
I'm trying to verify the mail sent by our server. With our current DNS settings, sending mail from our server shows an SPF Neutral response.

I tried adding a combination of my server's IP and Domain.

v=spf1 a mx ipv4:XXX.XX.XXX.XX -all
v=spf1 include:mydomain.com -all

Both these records showed no change, all mail sent from the server was still Neutral. So I tried combining all my existing SPF records like so:

v=spf1 a mx include:mydomain.com ipv4:XXX.XX.XXX.XX include:cmail1.com include:mail.zendesk.com -all

I tested sending mail again and now get an SPF Fail response.

I've looked extensively online and I can't see how to fix my DNS entries so I can get a PASS on the SPF records. I don't know if I need additional CNAME, A, MX, or I'm missing something entirely.

I'm using a Plesk server with a fixed IPv4 address and using CloudFlare to manage my DNS and Name Servers.

Here is what a full fail response looks like:

SPF:    FAIL with IP XXX.XX.XXX.XX
spf=fail (google.com: domain of accounts@mydomain.com does not designate XXX.XX.XXX.XX as permitted sender) smtp.mailfrom=accounts@mydomain.com
Received-SPF: fail (google.com: domain of accounts@mydomain.com does not designate XXX.XX.XXX.XX as permitted sender) client-ip=XXX.XX.XXX.XX;
spf=fail (google.com: domain of accounts@mydomain.com does not designate XXX.XX.XXX.XX as permitted sender) smtp.mailfrom=accounts@mydomain.com
Maurice
  • What does the TTL on your DNS records look like? How long did you wait to test after making the changes? – Zypher Jun 14 '17 at 02:51
  • FIXED. I just spent forever talking to my provider and we couldn't figure out why it wasn't working. Be careful! I copied my code from a site which said to use ipv4, it should be ip4! (no v) – Maurice Jun 14 '17 at 03:28
  • Damn, I totally missed that too. If you put that as a self-answer it'll help others who come by later see it :) – Zypher Jun 14 '17 at 03:35

2 Answers

FIXED. I just spent forever talking to my provider and we couldn't figure out why it wasn't working.

Be careful! I copied my code from a site which said to use ipv4, it should be ip4! (no v)

Maurice

While fixing your single syntax error (ipv4 instead of ip4) seems to have fixed your problem, it's still not the only problem with your SPF record. That's why it's always a good idea to read the official documentation to understand the issue.

  • The first one you figured out already in your question by trial and error, but RFC 7208 3.2 is the source that tells it clearly: you should combine your SPF rules for a single hostname as a single TXT record.

    A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record.

  • You should understand what the include mechanism actually does: the specified domain is searched for a match, i.e. looked up for more SPF rules. Your include:mydomain.com suggests that you try to use it like a mechanism. If this is in the mydomain.com. TXT, it's a reference that tries to include itself!

    You should also revise all your other includes and see that they actually have an SPF record. You should only include existing records.

    Warning: If the domain does not have a valid SPF record, the result is a permanent error. Some mail receivers will reject based on a PermError.

  • If your a or mx resolves to the same IP address as ip4, they are unnecessary and should be removed. List a server only once.

    Ultimately, SPF lookups resolve to an IP address.

If the server's IP rarely changes, consider using the ip4:x.x.x.x (or ip6) notation so recipients can avoid DNS lookups entirely. Since there is a limit of 10 DNS lookups per SPF record, specifying an IP address or address range is preferable for long lists of outgoing mail servers.

Often an SPF record can be condensed down to something like v=spf1 ip4:x.x.x.x -all if there is only one outgoing mail server.

Reading through both the linked articles for SPF syntax and common mistakes is a really good overview of the whole subject. The linked RFC adds all the technical details, if you are also interested in how it works.

Esa Jokinen
  • Great points, thank you Esa. I did remove the mydomain.com include as I realised fairly quickly this was totally wrong. – Maurice Jun 16 '17 at 04:04
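As an added example (not code from the question or from either answer), a small Python linter that catches the mistakes discussed on this page before a record is published: the misspelt ipv4 mechanism, an include of the record's own domain, more than one v=spf1 record at one domain, a malformed ip4/ip6 argument, and more than 10 lookup-causing terms. It does no DNS; the records are constructed inline, with 192.0.2.10 standing in for the asker's masked address.

```python
import re
from ipaddress import ip_network

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 limits them to 10 per check.
LOOKUP_TERMS = {"a", "mx", "include", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
# optional qualifier (+ - ~ ?), then the term name, then an optional argument
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.+))?$", re.IGNORECASE)


def lint_spf(domain, txt_records):
    """Return a list of findings for the TXT strings published at `domain` (no DNS done)."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"found {len(spf)} v=spf1 records, expected exactly one (RFC 7208 3.2)")
    if not spf:
        return findings
    lookups = 0
    for term in spf[0].split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            findings.append(f"cannot parse term {term!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name not in KNOWN_TERMS:  # e.g. 'ipv4' from the question
            findings.append(f"unknown mechanism {name!r} in {term!r} (did you mean ip4 or ip6?)")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include" and arg and arg.rstrip(".").lower() == domain.rstrip(".").lower():
            findings.append(f"{term!r} includes the record's own domain")
        if name in ("ip4", "ip6") and arg:
            try:
                ip_network(arg, strict=False)  # accepts a single address or a CIDR range
            except ValueError:
                findings.append(f"{term!r} is not a valid address or CIDR range")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    # Constructed records modelled on the question; mydomain.com is the asker's placeholder.
    cases = {
        "first attempt": ["v=spf1 a mx ipv4:192.0.2.10 -all"],
        "two records at once": ["v=spf1 a mx ip4:192.0.2.10 -all", "v=spf1 include:mydomain.com -all"],
        "combined": ["v=spf1 a mx include:mydomain.com ip4:192.0.2.10 include:cmail1.com include:mail.zendesk.com -all"],
        "fixed": ["v=spf1 ip4:192.0.2.10 include:cmail1.com include:mail.zendesk.com -all"],
    }
    for label, records in cases.items():
        print(label, "->", lint_spf("mydomain.com", records) or ["ok"])
```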