Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain <repipients-domain.com> by <repipients-domain.com>. [192.185.87.85].

The error that the other server returned was:
550 SPF: 209.85.214.182 is not allowed to send mail from <our-domain.com>

It seems that an SMTP server is rejecting emails from our domain, possibly because we are using a TXT DNS record for SPF as follows:

v=spf1 mx include:mail.zendesk.com ?all

Yesterday the record was just:

v=spf1 include:mail.zendesk.com ?all

I added the 'mx' part to check if that corrected the issue, but it didn't.

Can anyone please assist me in correcting this issue? We've only had this problem with a single customer, and there are no other bouncing messages from other people.

What other information would be helpful?

Edit:

The record now looks like the following, as improved by the comments:

v=spf1 include:mail.zendesk.com include:_spf.google.com ?all

We'll try resending to the "problem" domain.

gvasquez
  • Your SPF record does not say that Gmail is allowed to send mail on your behalf! – Michael Hampton Feb 26 '16 at 17:54
  • @MichaelHampton that's absolutely true but Gmail is my MX record and they have multiple addresses, how do I add it? – gvasquez Feb 26 '16 at 17:55
  • @MichaelHampton should I add another TXT record with something like: v=spf1 include:_spf.google.com ~all – gvasquez Feb 26 '16 at 17:57
  • The MX record doesn't matter. Gmail doesn't send mail via their _inbound_ mail servers! Follow [Google's directions](https://support.google.com/a/answer/178723). – Michael Hampton Feb 26 '16 at 17:57
  • Great tip @MichaelHampton !! It seems I also have to check [this](https://support.google.com/a/answer/4568483) as I need to append SPF config to an existing record – gvasquez Feb 26 '16 at 17:59
  • Do you have Postfix listening/sending on an IPv6 address? If so, have you ensured your reverse DNS entries properly resolve to the host (for both IPv4 and v6)? – warren Feb 29 '16 at 17:44

1 Answer

Michael's comment is correct: you should follow Google's recommendation and ensure you have include:_spf.google.com in your SPF record, which you've now done.

You may also want to have a conversation with the mail admins of that destination domain.

Your initial SPF record was neutral (?all). According to RFC 235235, a result of neutral must be treated as if no SPF policy was found. Thus the destination domain is choosing to break SPF, which just harms adoption.

Last but not least, you may want to consider using ~all (softfail) unless you're not confident you've authorized all your email servers. This will notify receivers to inspect email that is not authorized more carefully - without making a hard decision that requires them to fail non-authorized email.

Marco
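The following is an added example, not part of the original question or answer: it evaluates the three records from this thread against the bounced IP using a small subset of SPF (ip4, mx, include, all). The DNS data in `TXT` and `MX_ADDRS` is a constructed, simplified stand-in for live lookups, and `check_host` is a hypothetical helper, not a library API.

```python
import ipaddress

# Constructed DNS snapshot (assumption): real records differ and change over time.
TXT = {
    "mail.zendesk.com": "v=spf1 ip4:192.0.2.0/24 ~all",    # placeholder range
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ~all",  # simplified outbound range
}
# Addresses of the domain's inbound MX hosts (placeholder). Outbound Gmail
# relays such as the bounced IP are not among them.
MX_ADDRS = {"our-domain.com": ["198.51.100.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
BOUNCED_IP = "209.85.214.182"  # from the 550 response quoted in the question

def check_host(ip, domain, record=None, depth=0):
    """Evaluate mechanisms left to right; the first match decides the result."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = record if record is not None else TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg)
        elif name == "mx":
            matched = ip in MX_ADDRS.get(arg or domain, [])
        elif name == "include":
            # include matches only when the nested policy returns "pass"
            matched = check_host(ip, arg, depth=depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record has no "all"

if __name__ == "__main__":
    for rec in ("v=spf1 include:mail.zendesk.com ?all",
                "v=spf1 mx include:mail.zendesk.com ?all",
                "v=spf1 include:mail.zendesk.com include:_spf.google.com ?all"):
        print(check_host(BOUNCED_IP, "our-domain.com", rec), "<-", rec)
```

With this data the first two records end at ?all for the Gmail relay, and only the record containing include:_spf.google.com authorizes it.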