SPF Record not found

    I have a problem with the SPF record in 1.1.0 -rc4.7 Git Master version. To be more exactly, there is no SPF entry.
    I use External Mail Server Option and the OpenDkim plugin. If I check the bind file for that domain, I can see all the MX listed, also the Dkim Entry but no SPF.


    Anny suggestions?


    Thank you.

    Ok... I'll confirm this. If external mail feature is activated the SPF records are missing.
    Please wait for the answer of Nuxwin. Maybe he will have an answer for this. Otherwise you have to create a ticket.

    Quote from TheCry


    Ok... I'll confirm this. If external mail feature is activated the SPF records are missing.
    Please wait for the answer of Nuxwin. Maybe he will have an answer for this. Otherwise you have to create a ticket.


    Hello ;


    I'll check that today :D

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    SSH key for online support

    Edited once, last by Nuxwin ().

    And by the way, the spf server line, it should be included also the ip's of the external mail server configured.

    Quote from Delta04


    And by the way, the spf server line, it should be included also the ip's of the external mail server configured.


    sure :P SPF is not implemented for external mail server. I'll so add that.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    SSH key for online support

    http://trac.i-mscp.net/ticket/978#ticket

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    SSH key for online support
    Quote from Nuxwin

    sure :P SPF is not implemented for external mail server. I'll so add that.


    And by the way, for Subdomains the SPF record is also not created I have seen these days.

    Hello ;


    I'm currently working on the SPF records for the external mail servers. Because we don't know what are the IP of the external mail servers added by the customer (the customer must enter their hostnames only), and also because the A records for those external mail servers are out of zone, we can only use the MX mechanism. Even if It should be possible to process some extra DNS lookups to retrieve those IP while adding those DNS records, this is a waste of time in my opinion and too error-prone (think about possible wrong entry or temporary network problem and so on..)


    Therefore, the MX and SPF records, when using the external mail server feature, will look like this:


    Zone domain.tld (Customer domain)

    Code
    1. domain.tld. 10800 IN MX 5 ext1.mx-server.com.domain.tld. 10800 IN MX 10 ext2.mx-server.com.domain.tld. 10800 IN TXT "v=spf1 mx -all"domain.tld. 10800 IN SPF "v=spf1 mx -all"


    The related out of zone A records are:


    zone mx-server.com

    Code
    1. ext1.mx-server.com. 10800 IN A 192.168.5.122ext2.mx-server.com. 10800 IN A 192.168.5.123


    Here, an SPF check will give as result:


    Assuming that the mail server IP is 192.168.5.122 or 192.168.5.123, the check should pass:


    Code
    1. root@dev:/home/nuxwin# spfquery --ip 192.168.5.122 --sender [email protected] --helo wheezy.nuxwin.compassspfquery: domain of domain.tld designates 192.168.5.122 as permitted senderReceived-SPF: pass (spfquery: domain of domain.tld designates 192.168.5.122 as permitted sender) client-ip=192.168.5.122; [email protected]; helo=wheezy.nuxwin.com;


    Code
    1. root@dev:/home/nuxwin# spfquery --ip 192.168.5.123 --sender [email protected] --helo wheezy.nuxwin.compassspfquery: domain of domain.tld designates 192.168.5.123 as permitted senderReceived-SPF: pass (spfquery: domain of domain.tld designates 192.168.5.123 as permitted sender) client-ip=192.168.5.123; [email protected]; helo=wheezy.nuxwin.com;


    But it will fail for any other IP:


    Code
    1. root@dev:/home/nuxwin# spfquery --ip 192.168.5.124 --sender [email protected] --helo wheezy.nuxwin.com
    2. fail
    3. Please see http://www.openspf.org/Why?id=user%40domain.tld&ip=192.168.5.124&receiver=spfquery : Reason: mechanism
    4. spfquery: domain of domain.tld does not designate 192.168.5.124 as permitted sender
    5. Received-SPF: fail (spfquery: domain of domain.tld does not designate 192.168.5.124 as permitted sender) client-ip=192.168.5.124; [email protected]; helo=wheezy.nuxwin.com;


    Well, it's ok as long the IP address of the host, which is sending the mails using the god.com identity matches with the ip corresponding to the MX record. Now, if the MX belongs to an host which delegate its works to another server (wich is sending the mail using its own IP), this will probably fail. In such a case, the customer will have to add the correct SPF record by itself using the custom DNS feature..


    Note1: I'm talking only about SPF record for external mail servers there. ;)
    Note2: Using the 'a' mechanism such as: a:ext1.mx-server.com should also work but it's useless in my opinion. I should process further tests.


    Question: Should we use softfail ??? ---> ~all

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    SSH key for online support

    Edited once, last by Nuxwin ().

    Quote from Nuxwin


    Hello ;


    I'm currently working on the SPF records for the external mail servers. Because we don't know what are the IP of the external mail servers added by the customer (the customer must enter their hostnames only), and also because the A records for those external mail servers are out of zone, we can only use the MX mechanism. Even if It should be possible to process some extra DNS lookups to retrieve those IP while adding those DNS records, this is a waste of time in my opinion and too error-prone (think about possible wrong entry or temporary network problem and so on..)


    You could add an extra entry field, when external mail is activated, so that the user can input by hand the IP address.


    Quote


    Question: Should we use softfail ??? ---> ~all


    fail is "-all" which means if it doesn't come from any of the assigned IP's or MX its fake and do not trust it.
    softfail is "~all" which means that your domain can still be spoofed because most email servers allow mail to still go through with that error.


    For the moment I'll go with the ~all (softfail).

    Edited once, last by Delta04 ().

    Quote from Delta04


    You could add an extra entry field, when external mail is activated, so that the user can input by hand the IP address.


    Too much work. We are in freeze state and anyway, the "a" mechanism should be sufficient


    Quote from Delta04


    fail is "-all" which means if it doesn't come from any of the assigned IP's or MX its fake and do not trust it.
    softfail is "~all" which means that your domain can still be spoofed because most email servers allow mail to still go through with that error.


    For the moment I'll go with the ~all (softfail).


    I know the difference but in my opinion, usage of softfail is ridiculous because this mean that even if we add the SPF record, the mail can still be forged...

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

    SSH key for online support

    Edited once, last by Nuxwin ().