classification issues. It's not a bad idea to have a record, but it probably won't fix the underlying issue.
 
> Oh ok, so in iceteks.net I'd do
>
> iceteks.net. IN TXT "v=spf1 mx a:shared2.iceteks.net include:smtp1.symptatico.ca ~all"
>
> And the other zones else I'd do the same thing but use include instead of a?
>
> And yeah I had noticed that typo and fixed it. In fact I need to double check if that's even the right host. It's where I send my mail to but it could be coming out somewhere else so I'll check that on my own some time.
>
> Thanks for your help, I'm starting to learn more about this.

You got it.

DNS is easy, DNS is sexy. :D
 
Cool glad to know I'm on the right track.

It turns out my ISP has quite a few outbound SMTP servers so I decided against this. Instead I just put my IP address in the relay allow list and I just relay my mail straight to my server. Kinda dirty, but it will do for now. I want to look at SMTP authentication in the future.

So if I add this for all my domains I should be good then right?:

v=spf1 mx ~all

I also ensured that postfix is sending email from the IP of the MX (multi IP server).

For some reason my work email is still marking mail from me as spam, but I'm starting to wonder if it's my work's filter that's the problem.
 
If it's all only going through the MX then that's fine.

Spam marking is going on for a different reason. It can be because they have no idea what they're doing, and I'm willing to bet that's it.

Good luck with it though. Getting corporate monkeys to change anything with email is worse than trying to cure cancer.
 
That's what I'm starting to think. Maybe they are checking against an RBL that no longer exists or something, I've heard that can cause issues especially if someone else picked up the domain and it resolves.

I'll setup a separate gmail and yahoo etc and test with those too, if it's just my work then I'm not really that worried, as long as I know that if I send out emails people actually get them.
 
Looks like I'm STILL getting blocked. What gives? This is getting retarded.

So I can't send any email to hotmail users apparently, this is the bounceback I get:

Code:
This is the mail system at host mail.iceteks.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<leafman1611@hotmail.com>: host mx3.hotmail.com[65.55.37.120] said: 550 SC-001
    (COL0-MC4-F41) Unfortunately, messages from 96.45.178.190 weren't sent.
    Please contact your Internet service provider since part of their network
    is on our block list. You can also refer your provider to
    http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL
    FROM command)



Reporting-MTA: dns; mail.iceteks.net
X-Postfix-Queue-ID: 1424916B063C
X-Postfix-Sender: rfc822; *removed*iceteks.com
Arrival-Date: Thu,  7 Jul 2011 19:37:48 -0400 (EDT)

Final-Recipient: rfc822; *removed*
Original-Recipient: rfc822;*removed*
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx3.hotmail.com
Diagnostic-Code: smtp; 550 SC-001 (COL0-MC4-F41) Unfortunately, messages from
    96.45.178.190 weren't sent. Please contact your Internet service provider
    since part of their network is on our block list. You can also refer your
    provider to http://mail.live.com/mail/troubleshooting.aspx#errors.

The section for 550 SC-001 says:

Code:
Mail rejected by Windows Live Hotmail for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation. If you are not an email/network admin please contact your Email/Internet Service Provider for help.

What?! What exactly would cause "spam like characteristics"? I setup SPF, reverse DNS, what else can I do?

Trying to find a contact for MS is like pulling teeth. Searched for about an hour to no avail, so I'm hoping it's just something I missed with the SPF record.
 
Thanks, I'll try that and see how it goes.

Is there some kind of master unblock list out there? How do the big companies that run their own mail servers do it? Do I really have to manually get unblocked on every single server? I'm guessing the previous owner of my IP was a spammer or something.
 
Most use spamhaus or their service provider's block list. You're not in spamhaus so you're probably good for a big chunk of smtp servers.
 
Good to know, guess I just have to worry about the bigger guys like MS that might have their own setup.

Google seems to be accepting my mail now too. Hopefully I can now keep this record clean. I do have an occasional mail list I send out so hopefully if it happens to hit someone who no longer wants it, they'll unsubscribe and not report me.
 
man we had to implement a SPF record a year ago or so because we are using postini to scan our emails before getting to our mail server. Everything is working now though...
 
Yeah I'm not on any of the blacklists on mxtoolbox.

Though I just noticed something weird, do a mx lookup on mail.iceteks.net, and the result is basically the header section of the DNS record, instead of getting the IP. Seems kinda odd, wonder if I have a typo somewhere.
 
Because mail.iceteks.net isn't a subdomain, it's a host, so the DNS server returns the SOA record for iceteks.net. Your mx record for iceteks.net appears fine.
 
mxtoolbox.com returns an error as well. The A and MX are the same IP, is that maybe why?
 
The second one. iceteks.com and a few other domains too, but the MX for those domains also point to mail.iceteks.net.

Wait ok I see what you're saying, I'm supposed to lookup iceteks.net not mail.iceteks.net, when I do a MX lookup. Brain fart.
 