
We are setting up a site on GoDaddy's managed WordPress product. For mail to go through the contact form we must use the relay server relay-hosting.secureserver.net. Mail sent through the contact form is only ever directed internally to our own Office365 hosted mailboxes.

In order to prevent Office365 from marking the messages as spam we must update our spf record properly. The details of the message when sent to junk mail indicate the IP address 198.71.225.38 needs to be included in our spf. When we add it to our record it correctly allows spf to pass and mail flows to our inboxes. However it is possible the mail could come from various IPs used by GoDaddy.

GoDaddy provides this helpful page that describes the spf change to make. https://www.godaddy.com/help/do-i-need-spf-or-dkim-validation-to-send-campaigns-15863

When I make this change, adding include:spf.gem.godaddy.com in our record, the mail gets put into junk by Office365. The info again shows 198.71.225.38 as failing.

Received-SPF: Fail (protection.outlook.com: domain of ourdomain.com does not designate 198.71.225.38 as permitted sender)

If I trace the records down through dns I get the following results

ourdomain.com
"v=spf1 ip4:xx.xxx.xxx.xxx/27 include:spf.gem.godaddy.com include:spf.protection.outlook.com -all"

spf.gem.godaddy.com
"v=spf1 include:spf.em.secureserver.net ~all"

spf.em.secureserver.net
"v=spf1 ip4:198.71.244.0/25 ip4:198.71.245.0/25 ip4:198.71.246.0/25 ip4:198.71.247.0/25 ip4:198.71.253.0/24 ip4:198.71.254.0/24 ip4:198.71.255.0/24 ~all"

The IP block in the final record would include 198.71.225.38 so I'm not understanding where in this chain SPF would fail.

dmr83457

1 Answer

Simply: 198.71.225.38 doesn't belong to any IP blocks listed in include:spf.em.secureserver.net:

  • ip4:198.71.244.0/25
  • ip4:198.71.245.0/25
  • ip4:198.71.246.0/25
  • ip4:198.71.247.0/25
  • ip4:198.71.253.0/24
  • ip4:198.71.254.0/24
  • ip4:198.71.255.0/24 - looks like the closest, so you probably just didn't notice 255 != 225.

You could use include:secureserver.net as it has matching +ip4:198.71.225.0/24 through include:spf-ss1.domaincontrol.com, include:spf-ss2.domaincontrol.com and include:spf-ss3.domaincontrol.com, giving:

Received-SPF: pass (secureserver.net: Sender is authorized to use 'test@secureserver.net' 
    in 'mfrom' identity (mechanism 'include:spf-ss1.domaincontrol.com' matched)) 
    receiver=web1.bacb.com.au; identity=mailfrom; envelope-from="test@secureserver.net"; 
    helo=a2nlsmtp01-04.prod.iad2.secureserver.net; client-ip=198.71.225.38

and it is also exactly as described in the Guide to Edit Your GoDaddy SPF Record documentation.

Esa Jokinen
  • I literally was just talking through this with a coworker and I noticed that I misread 225 as 255 when I reviewed the information supplied to me by GoDaddy support. – dmr83457 Apr 03 '17 at 16:55
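The evaluation the answer walks through, as an added example that is not part of the original thread: a small evaluator for the ip4/include/all subset of RFC 7208, run offline over the TXT records quoted in the question. The `ourdomain.com` record is reduced to the GoDaddy include (the redacted ip4 range and the Outlook include are left out because their contents are not on the page), and the function and variable names are this example's own.

```python
import ipaddress

# TXT records quoted in the question, used as an offline stand-in for DNS.
# "ourdomain.com" is reduced to the GoDaddy include (assumption): the redacted
# ip4 range and the Outlook include are omitted, their contents are not on the page.
RECORDS = {
    "ourdomain.com": "v=spf1 include:spf.gem.godaddy.com -all",
    "spf.gem.godaddy.com": "v=spf1 include:spf.em.secureserver.net ~all",
    "spf.em.secureserver.net": (
        "v=spf1 ip4:198.71.244.0/25 ip4:198.71.245.0/25 ip4:198.71.246.0/25 "
        "ip4:198.71.247.0/25 ip4:198.71.253.0/24 ip4:198.71.254.0/24 "
        "ip4:198.71.255.0/24 ~all"
    ),
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS, trace=None, depth=0):
    """Evaluate the ip4/include/all subset of RFC 7208 for one client IP."""
    trace = trace if trace is not None else []
    if depth > 10:  # guard against include loops
        return "permerror", trace
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", trace
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner, _ = check_host(ip, arg, records, trace, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror", trace
            matched = inner == "pass"  # softfail inside an include is "no match"
        elif name == "all":
            matched = True
        else:
            return "permerror", trace  # mechanism outside this example's subset
        trace.append((domain, term, matched))
        if matched:
            return QUALIFIERS[qualifier], trace
    return "neutral", trace


if __name__ == "__main__":
    result, steps = check_host("198.71.225.38", "ourdomain.com")
    for domain, term, matched in steps:
        print(f"{domain:26} {term:36} {'match' if matched else 'no match'}")
    print("result:", result)
```

The included record ends in `~all`, but an include only matches when the inner evaluation returns pass, so the relay's address falls through to the outer `-all`, which is why the header reports Fail rather than SoftFail.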