2

I use a single smarthost as a hub to route all email from my network so that I can pass SPF checks on Gmail. However, although I always send through the same server, the From address can differ. For instance, a cron job on the server dev.mydomain.com might generate the From address amoe@dev.mydomain.com. I use /etc/aliases to redirect this cron email to my real email address. This email uses hosted Gmail, so the MX for mydomain.com points to Gmail's servers.

However, Gmail doesn't like these From addresses, probably because they don't exactly match the SPF record which is defined on mydomain.com. I receive the message "Our system has detected that this message does not meet IPv6 sending guidelines regarding PTR records and authentication."

I don't want to have to define separate SPF records that allow my one mail server to submit email for every single subdomain that I want to allow in the From address. Instead, I'd like to allow *@*.mydomain.com, as long as it is sent through the correct server.

```
2016-12-22 14:04:17 1cK3yj-0007Wz-4I <= amoe@dev.mydomain.com H=(dev.mydomain.com) [2a01:7e00::f03c:91ff:fe79:81b] P=esmtp S=586 id=E1cK3yj-0006Nx-0y@dev.mydomain.com
2016-12-22 14:04:17 1cK3yj-0007Wz-4I ** real@mydomain.com R=dnslookup T=remote_smtp X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 DN="C=US,ST=California,L=Mountain View,O=Google Inc,CN=mx.google.com": SMTP error from remote mail server after end of data: host ASPMX.L.GOOGLE.com [2a00:1450:400c:c07::1a]: 550-5.7.1 [2a01:7e00::f03c:91ff:febb:7422] Our system has detected that this\n550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR records\n550-5.7.1 and authentication. Please review\n550-5.7.1  https://support.google.com/mail/?p=IPv6AuthError for more information\n550 5.7.1 . p21si28305523wmb.29 - gsmtp
```

I am using Exim on Debian.

[Edit: It seems the cause was the reverse DNS/PTR record.]

amoe

1 Answer

2

Since the message from Google mentions PTR records, I think that perhaps the problem is not with SPF in this exact case, but instead caused by a missing PTR record for your server. If you check the URL mentioned in the message, https://support.google.com/mail/?p=IPv6AuthError, under "Additional guidelines for IPv6", you should have a PTR record for your server (and a matching AAAA record pointing back to the same IP address). And if 2a01:7e00::f03c:91ff:febb:7422 is the IPv6 address of your server, it does not have a PTR record.

  • Wow, thanks for this. Looks like I can't read! I will set up reverse DNS and try again. – amoe Dec 22 '16 at 16:18
  • There may of course also be some SPF issues, but the current issue looks like a PTR issue. For setting up SPF you need to look at the `Mail From` envelope sender, and not the `From:` header (depending on the mail server these may be the same). You can possibly use the `include` mechanism to point the sub-domains' SPF records to a common record with the actual information. – Lars Lind Nilsson Dec 22 '16 at 16:22
  • That fixed it, now mail is being accepted by Gmail regardless of the `From` address. – amoe Dec 22 '16 at 17:13
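
The check the answer describes (a PTR record plus a matching AAAA record pointing back to the same address), as an added example that is not part of the original answer or comments. It pulls the rejected address out of a log line constructed from the question's Exim log and tests forward-confirmed reverse DNS; the function names and the injectable lookup parameters are assumptions of this example.

```python
import ipaddress
import re
import socket

# Constructed sample: abbreviated from the rejection line in the question's Exim log.
SAMPLE_LOG = (
    "... host ASPMX.L.GOOGLE.com [2a00:1450:400c:c07::1a]: "
    "550-5.7.1 [2a01:7e00::f03c:91ff:febb:7422] Our system has detected that this"
)

def rejected_ip(log_line):
    """Return the sending address Gmail quotes right after the 550-5.7.1 code."""
    m = re.search(r"550-5\.7\.1 \[([0-9a-fA-F:.]+)\]", log_line)
    return ipaddress.ip_address(m.group(1)) if m else None

def system_ptr(ip):
    """PTR lookup through the system resolver; empty list when no record exists."""
    try:
        return [socket.gethostbyaddr(str(ip))[0]]
    except (socket.herror, socket.gaierror):
        return []

def system_forward(name):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(ai[4][0].split("%")[0]) for ai in infos}

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A/AAAA must contain ip."""
    ip = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return False, f"no PTR record at {ip.reverse_pointer}"
    for name in names:
        if ip in forward_lookup(name):
            return True, f"{ip} <-> {name}"
    return False, f"PTR {names} does not resolve back to {ip}"

if __name__ == "__main__":
    print(fcrdns(rejected_ip(SAMPLE_LOG)))
```

The address Gmail quotes is the smarthost's outbound address, not the address of the host that submitted the mail, so that is the one whose PTR and AAAA records must agree.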