Linode Forum
https://forum.linode.com/

Linode DNS manager, spf and google apps
https://forum.linode.com/viewtopic.php?f=11&t=5820
Page 1 of 2

Author:  adrian18w [ Mon Jul 19, 2010 4:46 am ]
Post subject:  Linode DNS manager, spf and google apps

Hello,

I read a couple of posts/threads explaining how to set up google apps and spf to work correctly. However, after making the changes and waiting a couple of days, the spf record seems to be wrong.

When I get an email this is in the headers:

Received-SPF: neutral (google.com: xxx.xxx.xx.xx is neither permitted nor denied by best guess record for domain of xyxyxyxy@xxxx.xxx) client-ip=xxx.xxx.xx.xx;
Authentication-Results: mx.google.com; spf=neutral (google.com: xxx.xxx.xx.xx is neither permitted nor denied by best guess record for domain of xyxyxyxy@xxxx.xxx) smtp.mail=xyxyxyxy@xxxx.xxx

My settings in the Linode DNS Manager for TXT Record are:
- Name: mail125
- Value: v=spf1 include:_spf.google.com ~all
- TTL: default

What can be wrong? Thanks :D

Author:  rsk [ Mon Jul 19, 2010 9:06 am ]
Post subject: 

~ is "undecided". That is, neither allow nor deny. You probably want
Code:
v=spf1 include:_spf.google.com -all
if you want to allow only Google servers, or
Code:
v=spf1 include:_spf.google.com a -all
if you want to allow the server machine itself to send stuff directly (which you probably do, unless you have msmtp set to route all outgoing messages via Google).

Author:  adrian18w [ Mon Jul 19, 2010 10:27 am ]
Post subject: 

Ahhh, that would make sense, but it's odd that google recommended not to use the "-" in an spf record.

Thanks :D

Author:  Stever [ Mon Jul 19, 2010 1:00 pm ]
Post subject: 

adrian18w wrote:
Ahhh, that would make sense, but it's odd that google recommended not to use the "-" in an spf record.

Using "-" is dangerous as it will tell others to reject your messages if they come from anywhere but what you have specified in your SPF record. Even big players seem to be able to get their SPF records wrong, so I think google is just trying to minimize the damage when people make mistakes.

If you understand SPF well enough to be using the "-", then you probably should be confident enough to ignore a recommendation from google ;)

Author:  sleddog [ Mon Jul 19, 2010 1:14 pm ]
Post subject: 

~all means soft fail. -all is hard fail. With soft fail, when the spf test fails the receiving server may still accept the message.

If the spf record is correct, either should return an spf pass (as seen in the message headers).

I'm not sure about the Linode DNS manager, but sometimes it's necessary to enclose the TXT record in quotes, e.g.

"v=spf1 include:_spf.google.com ~all"

Author:  Stever [ Mon Jul 19, 2010 1:27 pm ]
Post subject:  Re: Linode DNS manager, spf and google apps

adrian18w wrote:
My settings in the Linode DNS Manager for TXT Record are:
- Name: mail125
- Value: v=spf1 include:_spf.google.com ~all
- TTL: default

What you have specified above will only apply to mail coming from user@mail125.yourdomain.com.

You want to leave the "Name" field blank in the linode DNS manager to make an SPF record for mail coming from user@yourdomain.com.

Author:  adrian18w [ Mon Jul 19, 2010 6:27 pm ]
Post subject: 

sleddog wrote:
~all means soft fail. -all is hard fail. With soft fail, when the spf test fails the receiving server may still accept the message.

If the spf record is correct, either should return an spf pass (as seen in the message headers).

I'm not sure about the Linode DNS manager, but sometimes it's necessary to enclose the TXT record in quotes, e.g.

"v=spf1 include:_spf.google.com ~all"


So really either using "-" or "~" shouldn't really cause a fail. There has to be a different source of a mistake. I have added the quotes.

Stever wrote:
adrian18w wrote:
My settings in the Linode DNS Manager for TXT Record are:
- Name: mail125
- Value: v=spf1 include:_spf.google.com ~all
- TTL: default

What you have specified above will only apply to mail coming from user@mail125.yourdomain.com.

You want to leave the "Name" field blank in the linode DNS manager to make an SPF record for mail coming from user@yourdomain.com.


As an extra precaution I have also left the "Name" field blank.

Thanks again for the hints. I shall post back the results :D

Author:  rsk [ Tue Jul 20, 2010 6:27 am ]
Post subject: 

All right, that'll hopefully teach me to re-check docs before posting... anyway, Linode DNS Manager automatically puts quotes around the TXT contents. If you put a pair of quotes in there manually, they'll end up INSIDE the record, as
Code:
"\"v=spf1 a mx -all\""

And yes, I just tested it. Remove the quotes.

Heh, speaking of... there seems to be a bug afterwards... when I clicked Edit on the above record to remove the quotes, the value form field was empty... no idea if it's an escaping problem inside the manager or just a problem with Opera/10.10, but that's how it looked. The data was still there - the Remove option did display the entry - but the edit form showed an empty value and let me overwrite it.

Author:  adrian18w [ Tue Jul 20, 2010 8:18 am ]
Post subject: 

rsk wrote:
All right, that'll hopefully teach me to re-check docs before posting... anyway, Linode DNS Manager automatically puts quotes around the TXT contents. If you put a pair of quotes in there manually, they'll end up INSIDE the record, as
Code:
"\"v=spf1 a mx -all\""

And yes, I just tested it. Remove the quotes.

Heh, speaking of... there seems to be a bug afterwards... when I clicked Edit on the above record to remove the quotes, the value form field was empty... no idea if it's an escaping problem inside the manager or just a problem with Opera/10.10, but that's how it looked. The data was still there - the Remove option did display the entry - but the edit form showed an empty value and let me overwrite it.


Ok, thanks, quotes removed :)

Author:  jed [ Tue Jul 20, 2010 10:15 am ]
Post subject: 

rsk wrote:
no idea if it's an escaping problem inside the manager

Try again. It should be fixed.

Author:  rsk [ Tue Jul 20, 2010 12:05 pm ]
Post subject: 

jed wrote:
Try again. It should be fixed.

Indeed, it is... darn, I love Linode. :P

Author:  adrian18w [ Thu Jul 22, 2010 5:43 am ]
Post subject: 

Hmm, ok guys, now emails which I send from google apps work great, but when the server sends one, the email headers say " (server ip) is neither permitted nor denied by best guess record for domain of ... ".

So it seems that adding the "a" into the spf record doesn't verify the emails sent by the server.

Should I add the server's ip : "ip4:xxx.xxx.xx.xxx" in the record?

Thanks.

Author:  Stever [ Thu Jul 22, 2010 9:51 am ]
Post subject: 

adrian18w wrote:
best guess record for domain of ... ".

When they say "best guess" it means that they didn't actually get your SPF record and they are making one up for you.

What domain did they say they were making a best guess for?

Author:  adrian18w [ Thu Jul 22, 2010 12:14 pm ]
Post subject: 

The server is set up under domain "xxxxxxxx.com" and the mail is sent from "yyyyyyyy.com".

Author:  Stever [ Thu Jul 22, 2010 1:58 pm ]
Post subject: 

Each domain you send mail from needs to have an SPF record that includes all servers that may send mail for that domain.

If your setup is that mail from yyyyyyyy.com can originate either from google apps or the server foo.xxxxxxxx.com, then it seems like you want an SPF record in the yyyyyyyy.com zone that looks something like one of these:
Code:
v=spf1 a:foo.xxxxxxxx.com include:_spf.google.com ~all
v=spf1 ip4:a.b.c.d include:_spf.google.com ~all

Where a.b.c.d is the IP address of your server.

If you also send mail from the xxxxxxxx.com domain, then you need another SPF record for that zone.

And stick with the ~all until you get everything working right - once you are comfortable you can switch to -all if you want.

Can't help much more if you are going to keep the real details secret.
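
The failure modes worked through in this thread (record published under "mail125" instead of the bare domain, quotes typed into the value, the server's own address not covered by the record), reproduced with a simplified SPF evaluator. This is an added example, not part of the original thread; example.com, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses and the contents of the _spf.google.com record are constructed placeholders, and only the ip4, a, include and all mechanisms are handled.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt, a_records, depth=0):
    """Simplified RFC 7208 evaluation: only ip4, a, include and all are handled."""
    if depth > 10:                                   # guard against include loops
        return "permerror"
    # A record only counts if it sits at exactly `domain` and starts with v=spf1.
    records = [r for r in txt.get(domain, []) if r.split(" ")[0].lower() == "v=spf1"]
    if len(records) != 1:
        return "permerror" if records else "none"    # "none": receiver may use a "best guess"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in a_records.get(arg or domain, [])
        elif name == "include":
            inner = check_host(ip, arg, txt, a_records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"                       # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

# Constructed data: example.com / 192.0.2.10 stand in for masked values; _spf.google.com content is a placeholder.
A = {"example.com": ["192.0.2.10"]}
BASE = {"_spf.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"]}
SPF = "v=spf1 include:_spf.google.com ~all"
STRICT = "v=spf1 a include:_spf.google.com -all"

def scenarios():
    run = lambda ip, name, value: check_host(ip, "example.com", {**BASE, name: [value]}, A)
    return {
        "name=mail125": run("198.51.100.7", "mail125.example.com", SPF),   # record at wrong name
        "typed quotes": run("198.51.100.7", "example.com", f'"{SPF}"'),    # quotes inside the value
        "apex, google": run("198.51.100.7", "example.com", SPF),
        "apex, server": run("192.0.2.10", "example.com", SPF),             # server not listed
        "a -all, server": run("192.0.2.10", "example.com", STRICT),
        "a -all, other": run("203.0.113.5", "example.com", STRICT),
    }
```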

All times are UTC-04:00