Proper TXT record for domain and gmail server.

On emails sent from phpMailer through gmail I'm getting:

Received-SPF: none (domain of oiyc.org does not designate permitted sender hosts)

In my TXT record I have:

Name: google Value: v=spf1 include:_spf.google.com ~all

Name: oiyc Value: v=spf2 include:spf.oiyc.org ~all

Or would this be better?

v=spf1 include:_spf.google.com include:spf.oiyc.org ~all

host -t TXT oiyc.org

oiyc.org has no TXT record.

I have entries for DKIM that are working, and the Gmail connection works (or it did).

19 Replies

I think your Name value is wrong.

For example, in a typical scenario, you have a linode server that has its own hostname and domain, including a website. So that looks like:

* example.tld (example domain)
* myserver.example.tld (fully qualified domain name of the server "myserver")
* www.example.tld (website)

So the server "myserver" hosts the website "www.example.tld" and has myserver.example.tld as its own FQDN.

In the above example, you need 3 SPF entries:

* Name:  Value: v=spf1 a mx include:_spf.google.com include:spf.oiyc.org ~all
* Name: myserver  Value: v=spf1 a mx -all
* Name: www  Value: v=spf1 -all

Notice how in the first point, Name for the domain is empty, this covers emails like whatever@example.tld. The second point covers emails like whatever@myserver.example.tld, these are real emails generated by your own server (like cron emails). The third point covers emails like whatever@www.example.tld, which I block completely since I never want emails like that to ever exist.

More details can be found in an older post here.

OK, that was helpful, but I'm confused about what "myserver" needs to be. Would that be the domain name oiyc.org? Or would it be the hostname?

No, it won't be the domain itself; it's just the hostname of the server (without the domain part), which is why I named it "myserver".

If you run the following:

# hostname

or

# cat /etc/hostname

You should get the hostname of your server, in its FQDN format (Fully Qualified Domain Name), that looks like:

myserver.example.tld

(the hostname is "myserver", the domain is "example.tld")

If you don't get something like that, then maybe your server isn't properly configured or you are not running a Linux distro that I am familiar with.

The point I am trying to make is that the Linode server is not named as your domain only (not oiyc.org). It should have a unique identifier, like server1.oiyc.org, so the domain may have multiple servers like server2.oiyc.org, server3.oiyc.org, whatever.oiyc.org, and so on.

@IfThenElse:

> If you run the following:
>
> # hostname
>
> or
>
> # cat /etc/hostname
>
> You should get the hostname of your server, in its FQDN format (Fully Qualified Domain Name), that looks like:
>
> myserver.example.tld
>
> (the hostname is "myserver", the domain is "example.tld")

No you will not. /etc/hostname only contains the hostname.

http://man7.org/linux/man-pages/man5/hostname.5.html

Ran `# hostname` and got localhost back. Found that the hostname file was blank. I set that name to "scotthill2" and rebooted. So now the hostname command gives scotthill2.

Then I put the TXT record to:

Name: scotthill2

Value: v=spf1 a mx -all

Also, I removed the Name: google from the record as in:

Value: v=spf1 include:_spf.google.com include:oiyc.org ~all

Then after a 20 minute wait I get:

root@scotthill:/# host -t TXT oiyc.org

oiyc.org descriptive text "v=spf1 include:_spf.google.com include:oiyc.org ~all"

Then I sent a test message from my server and I got:

Subject: A different sort of test 123ef

SPF: PASS with IP 209.85.220.65 Learn more

DKIM: 'PASS' with domain oiyc-org.20150623.gappssmtp.com Learn more

That is what I wanted. Thanks

@dubidubno, in CentOS the /etc/hostname file contains the FQDN.

@rebrunius, I'm glad it worked, but I'm curious about your SPF record. You mention that it's:

v=spf1 include:_spf.google.com include:oiyc.org ~all

1) why is it missing an "mx" ?

2) why does it mention itself "include:oiyc.org"?

In theory, it should mention your A and MX records, so this looks more suitable:

v=spf1 a mx include:_spf.google.com ~all

a = myself

mx = my main exchange (probably also myself, but it could be a foreign email server)

include = include google.com servers, gmail, etc.

or maybe I didn't quite understand your setup.

I'm going to try that v=spf1 a mx include:_spf.google.com ~all.

The original version, v=spf1 include:_spf.google.com ~all, I had got from Google's help files.

So the working TXT record now is:

| Name | Value |
| --- | --- |
|  | v=spf1 include:_spf.google.com include:oiyc.org ~all |
| scotthill2 | v=spf1 a mx -all |
| mainkey._domainkey | k=rsa; p=***** |
| _domainkey | o=~; r=membership@oiyc.org |

And your suggestion is:

| Name | Value |
| --- | --- |
|  | v=spf1 a mx include:_spf.google.com ~all |
| scotthill2 | v=spf1 a mx -all |
| mainkey._domainkey | k=rsa; p=***** |
| _domainkey | o=~; r=membership@oiyc.org |

Yes, that should cover more cases and it's a valid SPF record.

Essentially, you have:

example@oiyc.org = allow from my own server, my MX and google

example@scotthill2.oiyc.org = allow from my own server only and my MX

The second is good because it allows things like "cron" to send emails as "root@scotthill2.oiyc.org", based on your /etc/aliases.

If your server has a web server serving a www subdomain, then you also need a record for the www. Since we don't usually want emails from @www.oiyc.org, it is best to block such emails via SPF with the record "v=spf1 -all". If you don't have such a subdomain, then ignore that.

Next step: set up a DMARC record.

What do you make of this?

I received this message from someone looking at my DNS record. I guess I need to populate the mx and a records with something?

> The record for 'scotthill2.oiyc.org' is also broken, but not so badly.
>
> $ >>> dig +short -t txt scotthill2.oiyc.org
> "v=spf1 a mx -all"
> $ >>> dig +short -t a scotthill2.oiyc.org
> $ >>> dig +short -t mx scotthill2.oiyc.org
> $ >>>
>
> The scotthill2 record says something like "accept mail from any IP listed in an 'A' record listed for 'scotthill2.oiyc.org' and any Mail eXchanger (MX) listed for 'scotthill2.oiyc.org'". However no such records exist; as you can see in the above cut-and-paste, the replies to my queries for the records are empty.

@IfThenElse:

> Yes, that should cover more cases and it's a valid SPF record.
>
> Essentially, you have:
>
> example@oiyc.org = allow from my own server, my MX and google
>
> example@scotthill2.oiyc.org = allow from my own server only and my MX
>
> the second is good because it allows things like "cron" to send emails as "root@scotthill2.oiyc.org", based on your /etc/aliases
>
> if your server has a web server for serving a www subdomain, then you also need a record for the www. Since we don't usually want emails from @www.oiyc.org, it is best to block such emails via SPF with the record "v=spf1 -all". If you don't have such a subdomain then ignore that.

@rebrunius:

> What do you make of this?
>
> I received this message from someone looking at my DNS record. I guess I need to populate the mx and a records with something?

The a record should contain the IPv4 address of scotthill2.

The mx record should contain the FQDN of the host that accepts mail for scotthill2.oiyc.org.

Now that I removed the include:oiyc.org from the value as below:

v=spf1 include:_spf.google.com include:oiyc.org ~all

now the email I send is back to having this in it:

> Received-SPF: None (protection.outlook.com: oiyc.org does not designate permitted sender hosts)

and the host command from console as in

~# host -t TXT oiyc.org
>> oiyc.org has no TXT record

@dubidubno:

> The a record should contain the IPv4 address of scotthill2.
>
> The mx record should contain the FQDN of the host that accepts mail for scotthill2.oiyc.org.

I added the a record. I have a number of mx records for the gmail server. They are the ones that receive email for my addresses. My server does not receive any email. I'm trying to set it up so that I can send a decent email that doesn't get dropped in spam boxes. What follows is the DNS configuration currently.


I can spot two errors:

You have specified that scotthill2.oiyc.org handles mail for oiyc.org, and you have set an SPF record for google.oiyc.org. There is no SPF record for just oiyc.org.

@dubidubno:

> I can spot two errors:
>
> You have specified that scotthill2.oiyc.org handles mail for oiyc.org, and you have set an SPF record for google.oiyc.org. There is no SPF record for just oiyc.org.

Which line specified that scotthill2.oiyc.org handles mail for oiyc.org ?

Is that incoming or outgoing? scotthill2.org does not handle mail, google does.

How do I add an SPF record for just oiyc.org?

You didn't follow my advice above, the Name field must be empty when you want to match the domain.

Here is what you should have:


scotthill2.oiyc.org does not have any mx records, so in my opinion the txt record for scotthill2 should be "v=spf1 a -all". Since scotthill2.oiyc.org is not supposed to receive any outside mail, it doesn't need mx records.

@dubidubno, correct, I missed that one. The server FQDN does not need the "mx".
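The four problems this thread works through (an SPF record filed under the wrong Name instead of at the bare domain, `a`/`mx` mechanisms on a host that has no A or MX records, a record that `include`s itself, and a `v=spf2` typo) can all be caught offline from the zone data alone. The following is an added example, not code from anyone in the thread: the `ZONE` dict is a constructed, simplified snapshot of the DNS manager entries (relative Name to record types, `"@"` for the empty Name), not a live lookup, and the checks are a small lint, not a full RFC 7208 evaluator.

```python
import re

# Constructed, simplified zone snapshot (not a live lookup): relative Name ->
# record types, "@" standing for the bare domain (the empty Name field). It
# mirrors the thread's intermediate state: self-referencing include at the apex,
# "a mx" on a host with no A/MX data, SPF filed under Name "google", "v=spf2".
ZONE = {
    "@": {"TXT": ["v=spf1 include:_spf.google.com include:oiyc.org ~all"],
          "MX": ["aspmx.l.google.com."]},  # illustrative MX value
    "scotthill2": {"TXT": ["v=spf1 a mx -all"]},
    "google": {"TXT": ["v=spf1 include:_spf.google.com ~all"]},
    "oiyc": {"TXT": ["v=spf2 include:spf.oiyc.org ~all"]},
}

def spf_record(zone, name):
    """SPF TXT record at `name`, or None if absent or duplicated (RFC 7208:
    more than one SPF record at a name is a permanent error)."""
    found = [t for t in zone.get(name, {}).get("TXT", []) if t.startswith("v=spf")]
    return found[0] if len(found) == 1 else None

def check_spf(zone, name, domain):
    """Lint one SPF record against the zone data; returns a list of findings."""
    rec = spf_record(zone, name)
    if rec is None:
        return [f"{name}: no single SPF record"]
    fqdn = domain if name == "@" else f"{name}.{domain}"
    terms, findings = rec.split(), []
    if terms[0] != "v=spf1":
        findings.append(f"{name}: version must be 'v=spf1', got '{terms[0]}'")
    for term in terms[1:]:
        mech = term.lstrip("+-~?")  # strip the qualifier, keep the mechanism
        if mech == "a" and not zone.get(name, {}).get("A"):
            findings.append(f"{name}: 'a' used but {fqdn} has no A record")
        elif mech == "mx" and not zone.get(name, {}).get("MX"):
            findings.append(f"{name}: 'mx' used but {fqdn} has no MX record")
        elif mech.startswith("include:") and mech[len("include:"):] == fqdn:
            findings.append(f"{name}: 'include:{fqdn}' refers to itself")
    if not re.fullmatch(r"[-~?+]?all", terms[-1]):
        findings.append(f"{name}: record does not end with an 'all' mechanism")
    return findings

def lint_zone(zone, domain):
    """Check every name carrying an SPF record and flag a missing apex record
    (the thread's 'Name must be empty to match the domain' point)."""
    report = {n: check_spf(zone, n, domain) for n in zone if spf_record(zone, n)}
    if spf_record(zone, "@") is None:
        report["@"] = [f"{domain}: no SPF record at the bare domain"]
    return {n: f for n, f in report.items() if f}
```

Running `lint_zone(ZONE, "oiyc.org")` reports the self-include at the apex, the missing A and MX data for scotthill2 and the `v=spf2` version; the corrected zone from the end of the thread (apex `v=spf1 a mx include:_spf.google.com ~all` with A and MX data, scotthill2 `v=spf1 a -all` with an A record) produces no findings.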
