0

I'm using iPower for web and email hosting. I was recently made aware that SPF and DMARC were set to neutral, causing all of our outgoing emails to go to spam. I updated both records and they worked for a bit. My issue is that some of our users have IP addresses that constantly change. I add the updated IPs to SPF but it's not sustainable. Is there a way to account for changing IPs in SPF? SPF is currently set to soft fail since I don't want these emails to be outright rejected when the IP changes.

v=spf1 ip4:XX.XX.XXX.X/XX ~all (example configuration)

Neil C
  • 9
  • 1
  • 2
    Why don't your users send their mail through the central SMTP submission server or smarthost, whose address (almost) never changes? Only that address needs to be added to the SPF record. And that server can also manage signing with DKIM, and therefore only one DKIM record will be needed. The server could use SMTP authentication with usernames and passwords rather than identifying by ever-changing IPs. (This is how such things are done in the civilized world.) – Nikita Kipriyanov Sep 02 '22 at 14:08
  • 3
    Also, *SPF and DMARC were set to neutral, causing all of our outgoing emails to go to spam* — this is quite debatable. Sending mail from dynamic IP pools is much more likely to cause mails to spam (or even get rejected without queuing). – Nikita Kipriyanov Sep 02 '22 at 14:14
  • 3
    **I was recently made aware that SPF and DMARC were set to neutral, causing all of our outgoing emails to go to spam** - I seriously doubt that was the cause. – joeqwerty Sep 02 '22 at 14:25
  • 1
    So your users run SMTP server software on their computers and send email directly to the recipients' email servers? That sounds a bit odd. – joeqwerty Sep 02 '22 at 14:26
  • "Why don't your users send their mail through the central SMTP submission server or smarthost, whose address (almost) never changes?" We do (smtp.ipower.com). I'm new to all this and trying to figure it out piece by piece. Gmail is one of the culprits of sending us to spam and they recommended setting up stricter DMARC and SPF to avoid being sent to spam. I did that and our emails stopped being marked as spam. I assumed that the neutral setting was the issue but I could be completely wrong. – Neil C Sep 02 '22 at 14:38
  • "So your users run SMTP server software on their computers and send email directly to the recipients' email servers? That sounds a bit odd." - Users use iPower's SMTP server to send email. I thought the neutral setting was the culprit because Gmail stopped marking us as spam when I changed the settings to quarantine in DMARC and soft fail in SPF. – Neil C Sep 02 '22 at 14:44
  • You need to have the IP address of the iPower SMTP server in your SPF record, not the IP addresses of your email clients. Alternatively, you can use the MX mechanism in your SPF record if your sending and receiving SMTP servers are the same server. – joeqwerty Sep 02 '22 at 15:02
  • Sending and receiving server are the same. Is it more effective to use MX or are both equally viable? – Neil C Sep 02 '22 at 19:54

1 Answer

1

You should not track users' IPs in SPF. It's designed neither for massive IP lists nor for real-time updates.

Your users should send mail using your mail servers.

You should have proper MX RRs pointing to your receiving SMTP servers.

If you use the same servers for receiving and sending, to simplify administration you may use an SPF RR like

example.com. IN TXT  "v=spf1 mx ~all"

which means mail from the domain example.com will be accepted from hosts listed in the MX records.

If you send emails via SMTP servers not listed in the MX records, you may use an SPF RR with the SMTP servers' IPs or domain names

example.com.   IN TXT  "v=spf1 ip4:x.x.x.x a:sender.example.com ~all"

Using IPs in SPF is more effective because fewer DNS queries are needed.

This is how it works.

gapsf
  • 641
  • 1
  • 5
  • 12
  • Thanks for the reply. Users are using the main email servers but they are being tagged as spam in Gmail. I updated to the SPF that you recommended but I'm still having the same issue. – Neil C Sep 06 '22 at 20:00
  • Google uses other techniques besides SPF to categorize mail as spam. You should figure them out further. These techniques may not be related to DNS, SPF, DKIM or others. These need further investigation. They may analyze, maybe, the mail headers of your users' mail, and now they are in some sort of Google's own spam list. Check logs and replies from Gmail servers further. Post your investigation here. – gapsf Sep 06 '22 at 20:24
  • Check this to start: https://support.google.com/mail/answer/81126?hl=en – gapsf Sep 06 '22 at 20:27
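
As an added illustration of the two records in the answer above (not code from the answer or from any mail server), this Python function evaluates an SPF record against the IP that connects to the receiving server and counts the DNS queries each mechanism costs. The zone data and addresses are constructed, the function name is hypothetical, and only `ip4`, `a`, `mx` and `all` are handled.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), standing in for a resolver.
ZONE = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("sender.example.com", "A"): ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUP_TERMS = 10  # RFC 7208 limit on mechanisms that query DNS


def evaluate_spf(record, domain, connecting_ip, zone=ZONE):
    """Return (result, dns_queries) for the IP that connected to the receiver.

    Handles only the mechanisms used on this page: ip4, a, mx and all.
    """
    ip = ipaddress.ip_address(connecting_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", 0
    lookup_terms = queries = 0
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":  # no DNS needed: compared directly
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mechanism in ("a", "mx"):
            lookup_terms += 1
            if lookup_terms > MAX_LOOKUP_TERMS:
                return "permerror", queries
            hosts = [arg or domain]
            if mechanism == "mx":  # one MX query, then one A query per exchanger
                queries += 1
                hosts = zone.get((hosts[0], "MX"), [])
            queries += len(hosts)
            addresses = [a for h in hosts for a in zone.get((h, "A"), [])]
            matched = str(ip) in addresses
        else:
            return "permerror", queries  # mechanism not handled in this example
        if matched:
            return QUALIFIERS[qualifier], queries
    return "neutral", queries  # no mechanism matched and no "all" term
```

The `connecting_ip` argument is the address of the server that hands the message to the receiver, so a user's changing address (such as the constructed 203.0.113.77) is only evaluated if the client delivers directly instead of submitting through the provider's SMTP server.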