When I send emails from my application I am getting a spf neutral error. I have been working with Google and my hosting company, but none of them can figure it out. Below is my spf record.
"v=spf1 include:s920.tmd.cloud include:mx1.tmdhosting.com include:mx2.tmdhosting.com ip4:184.154.73.81 ip4:108.178.0.170 ip4:198.143.161.162 ip4: include:_spf.google.com ~all"
Below is a snip of the email meta data.
ARC-Authentication-Results: i=1; mx.google.com;
dkim=temperror (no key for signature) header.i=@holyfirepublishing.com header.s=default header.b=HRuHEiL6;
spf=neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) smtp.mailfrom=publisher@holyfirepublishing.com
Return-Path:
Received: from mx1.tmdhosting.com (mx1.tmdhosting.com. [108.178.0.170])
by mx.google.com with ESMTPS id b67-v6si3713737ioj.9.2018.04.28.17.31.24
for
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sat, 28 Apr 2018 17:31:24 -0700 (PDT)
Received-SPF: neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) client-ip=108.178.0.170;
Authentication-Results: mx.google.com;
dkim=temperror (no key for signature) header.i=@holyfirepublishing.com header.s=default header.b=HRuHEiL6;
spf=neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) smtp.mailfrom=publisher@holyfirepublishing.com
Received: from [184.154.73.81] (helo=s920.tmd.cloud) by mx1.tmdhosting.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1fCaFP-0005U5-6t for test@holyfirepublishing.com; Sat, 28 Apr 2018 19:31:24 -0500
I can really use some help building my spf record.
Thanks in advance.
Answer
Your IN SPF "v=spf1 include:s920.tmd.cloud include:mx1.tmdhosting.com include:mx2.tmdhosting.com ip4:184.154.73.81 ip4:108.178.0.170 ip4:198.143.161.162 ip4: include:_spf.google.com ~all"
has several problems.
- Use `TXT` instead of `SPF` (RFC 7208, 3.1).
- In general, you should avoid multiple includes as there is a maximum amount of DNS queries per SPF check. For the same reason, direct `ip4` and `ip6` directives are always the best.
- Here, you have includes that don't contain SPF records. They should probably use `a` mechanism, instead. Only "include" existing SPF records.
- You should list a server only once, preferably using `ip4`. As `s920.tmd.cloud A 184.154.73.81`, `mx1.tmdhosting.com A 108.178.0.170` & `mx2.tmdhosting.com A 198.143.161.162`, the `a` mechanisms from the previous can be removed.
- The empty `ip4:` is a syntax error.
- While `+` for `Pass` is the default qualifier, I find it easier for beginners to use it to avoid confusion with the `exists`/`include` mechanisms and `redirect`/`exp` modifiers that don't have qualifiers.
We can assume you have the rest as you desire:
- The results suggest that at least the MX `108.178.0.170` is used for outgoing mail, so probably the three IP addresses are ok.
- The last `include` allows Gmail. Let's just assume you are using it for this domain.
- `~all` soft fail for rest. I agree that you shouldn't use (hard) fail before you have more experience with SPF and can be sure it won't cause any problems.
Result:
IN TXT "v=spf1 +ip4:184.154.73.81 +ip4:108.178.0.170 +ip4:198.143.161.162 include:_spf.google.com ~all"
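
The checks from the answer above, as an added example that is not part of the original post: a small Python linter that flags an empty `ip4:`, an `include` whose target publishes no SPF record, and an `a` term already covered by an `ip4` term, and counts DNS-querying terms. `lint_spf` is a hypothetical helper name, and DNS is replaced by a constructed `ZONE` table (the A records are those quoted in the answer; the `_spf.google.com` TXT value is a placeholder).

```python
import ipaddress

# Constructed stand-in for DNS so the check runs offline. The A records are the
# ones quoted in the answer; the _spf.google.com TXT value is a placeholder.
ZONE = {
    ("s920.tmd.cloud", "A"): ["184.154.73.81"],
    ("mx1.tmdhosting.com", "A"): ["108.178.0.170"],
    ("mx2.tmdhosting.com", "A"): ["198.143.161.162"],
    ("_spf.google.com", "TXT"): ["v=spf1 ~all"],
}
# Terms that cost a DNS query each; RFC 7208 section 4.6.4 allows 10 per check.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

def lint_spf(record, zone=ZONE):
    """Return (findings, dns_lookups); lookups count this record's own terms only."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"], 0
    parsed, nets, findings = [], [], []
    for term in terms[1:]:  # first pass: split terms, collect literal networks
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        parsed.append((term, name.lower(), arg))
        if name.lower() in ("ip4", "ip6"):
            try:
                nets.append(ipaddress.ip_network(arg, strict=False))
            except ValueError:
                findings.append(f"{term!r}: syntax error, no valid address")
    lookups = sum(1 for _, name, _ in parsed if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms, limit is 10")
    for term, name, arg in parsed:  # second pass: checks that need DNS data
        if name == "include" and not any(
                t.lower().startswith("v=spf1") for t in zone.get((arg, "TXT"), [])):
            findings.append(f"{term!r}: target publishes no SPF record")
        elif name == "a":
            addrs = [ipaddress.ip_address(a) for a in zone.get((arg, "A"), [])]
            if addrs and all(any(a in n for n in nets) for a in addrs):
                findings.append(f"{term!r}: already covered by an ip4/ip6 term")
    return findings, lookups

ORIGINAL = ("v=spf1 include:s920.tmd.cloud include:mx1.tmdhosting.com "
            "include:mx2.tmdhosting.com ip4:184.154.73.81 ip4:108.178.0.170 "
            "ip4:198.143.161.162 ip4: include:_spf.google.com ~all")
FIXED = ("v=spf1 +ip4:184.154.73.81 +ip4:108.178.0.170 +ip4:198.143.161.162 "
         "include:_spf.google.com ~all")

if __name__ == "__main__":
    for rec in (ORIGINAL, FIXED):
        print(lint_spf(rec))
```

Against live DNS, the `ZONE` lookups would be replaced by real TXT and A queries, and nested `include` records would add to the lookup count.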