Linode Forum
Linode Community Forums
Posted: Mon Jul 19, 2010 4:46 am
Senior Newbie

Joined: Sun Jan 03, 2010 1:09 pm
Posts: 13
Website: http://adrianm.com
Location: NJ, USA
Hello,

I read a couple of posts/threads explaining how to set up Google Apps and SPF to work correctly. However, after making the changes and waiting a couple of days, the SPF record seems to be wrong.

When I get an email this is in the headers:

Received-SPF: neutral (google.com: xxx.xxx.xx.xx is neither permitted nor denied by best guess record for domain of xyxyxyxy@xxxx.xxx) client-ip=xxx.xxx.xx.xx;
Authentication-Results: mx.google.com; spf=neutral (google.com: xxx.xxx.xx.xx is neither permitted nor denied by best guess record for domain of xyxyxyxy@xxxx.xxx) smtp.mail=xyxyxyxy@xxxx.xxx

My settings in the Linode DNS Manager for TXT Record are:
- Name: mail125
- Value: v=spf1 include:_spf.google.com ~all
- TTL: default

What can be wrong? Thanks :D


Posted: Mon Jul 19, 2010 9:06 am
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
~ is "undecided". That is, neither allow nor deny. You probably want
Code:
v=spf1 include:_spf.google.com -all
if you want to allow only Google servers, or
Code:
v=spf1 include:_spf.google.com a -all
if you want to allow the server machine itself to send stuff directly (which you probably do, unless you have msmtp set to route all outgoing messages via Google).


Posted: Mon Jul 19, 2010 10:27 am
Senior Newbie

Joined: Sun Jan 03, 2010 1:09 pm
Posts: 13
Website: http://adrianm.com
Location: NJ, USA
Ahhh, that would make sense, but it's odd that google recommended not to use the "-" in an spf record.

Thanks :D


Posted: Mon Jul 19, 2010 1:00 pm
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
adrian18w wrote:
Ahhh, that would make sense, but it's odd that google recommended not to use the "-" in an spf record.

Using "-" is dangerous as it will tell others to reject your messages if they come from anywhere but what you have specified in your SPF record. Even big players seem to be able to get their SPF records wrong, so I think google is just trying to minimize the damage when people make mistakes.

If you understand SPF well enough to be using the "-", then you probably should be confident enough to ignore a recommendation from google ;)


Posted: Mon Jul 19, 2010 1:14 pm
Senior Member

Joined: Sun Aug 31, 2008 4:29 pm
Posts: 177
~all means soft fail. -all is hard fail. With soft fail, when the spf test fails the receiving server may still accept the message.

If the spf record is correct, either should return an spf pass (as seen in the message headers).

I'm not sure about the Linode DNS manager, but sometimes it's necessary to enclose the TXT record in quotes, e.g.

"v=spf1 include:_spf.google.com ~all"


Posted: Mon Jul 19, 2010 1:27 pm
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
adrian18w wrote:
My settings in the Linode DNS Manager for TXT Record are:
- Name: mail125
- Value: v=spf1 include:_spf.google.com ~all
- TTL: default

What you have specified above will only apply to mail coming from user@mail125.yourdomain.com.

You want to leave the "Name" field blank in the linode DNS manager to make an SPF record for mail coming from user@yourdomain.com.


Posted: Mon Jul 19, 2010 6:27 pm
Senior Newbie

Joined: Sun Jan 03, 2010 1:09 pm
Posts: 13
Website: http://adrianm.com
Location: NJ, USA
sleddog wrote:
~all means soft fail. -all is hard fail. With soft fail, when the spf test fails the receiving server may still accept the message.

If the spf record is correct, either should return an spf pass (as seen in the message headers).

I'm not sure about the Linode DNS manager, but sometimes it's necessary to enclose the TXT record in quotes, e.g.

"v=spf1 include:_spf.google.com ~all"


So really either using "-" or "~" shouldn't really cause a fail. There has to be a different source of a mistake. I have added the quotes.

Stever wrote:
adrian18w wrote:
My settings in the Linode DNS Manager for TXT Record are:
- Name: mail125
- Value: v=spf1 include:_spf.google.com ~all
- TTL: default

What you have specified above will only apply to mail coming from user@mail125.yourdomain.com.

You want to leave the "Name" field blank in the linode DNS manager to make an SPF record for mail coming from user@yourdomain.com.


As an extra precaution I have also left the "Name" field blank.

Thanks again for the hints. I shall post back the results :D


Posted: Tue Jul 20, 2010 6:27 am
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
All right, that'll hopefully teach me to re-check docs before posting... anyway, Linode DNS Manager automatically puts quotes around the TXT contents. If you put a pair of quotes in there manually, they'll end up INSIDE the record, as
Code:
"\"v=spf1 a mx -all\""

. And yes, I just tested it. Remove the quotes.

Heh, speaking of... there seems to be a bug afterwards... when I clicked Edit on the above record to remove the quotes, the value form field was empty... no idea if it's an escaping problem inside the manager or just a problem with Opera/10.10, but that's how it looked. The data was still there - the Remove option did display the entry - but the edit form showed an empty value and let me overwrite it.


Posted: Tue Jul 20, 2010 8:18 am
Senior Newbie

Joined: Sun Jan 03, 2010 1:09 pm
Posts: 13
Website: http://adrianm.com
Location: NJ, USA
rsk wrote:
All right, that'll hopefully teach me to re-check docs before posting... anyway, Linode DNS Manager automatically puts quotes around the TXT contents. If you put a pair of quotes in there manually, they'll end up INSIDE the record, as
Code:
"\"v=spf1 a mx -all\""

. And yes, I just tested it. Remove the quotes.

Heh, speaking of... there seems to be a bug afterwards... when I clicked Edit on the above record to remove the quotes, the value form field was empty... no idea if it's an escaping problem inside the manager or just a problem with Opera/10.10, but that's how it looked. The data was still there - the Remove option did display the entry - but the edit form showed an empty value and let me overwrite it.


Ok, thanks, quotes removed :)


Posted: Tue Jul 20, 2010 10:15 am
Senior Member

Joined: Sat Mar 28, 2009 4:23 pm
Posts: 415
Website: http://jedsmith.org/
Location: Out of his depth and job-hopping without a clue about network security fundamentals
rsk wrote:
no idea if it's an escaping problem inside the manager

Try again. It should be fixed.

_________________
Disclaimer: I am no longer employed by Linode; opinions are my own alone.


Posted: Tue Jul 20, 2010 12:05 pm
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
jed wrote:
Try again. It should be fixed.

Indeed, it is... darn, I love Linode. :P


Posted: Thu Jul 22, 2010 5:43 am
Senior Newbie

Joined: Sun Jan 03, 2010 1:09 pm
Posts: 13
Website: http://adrianm.com
Location: NJ, USA
Hmm, ok guys, now emails which I send from google apps work great, but when the server sends one, the email headers say " (server ip) is neither permitted nor denied by best guess record for domain of ... ".

So it seems that adding the "a" into the spf record doesn't verify the emails sent by the server.

Should I add the server's ip : "ip4:xxx.xxx.xx.xxx" in the record?

Thanks.


Posted: Thu Jul 22, 2010 9:51 am
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
adrian18w wrote:
best guess record for domain of ... ".

When they say "best guess" it means that they didn't actually get your SPF record and they are making one up for you.

What domain did they say they were making a best guess for?


Posted: Thu Jul 22, 2010 12:14 pm
Senior Newbie

Joined: Sun Jan 03, 2010 1:09 pm
Posts: 13
Website: http://adrianm.com
Location: NJ, USA
The server is set up under domain "xxxxxxxx.com" and the mail is sent from "yyyyyyyy.com".


Posted: Thu Jul 22, 2010 1:58 pm
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
Each domain you send mail from needs to have an SPF record that includes all servers that may send mail for that domain.

If your setup is that mail from yyyyyyyy.com can originate either from google apps or the server foo.xxxxxxxx.com, then it seems like you want an SPF record in the yyyyyyyy.com zone that looks something like one of these:
Code:
v=spf1 a:foo.xxxxxxxx.com include:_spf.google.com ~all
v=spf1 ip4:a.b.c.d include:_spf.google.com ~all

Where a.b.c.d is the IP address of your server.

If you also send mail from the xxxxxxxx.com domain, then you need another SPF record for that zone.

And stick with the ~all until you get everything working right - once you are comfortable you can switch to -all if you want.

Can't help much more if you are going to keep the real details secret.
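
The points raised across this thread (the record's Name, quotes ending up inside the value, ~all versus -all, and the a: / ip4: / include: mechanisms), as an added example that is not part of any poster's message: a simplified SPF evaluator run over a constructed zone table instead of live DNS. All domain names and addresses are placeholders, `_spf.provider.example` stands in for the mail provider's include, and only the ip4, a, include and all mechanisms are handled.

```python
import ipaddress

# Constructed zone data (placeholder names, documentation addresses); stands in for DNS.
TXT = {
    "mail125.example.org": ["v=spf1 include:_spf.provider.example ~all"],  # Name field filled in
    "quoted.example.com": ['"v=spf1 a mx -all"'],     # manual quotes ended up inside the value
    "example.com": ["v=spf1 a:foo.example.net include:_spf.provider.example ~all"],
    "strict.example.com": ["v=spf1 ip4:192.0.2.10 -all"],
    "_spf.provider.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
A = {"foo.example.net": ["192.0.2.10"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Simplified SPF evaluation (ip4, a, include, all); returns the result string."""
    if depth > 10:
        return "permerror"
    # Only a TXT value whose first token is exactly v=spf1 counts as an SPF record.
    records = [t for t in TXT.get(domain, []) if t.split(" ")[0].lower() == "v=spf1"]
    if not records:
        return "none"            # nothing usable published at this exact name
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        # A leading +, -, ~ or ? is the qualifier; the default is +.
        qual, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            match = True
        elif name == "ip4":
            match = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            match = ip in A.get(arg or domain, [])
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            match = sub == "pass"   # only a pass from the included record matches
        else:
            continue             # mechanisms outside this sketch are skipped
        if match:
            return RESULT[qual]
    return "neutral"
```

With a correct record at the sending domain, both `~all` and `-all` give a pass for listed senders; the qualifier only changes the result for senders that match nothing else.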

