SPF Record Not Recognized – How to Fix SPF Record Not Getting Recognized for Mail Server Domain

I'm currently attempting to setup a mail server on Debian.
So far I've installed postfix and opendkim. I've also configured an FQDN, rDNS, DKIM, DMARC, and SPF, but the latter doesn't work somehow.

An SPF record for mydomain.net gets recognized, when I run an online test (e.g. mxtoolbox.com, appmaildev.com), but not for myhostname.mydomain.net (which is from where the mail gets sent). Both DKIM and DMARC test fine. myhostname.mydomain.net has A/AAAA records, as well as a MX record.
Sending mail via the mail command also works flawlessly. It arrives and doesn't end up in the Spam folder.

The FQDN was setup as 127.0.1.1 myhostname.mydomain.net myhostname in "/etc/hosts".

The SPF TXT record looks like this:
v=spf1 mx a:myhostname.mydomain.net -all

Here's my "/etc/postfix/main.cf":

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
myhostname = myhostname.mydomain.net

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

The opendkim keys were generated for mydomain.net, not myhostname.mydomain.net, but that seems to check out fine.

My DMARC TXT record is as follows:
v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1

What am I overlooking here?

Best Answer

Generally, you should set up an SPF record

for each domain you intend to send mail from (the domain name that appears in the MAIL FROM:<[email protected]> SMTP command); RFC 7208, 2.4
optionally, for each mail host that you intend to send mail from (the domain name that appears in the EHLO myhostname.mydomain.net SMTP command); RFC 7208, 2.3

You are already all set with your installation of record v=spf1 mx a:myhostname.mydomain.net -all at domain mydomain.net. All good!

Optionally (recommended), you could also install a record v=spf1 a -all at domain myhostname.mydomain.net, but this isn’t strictly necessary.

Best Answer

Related Solutions

Postfix: How to Make Email Aliases Work

Postfix rejects all incoming mail (Client host rejected: Access denied)

Related Topic