I have the following DMARC record set up:

v=DMARC1; p=none; rua=mailto:rua@mydomain.com; ruf=mailto:ruf@mydomain.com; sp=none; fo=0:1:d:s

I have the following SPF record set up:

v=spf1 mx -all

The MX record has 3 IP addresses.

One of those IP addresses in the MX record is used to send emails from. The majority of those emails align with DMARC well (last month, 312k emails were aligned). However, the same IP address also shows some failure reports (700 emails failed DMARC).

When I look at the reason, it says "mail.mydomain.com" -- SPF not set.

My DMARC record is set to be in relaxed mode (emails from subdomains pass the DMARC check).

What could be the reason for those emails to fail? How can I avoid this? Should I add an SPF record under mail.mydomain.com subdomain?

  • You can set up a catch-all SPF record for subdomains. Set up a TXT record for *.example.com with the value `v=spf1 redirect=example.com` (the `=` is not a typo and redirect does not need an `all`.) Provided the subdomain has no other text records it will resolve and redirect. Keep in mind redirects count as a lookup so your primary record can never exceed 9/10 or your subdomains will error on max lookups. – omniomi Jun 25 '19 at 15:37

2 Answers

The email address in the envelope.from (a.k.a. bounce address or return-path or smtp.mailfrom) is set to use the email domain of mail.mydomain.com. If no SPF record is set for mail.mydomain.com, the described error will be returned.

Or: There is no address specified in the envelope.from field, which results in an HELO lookup for the hostname of the sending server.

This behavior can very well be the result of bounces sent back from your server to the original sender. In which case, quite often the original envelope.from address is stripped and the hostname of the email server is checked for an SPF record.

This last situation is easily fixed by setting an SPF record for the name with which your mail servers set up communication (HELO name). In your case probably mail.mydomain.com.

For more information about which checks are performed and about the HELO check, please see the RFC on SPF, sections 2.3 and 2.4.

Reinto
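To make the two mechanisms in this answer and in omniomi's comment concrete (the HELO fallback for an empty MAIL FROM, and `redirect=` consuming one of the ten permitted lookups), here is an added offline walkthrough; it is example code, not anything from the original post. It uses a constructed, hypothetical zone for `mydomain.com` (the three MX IPs, the `v=spf1 mx -all` apex record, and a `mail.mydomain.com` name with no SPF record), and it treats "last two labels" as the organizational domain, which is a simplification of the real public-suffix rule.

```python
"""SPF evaluation plus DMARC SPF-alignment over constructed DNS data (runs offline)."""

# Constructed zone data modelled on the question's setup (hypothetical names and IPs).
MX_IPS = {"mydomain.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}
TXT = {"mydomain.com": ["v=spf1 mx -all"], "mail.mydomain.com": []}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms (mx, a, include, redirect, ...)
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=TXT, mx=MX_IPS, lookups=0):
    """Minimal evaluator for mx, ip4:, all and redirect=. Returns (result, lookups)."""
    recs = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if len(recs) > 1:
        return "permerror", lookups  # more than one SPF record is invalid
    if not recs:
        return "none", lookups  # what the asker's reports call "SPF not set"
    for term in recs[0].split()[1:]:
        q, term = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        if term == "mx" or term.startswith("redirect="):
            lookups += 1  # both consume one of the ten permitted DNS lookups
            if lookups > MAX_LOOKUPS:
                return "permerror", lookups  # the failure mode omniomi's comment warns about
        if term == "mx" and ip in mx.get(domain, []):
            return QUAL[q], lookups
        if term.startswith("ip4:") and term[4:] == ip:
            return QUAL[q], lookups
        if term == "all":
            return QUAL[q], lookups
        if term.startswith("redirect="):  # the target's result replaces this record's
            return check_spf(ip, term[9:], txt, mx, lookups)
    return "neutral", lookups  # no match and no all/redirect

def org_domain(name):
    """Organizational domain; 'last two labels' simplifies the public-suffix rule."""
    return ".".join(name.split(".")[-2:])

def dmarc_spf(ip, mail_from_domain, helo, from_domain, aspf="r", txt=TXT, mx=MX_IPS):
    """DMARC's SPF leg: evaluate the identity SPF actually used, then test alignment."""
    # RFC 7208 s2.4: an empty MAIL FROM (bounces, DSNs) is checked as postmaster@<HELO>
    ident = mail_from_domain or helo
    result, lookups = check_spf(ip, ident, txt, mx)
    aligned = (ident == from_domain if aspf == "s"
               else org_domain(ident) == org_domain(from_domain))
    return {"identity": ident, "spf": result, "aligned": aligned,
            "dmarc_spf_pass": result == "pass" and aligned, "lookups": lookups}

# Fix from the comments: give the HELO name a record redirecting to the apex domain
# (a *.mydomain.com wildcard TXT would synthesize this for every subdomain).
FIXED_TXT = dict(TXT, **{"mail.mydomain.com": ["v=spf1 redirect=mydomain.com"]})
```

With the original zone a bounce from the MX host (empty MAIL FROM, HELO `mail.mydomain.com`) yields SPF `none`, which is the "SPF not set" failure in the question; with `FIXED_TXT` the same bounce passes SPF via the redirect and aligns under relaxed mode, using two lookups.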
Should I add an SPF record under mail.mydomain.com subdomain?

Yes, you should; it's best practice, and the receiving MX may well have not just DMARC but other milters filtering based on SPF / DKIM.

In theory DMARC makes allowances for comparing an email from a subdomain against the SPF record of the domain (you might want to add 'aspf=r;'), but the specification for SPF states you should have an SPF record for each and every subdomain - even if just to try and prevent others from sending spam from those domains.

Similarly DKIM alignment should ideally match subdomain (again, DMARC policy can make allowances (you might want to add 'adkim=r;')) which would again be best practice to allow that alignment.

Also: You would probably be better off removing "mx" from the SPF and replacing it with the IP addresses of your MX, as this mitigates the potential for a DNS lookup failure impacting email delivery.

Beyond that, I'd be interested to know how you get on!

Allan Wallace