0

I'm pretty new to email server configuration, so now I'm trying to make my SPF work well but I'm facing a strange problem. My SPF is like this

```
v=spf1 +mx +a +ip4:xxx.xxx.xxx.xxx +include:_spf.google.com ~all
```

So with this we can send emails from our server, and people who use Gmail to manage the email account can send too. But we have some people who use other mail clients like Thunderbird, Outlook, etc. And when they send an email to someone who uses Gmail, sometimes it goes to Spam because Gmail says that the SPF does not allow that email. So I'll give an example. I use Thunderbird; when I send a message to a Gmail address, it is accepted with the log

```
spf=pass (google.com: domain of myemail@mydomain.com.br designates xxx.xxx.xxx.xxx as permitted sender)
```

The IP is from our server. And here (in the same building, so the same IP) another person uses Outlook; when they send an email to Gmail it returns

```
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning another@mydomain.com.br does not designate yyy.yyy.yyy.yyy as permitted sender) smtp.mailfrom=another@mydomain.com.br
Received-SPF: softfail (google.com: domain of transitioning another@mydomain.com.br does not designate yyy.yyy.yyy.yyy as permitted sender) client-ip=yyy.yyy.yyy.yyy;
```

So the point is, why is the email from another@mydomain getting our external IP and the myemail@mydomain getting the IP from the server if they are being sent from the same IP?

And how can I get around this? Some people who use Outlook work in other places, and their emails go to Spam because SPF does not allow them. SPF points to another IP, the external IP where the sender is, not the server IP as with myemail@mydomain.

I can put the IPs in the SPF key, but it does not make much sense because the IP can change, so I'll have to change the SPF key a lot of times.

I didn't find some config like the _spf.google.com for Outlook and Thunderbird...

Paul
  • 1
    can you clarify a few things: is G Suite hosting the domain? which smtp server this guy is using > "another person uses Outlook"? – 4snok Jul 11 '22 at 23:41
  • 1
    SPF just lists all hosts that are permitted to send mail on behalf of a domain. So, do you know *all* servers that send mail "from `something@mydomain.com.br`", and do you know all IP addresses they use for that? (Also let me point out that this is independent of which client software you are using. All that matters is *which outbound servers* are configured.) – Nikita Kipriyanov Jul 12 '22 at 02:08
  • Hi, @4snok No. Our mail server is hosted in another place. They just use Gmail to send and receive emails, like other mail clients. And the SMTP is mail.mydomain.com.br so everybody uses the same SMTP, but some of them go to spam, and others (like mine) don't go... – Anderson Silvestre Jul 12 '22 at 13:38
  • @NikitaKipriyanov the Outbound server, is somehow the SMTP configuration right? So if it is, everyone uses the mail.mydomain.com.br with the port 587, and it's strange because if everybody uses the same configuration why are they getting blocked... and sometimes the same person gets blocked and other times doesn't. Sending from the same mail configuration. – Anderson Silvestre Jul 12 '22 at 13:59
  • Perfect, you already know what your outbound server is. Now you should go *to the server* and examine which IP address gets used when it sends mail outside. Usually, the server has one or a few public IP addresses, or it is behind some NAT gateway which has one or a few public IP addresses. To not think much, I'd add all of them into SPF. Also, if you use a smarthost, add *its* outbound IP addresses (consult with the admins of your smarthost about which ones). – Nikita Kipriyanov Jul 12 '22 at 15:57
  • And, if you don't have public IP addresses and/or don't know if you have one, **do not run email server or use a smarthost for all outbound mail**. This is not to insult you — just the matter of fact, you absolutely need to have a static public IP address (with reverse DNS record configured) to run email server which talks with servers other than the smarthost. – Nikita Kipriyanov Jul 12 '22 at 15:59
  • Ok, I think I understand what you're saying, so (sorry if I'm answering wrong): we have a public IP that we send the emails from; it is the xxx.xxx.xxx.xxx that is in the post. So when someone sends an email from outside (I think this outside is both from outside of the building that I'm in and from the same IP or mail server), it gets the IP from where they are, like zzz.zzz.zzz.zzz or vvv.vvv.vvv.vvv. And only Gmail takes the emails to Spam; Outlook and Thunderbird don't do that. – Anderson Silvestre Jul 12 '22 at 18:28
  • The exact behaviour of the receiving side is *not strictly defined*. You set up SPF, DKIM and DMARC policies, *hoping* that the receiver will check them and, if a message doesn't pass the checks, will discard it or at least pessimize its spamminess score. SPF is only your *suggestion*; the receiver has full power to follow your suggestions, or to reject all messages from your domain, or accept all of them; nobody knows *what exactly* the receiver will do with messages and nobody can force them to follow a certain policy. – Nikita Kipriyanov Jul 14 '22 at 08:28

1 Answer

2

The IP address is not listed in the SPF record found in the DNS, which can be a reason why SPF authentication fails for your email. Open the email and check the email header.

View internet message headers in Outlook (microsoft.com)

Then implement SPF by publishing it on your DNS.

Aaron
  • Hi, so this can resolve my problem for a while, but if for some reason the sender changes the IP address I'll have to change the SPF config too. And this is not very good, because I read that it takes about 48 hours to work properly. – Anderson Silvestre Jul 12 '22 at 14:09
  • Any update about this issue? If the issue has been solved, please do not forget to mark the helpful reply as the best answer. Thanks! – Aaron Jul 18 '22 at 09:50
  • So I have no news about this. I didn't find a way to get it done. But I'm searching for some Outlook records to put in the SPF key because to use Gmail I have the `_spf.google.com` and for Outlook, it seems to have the `spf.protection.outlook.com` but on the Microsoft site, they say that this record works with Microsoft 365 and I use the older versions like Outlook 2010 and 2016. Idk if it works. – Anderson Silvestre Jul 21 '22 at 13:07
  • If the record works on M365, it should work fine with Outlook 2010 and 2016. Because the account is a 365 account, and it has nothing to do with the Outlook client. – Aaron Jul 25 '22 at 07:26
  • If the issue has been solved, Please feel free to accept helpful reply as the answer. It will help other community members who have a similar issue as well : ) – Aaron Jul 29 '22 at 09:34
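
The header check suggested in the answer can be scripted. The following is an added example, not code from any of the posts: it extracts the SPF result and `client-ip` from `Received-SPF` headers and reports whether that IP is one of the literal `ip4`/`ip6` entries in the record. The sample headers are constructed (`example.com` and documentation-range IPs stand in for the masked values), the function names are hypothetical, and `mx`, `a` and `include` terms are only listed, since evaluating them requires DNS lookups.

```python
import ipaddress
import re

# Constructed sample data: documentation-range IPs stand in for the
# masked xxx.xxx.xxx.xxx / yyy.yyy.yyy.yyy addresses in the question.
SPF_RECORD = "v=spf1 +mx +a +ip4:192.0.2.10 +include:_spf.google.com ~all"
HEADERS = [
    "Received-SPF: pass (google.com: domain of myemail@example.com designates "
    "192.0.2.10 as permitted sender) client-ip=192.0.2.10;",
    "Received-SPF: softfail (google.com: domain of transitioning "
    "another@example.com does not designate 198.51.100.77 as permitted sender) "
    "client-ip=198.51.100.77;",
]

RECEIVED_SPF = re.compile(
    r"^Received-SPF:\s*(?P<result>\w+)\s*\(.*?domain of (?:transitioning )?"
    r"(?P<sender>\S+@\S+).*?\)\s*client-ip=(?P<ip>[0-9A-Fa-f:.]+)",
    re.IGNORECASE | re.DOTALL,
)

def parse_received_spf(header):
    """Return (result, envelope sender, connecting IP), or None if no match."""
    m = RECEIVED_SPF.search(header)
    if not m:
        return None
    return m["result"].lower(), m["sender"], ipaddress.ip_address(m["ip"])

def split_mechanisms(record):
    """Split an SPF record into literal networks and DNS-dependent terms."""
    networks, needs_dns = [], []
    for term in record.split()[1:]:          # skip "v=spf1"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            networks.append(ipaddress.ip_network(value, strict=False))
        elif name != "all":
            needs_dns.append(term.lstrip("+-~?"))  # mx, a, include: need DNS
    return networks, needs_dns

def triage(headers, record):
    """For each header, report whether the connecting IP is a listed literal."""
    networks, needs_dns = split_mechanisms(record)
    rows = []
    for parsed in filter(None, map(parse_received_spf, headers)):
        result, sender, ip = parsed
        listed = any(ip.version == n.version and ip in n for n in networks)
        rows.append((sender, result, str(ip), listed))
    return rows, needs_dns

print(*triage(HEADERS, SPF_RECORD), sep="\n")
```

A row with `softfail` and `listed_literal` false, where the `client-ip` is not the mail server's address, means the receiver saw the connection arrive from a host other than the one the record names.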