Sunday, June 28, 2015

domain name system - SPF record when sending mails from two different IPs





  1. I have somedomain.com on IP 1.1.1.1


  2. I send/receive mail using Outlook connecting to mail.somedomain.com




So my DNS records for somedomain.com are the typical:



www.somedomain.com >>> A >>> 1.1.1.1
somedomain.com >>> A >>> 1.1.1.1
somedomain.com >>> MX >>> mail.somedomain.com
mail.somedomain.com >>> A >>> 1.1.1.1



But I also send some mails (directly using the PHP mail function) from another server that is on anotherdomain.com and IP 2.2.2.2.



I tried to set up an SPF record using the Microsoft wizard (the old Open SPF wizard does NOT work anymore).



The SPF created by the wizard is this:



v=spf1 a mx ip4:1.1.1.1 mx:mail.somedomain.com ip4:2.2.2.2 -all



But I get some mails returning back when sent from 2.2.2.2 with the message: SPF Failed - not authorized message



Do you know what the right SPF value is for this scenario?






EDIT 1: as asked by Minsuk Song I post the SPF failed message



This message was created automatically by mail delivery software.


A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

private@tiscali.it
SMTP error from remote mail server after MAIL FROM: SIZE=120379:
host imp-3.mail.tiscali.it [213.205.33.247]: 550 5.1.0 SPF Failed - not authorized

------ This is a copy of the message, including all the headers. ------
------ The body of the message is 116808 characters long; only the first
------ 106496 or so are included here.

Return-path:
Received: from mild by server081.mildfred.com with local (Exim 4.77)
(envelope-from )
id 1SRRp1-001a8D-8Z; Mon, 07 May 2012 13:34:07 -0400
To:
Subject: ...






EDIT 2: as correctly noticed by nickgrim, when I send mail from IP 2.2.2.2 I send it using an address that is on somedomain.com (which is on IP 1.1.1.1). The reason I do this is that in case the mail gets rejected for any reason (as happened) I get notified on an existing address.


Answer



First, the correct SPF record for your domain somedomain.com is...



somedomain.com. IN TXT "v=spf1 mx ip4:2.2.2.2 -all"


which means you will send mails only from your mail server (defined in the MX record) mail.somedomain.com or a host with IP address 2.2.2.2.




And these mails should have somedomain.com in their "HELO" or "MAIL FROM" identity during mail transactions.



Marco, would you show the mail header that returned as authorization failed?
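
An added example (not part of the original question or answer): a minimal SPF evaluator in Python, run over the two records on this page against constructed zone data copied from the question's DNS listing. It covers only the ip4, a, mx and all mechanisms, and the function and variable names are assumptions of this example.

```python
import ipaddress

# Constructed zone data mirroring the A and MX records listed in the question.
ZONE = {
    "A": {"somedomain.com": ["1.1.1.1"], "mail.somedomain.com": ["1.1.1.1"]},
    "MX": {"somedomain.com": ["mail.somedomain.com"]},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a_addrs(name):
    return ZONE["A"].get(name, [])

def _matches(mech, arg, domain, ip):
    target = arg or domain  # "a" and "mx" default to the domain being checked
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return str(ip) in _a_addrs(target)
    if mech == "mx":
        return any(str(ip) in _a_addrs(mx) for mx in ZONE["MX"].get(target, []))
    raise ValueError(f"unsupported mechanism: {mech}")

def check_host(ip, mail_from_domain, spf_records):
    """Evaluate the SPF record of the MAIL FROM domain against the connecting IP."""
    record = spf_records.get(mail_from_domain)
    if record is None:
        return "none"  # no policy published for this domain
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if _matches(mech.lower(), arg, mail_from_domain, ip):
            return RESULTS[qualifier]  # first matching mechanism decides
    return "neutral"  # nothing matched and the record has no "all"

# The two records from this page, keyed by the domain that publishes them.
WIZARD = {"somedomain.com": "v=spf1 a mx ip4:1.1.1.1 mx:mail.somedomain.com ip4:2.2.2.2 -all"}
ANSWER = {"somedomain.com": "v=spf1 mx ip4:2.2.2.2 -all"}

if __name__ == "__main__":
    for name, recs in (("wizard", WIZARD), ("answer", ANSWER)):
        for ip in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
            print(name, ip, check_host(ip, "somedomain.com", recs))
    print("anotherdomain.com", check_host("2.2.2.2", "anotherdomain.com", ANSWER))
```

Both records authorize 1.1.1.1 and 2.2.2.2 and reject 3.3.3.3 when the envelope sender is on somedomain.com. The last call returns none because the constructed data publishes no record for anotherdomain.com, which shows that the outcome depends on the domain presented in MAIL FROM.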

