Google Apps, SPF, softfail problem (validates with validation tools, but still softfails otherwise)

Question

I guess this is probably a commonly asked and boring question but I'm really at a loss and I don't know what else to do. This might be a duplicate of other questions, but none of the solutions worked for me. I've Googled around and read just about anything I could find but I'm still puzzled as to why it doesn't work.

The gist of my problem is that I have set-up Google Apps for a client of mine with the domain fintan.dk. Everthing works just excellent, except emails sent from *@fintan.dk (either with the Gmail web-interface or desktop client) to a non-Google Apps email gets a softfail (I have sent to my University email, an email hosted at MediaTemple and even Hotmail). The emails gets a pass when sent to a Google Apps or Gmail address though... (All emails from that domain are sent via email clients.)

So this is what I have done so far:

I've added the SPF record Google recommended (v=spf1 include:_spf.google.com ~all), waited several days hoping it would a DNS update delay problem. Now, three days later there is no change.
I have verified the settings in the desktop clients several times.
I have validated the records with validation tools like the SPF Query Tool, spf-test@openspf.org and check-auth@verifier.port25.com. All of them validate and gives a pass, saying there shouldn't be a problem, but strangely there still is.

So, I really don't know what else to do. Any help is very much appreciated.

Thank you in advance!

--

Here are som headers for an email I sent from a *@fintan.dk address to a non-Google Apps/-Gmail address with email hosted at MediaTemple, **@newzoo.no.

Delivered-To: ***@***
Received: by 10.204.113.141 with SMTP id a13cs215458bkq;
        Mon, 7 Jun 2010 14:27:23 -0700 (PDT)
Received: by 10.204.83.228 with SMTP id g36mr347934bkl.133.1275946041770;
        Mon, 07 Jun 2010 14:27:21 -0700 (PDT)
Received-SPF: softfail (google.com: best guess record for domain of transitioning **@fintan.dk does not designate **.**.***.*** as permitted sender) client-ip=**.**.***.***;
Received: by 10.188.26.13 with POP3 id 13mf159579bwz.53;
        Mon, 07 Jun 2010 14:27:21 -0700 (PDT)
X-Gmail-Fetch-Info: **@newzoo.no 3 mail.newzoo.no 110 **@newzoo.no
Return-path: <**@fintan.dk>
Envelope-to: **@newzoo.no
Delivery-date: Mon, 07 Jun 2010 14:27:17 -0700
Received: from mail-ew0-f224.google.com ([209.85.219.224]:44843)
    by cl29.gs01.gridserver.com with esmtp (Exim 4.63)
    (envelope-from <**@fintan.dk>)
    id 1OLjqk-0007P1-RP
    for mc@newzoo.no; Mon, 07 Jun 2010 14:27:17 -0700
Received: by ewy24 with SMTP id 24so1953534ewy.34
        for <**@newzoo.no>; Mon, 07 Jun 2010 14:27:13 -0700 (PDT)
Received: by 10.213.22.14 with SMTP id l14mr11377870ebb.55.1275946032661;
        Mon, 07 Jun 2010 14:27:12 -0700 (PDT)
Received: from [192.168.1.4] (cm-84.215.178.166.getinternet.no [84.215.178.166])
        by mx.google.com with ESMTPS id 13sm2910690ewy.5.2010.06.07.14.27.11
        (version=TLSv1/SSLv3 cipher=RC4-MD5);
        Mon, 07 Jun 2010 14:27:11 -0700 (PDT)
From: Moquan Chen <**@fintan.dk>
Content-Type: multipart/alternative; boundary=Apple-Mail-16--861396158
Date: Mon, 7 Jun 2010 23:27:10 +0200
References: <****5c90912060401w1a16edc8x88706159cb35caa0@mail.gmail.com>
To: **@newzoo.no
Message-Id: <F0B66FDB-42A1-4114-80A8-A5AAD6FD7C3A@fintan.dk>
Mime-Version: 1.0 (Apple Message framework v1075.2)
X-Mailer: Apple Mail (2.1075.2)
X-Spam-Status: "score=1.0 tests=HTML_MESSAGE version=3.1.7"
X-Spam-Level: *

score 4 · Accepted Answer · answered Jun 06 '10 at 19:43

4

Try changing your record from v=spf1 include:_spf.google.com ~all to v=spf1 mx include:_spf.google.com ~all

Thats what my SPF record has (note the mx addition) it should work since google's servers are the MX servers for the domain.

Also if you need the server that hosts the fintan.dk website to send emails change the record to v=spf1 a mx include:_spf.google.com ~all

answered Jun 06 '10 at 19:43

Rwky

764
1
8
17

Thank you very much for your reply! I have changed the record, but no change yet (still softfails). I'll wait 24h and see if it is a DNS update delay. – mqchen Jun 06 '10 at 21:15
If it doesn't work can you post the headers for one of the emails that's failing? – Rwky Jun 06 '10 at 22:31
Thanks for your help so far, but still no luck... It's been a little over 24h now and still I get only softfails. I have updated the question with the headers. Any ideas would be greatly appreciated. Thank you! – mqchen Jun 07 '10 at 21:33
Can you provide the IP in this line Received-SPF: softfail (google.com: best guess record for domain of transitioning **@fintan.dk does not designate **.**.***.*** as permitted sender) client-ip=**.**.***.***; I want to check it against what I see in the SPF record. – Rwky Jun 08 '10 at 11:51
Sure, the IP is: 209.85.219.224. The email I sent from is mc@fintan.dk. You may test all you want with that email address. – mqchen Jun 08 '10 at 12:08
ok well I'm stumped, if it's saying `(google.com: best guess record for domain of transitioning @fintan.dk does not designate 209.85.219.224 as permitted sender) client-ip=209.85.219.224;` That is a google IP and it's in their SPF record and yours is fine. The only other thing I can think of is that the DNS servers aren't responding with the correct SPF record, the "best guess" indicates that it may not be reading the SPF record at all. Try using an alternative nameserver. – Rwky Jun 08 '10 at 18:41
Hmm, this is very strange. I'll see if I can change nameservers, but I have had a look at some emails sent to me from employees from Accenture, Cisco, Telenor, etc. and they all softfails. I did a lookup [here][1] and compared it with a lookup of Mediatemple, who's nameservers I use and their emails passes. If you have a domain with Google Apps, could you send me an email mc@newzoo.no so that I can compare the headers and DNS records? Thank you! Nevertheless, I can't express how much appreciate your help. [1]: http://network-tools.com/default.asp?prog=express&host=fintan.dk – mqchen Jun 08 '10 at 22:59
I've sent you an email, let me know how it goes. That email address passes for me. – Rwky Jun 09 '10 at 10:19
Was this a solution? – Brian Webster Oct 04 '10 at 21:34
If I remember rightly the asker had to contact google – Rwky Oct 08 '10 at 13:10
Adding the mx worked for me with my google apps acct. – gt124 Dec 12 '11 at 22:04
This worked for me. Thanks man. +1 – AndrewL64 Jun 11 '20 at 19:23

score 0 · Answer 2 · answered Nov 19 '10 at 19:13

0

~all means soft fail. If you want to specify a hard fail you need to use -all.

http://www.openspf.org/SPF_Record_Syntax

answered Nov 19 '10 at 19:13

Bryan McLellan

1

Google Apps, SPF, softfail problem (validates with validation tools, but still softfails otherwise)

2 Answers2