0

When I send emails from my application I am getting a spf neutral error. I have been working with Google and my hosting company, but none of them can figure it out. Below is my spf record.

"v=spf1 include:s920.tmd.cloud include:mx1.tmdhosting.com include:mx2.tmdhosting.com ip4:184.154.73.81 ip4:108.178.0.170 ip4:198.143.161.162 ip4: include:_spf.google.com ~all"

Below is a snip of the email meta data.

    ARC-Authentication-Results: i=1; mx.google.com;
           dkim=temperror (no key for signature) header.i=@holyfirepublishing.com header.s=default header.b=HRuHEiL6;
           spf=neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) smtp.mailfrom=publisher@holyfirepublishing.com
    Return-Path: <publisher@holyfirepublishing.com>
    Received: from mx1.tmdhosting.com (mx1.tmdhosting.com. [108.178.0.170])
            by mx.google.com with ESMTPS id b67-v6si3713737ioj.9.2018.04.28.17.31.24
            for <test@holyfirepublishing.com>
            (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
            Sat, 28 Apr 2018 17:31:24 -0700 (PDT)
    Received-SPF: neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) client-ip=108.178.0.170;
    Authentication-Results: mx.google.com;
           dkim=temperror (no key for signature) header.i=@holyfirepublishing.com header.s=default header.b=HRuHEiL6;
           spf=neutral (google.com: 108.178.0.170 is neither permitted nor denied by best guess record for domain of publisher@holyfirepublishing.com) smtp.mailfrom=publisher@holyfirepublishing.com
    Received: from [184.154.73.81] (helo=s920.tmd.cloud) by mx1.tmdhosting.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <publisher@holyfirepublishing.com>) id 1fCaFP-0005U5-6t for test@holyfirepublishing.com; Sat, 28 Apr 2018 19:31:24 -0500

I can really use some help building my spf record.

Thanks in advance.

Edwardcode

3 Answers

3

Your domain doesn't actually have an SPF record. I don't know where you put it, but neither I nor Google can find it.

    $ host -t txt holyfirepublishing.com
    holyfirepublishing.com has no TXT record

Once you actually create an SPF record correctly, other mail servers should begin using it.

Michael Hampton
2

Include records must also be SPF TXT records. If that is not your intent, you can use `mx` if these are your MX records, or `a:host.example.com` to permit the IPv4 address of host.example.com.

Be mindful of the 10 DNS record limit. mx counts as one, regardless of the number of MX records.

These are all invalid:

    include:s920.tmd.cloud include:mx1.tmdhosting.com include:mx2.tmdhosting.com

Jacob Evans
  • Actually `mx:tmdhosting.com` OR `a:mx1.tmdhosting.com`, not `mx` with the MX. As the `ip4` mechanism already covers all these addresses, these should be removed altogether. – Esa Jokinen Apr 29 '18 at 06:53
  • I didn't look up what his MX records were, assuming they were the same. Seems like this "tmd hosting" should be doing email. :( – Jacob Evans Apr 29 '18 at 20:07
2

Your IN SPF "v=spf1 include:s920.tmd.cloud include:mx1.tmdhosting.com include:mx2.tmdhosting.com ip4:184.154.73.81 ip4:108.178.0.170 ip4:198.143.161.162 ip4: include:_spf.google.com ~all" has several problems.

  • Use TXT instead of SPF (RFC 7208, 3.1).
  • In general, you should avoid multiple includes as there is a maximum amount of DNS queries per SPF check. For the same reason, direct ip4 and ip6 directives are always the best.
  • Here, you have includes that don't contain SPF records. They should probably use a mechanism, instead. Only "include" existing SPF records.
  • You should list a server only once, preferably using ip4. As s920.tmd.cloud A 184.154.73.81, mx1.tmdhosting.com A 108.178.0.170 & mx2.tmdhosting.com A 198.143.161.162, the a mechanisms from the previous can be removed.
  • The empty ip4: is a syntax error.
  • While + for Pass is the default qualifier, I find it easier for beginners to use it to avoid confusion with the exists/include mechanisms and redirect/exp modifiers that don't have qualifiers.

We can assume you have the rest as you desire:

  • The results suggest that at least the MX 108.178.0.170 is used for outgoing mail, so probably the three IP addresses are ok.
  • The last include allows Gmail. Let's just assume you are using it for this domain.
  • ~all soft fail for rest. I agree that you shouldn't use (hard) fail before you have more experience with SPF and can be sure it won't cause any problems.

Result:

    IN TXT "v=spf1 +ip4:184.154.73.81 +ip4:108.178.0.170 +ip4:198.143.161.162 include:_spf.google.com ~all"

Esa Jokinen
  • that worked great. Can you help me explain the dkim=temperror? I think that is the last bit to get this working. – Edwardcode Apr 29 '18 at 14:20
  • Interestingly I have seen bind9 produce this warning `found SPF/TXT record but no SPF/SPF record found, add matching type SPF record`, which from my reading of it goes directly against RFC 7208. – kasperd Apr 29 '18 at 22:58
  • I created a new post for the dkim error. If anyone has any knowledge on how to fix it, you can post it here. https://serverfault.com/questions/909909/email-dkim-temperror-no-key-for-signature – Edwardcode Apr 30 '18 at 00:17
  • That's correct: another question on another error. :) – Esa Jokinen Apr 30 '18 at 05:02
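
The checks raised in the answers above (includes that point at hosts with no SPF record, the empty `ip4:`, the DNS query limit), as an added Python example that is not part of the original thread. `lint_spf`, `ZONE` and the abbreviated `_spf.google.com` value are constructed for illustration, and a dict stands in for live DNS so the check runs offline.

```python
import ipaddress
import re

# Terms that cost one DNS query each during evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(record, txt_zone):
    """Return (problems, lookups) for one SPF record string.

    txt_zone stands in for DNS: {hostname: [TXT strings]}. Only this record's
    own terms are counted; terms inside included records also count toward
    the limit of 10 in a real evaluation.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"], 0
    problems, lookups = [], 0
    for term in terms[1:]:
        body = term.lstrip("+-~?")                 # drop the qualifier
        parts = re.split(r"[:=]", body, maxsplit=1)
        name = parts[0].split("/")[0].lower()      # "a/24" -> "a"
        arg = parts[1] if len(parts) > 1 else ""
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != int(name[2]):
                    problems.append(f"{term}: wrong address family")
            except ValueError:                     # also hit by the empty "ip4:"
                problems.append(f"{term}: missing or invalid address")
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name == "include" and not any(
                txt.lower().startswith("v=spf1") for txt in txt_zone.get(arg, [])
            ):
                problems.append(f"{term}: target publishes no SPF record")
        elif name not in ("all", "exp"):
            problems.append(f"{term}: unrecognised term")
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms, limit is 10")
    return problems, lookups

# Constructed stand-in for DNS; the _spf.google.com value is abbreviated.
ZONE = {"_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"]}
ORIGINAL = ("v=spf1 include:s920.tmd.cloud include:mx1.tmdhosting.com "
            "include:mx2.tmdhosting.com ip4:184.154.73.81 ip4:108.178.0.170 "
            "ip4:198.143.161.162 ip4: include:_spf.google.com ~all")
FIXED = ("v=spf1 +ip4:184.154.73.81 +ip4:108.178.0.170 "
         "+ip4:198.143.161.162 include:_spf.google.com ~all")
```

Against live DNS, `txt_zone` would be filled from TXT queries for each include target before calling `lint_spf`.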