Why Are SPF Records Failing – Valuable Tech Notes

Ok I've been going through various different sites, resources and topics here trying to figure out what is wrong with my SPF records but no matter what I do they don't seem to pass. Here's what I have

"v=spf1 +a +mx +ip4:217.78.0.92 +ip4:217.78.0.95 -all"

I've tried multiple different tools to check my spf records, some give me a pass, some don't. But I can't send mail to certain google app accounts, they just bounce back all the time which is very annoying.

Anyone got any ideas?

I have noticed that the source IP address is not the IPV4 addresses I've defined, but Cpanel wouldn't let me add that address into it..

And here's the result of tests I'm getting back from port25.com. I'm running WHM by the way and have enabled spf and dkim.

Summary of Results
==========================================================
SPF check:          fail
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    fail
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname:  server1.viralbamboo.com
Source IP:      2a01:258:f000:6:216:3eff:fe87:9379
mail-from:      ###@viralbamboo.com
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         fail (not permitted)
ID(s) verified: smtp.mailfrom=###@viralbamboo.com
DNS record(s):
    viralbamboo.com. SPF (no records)
    viralbamboo.com. 13180 IN TXT "v=spf1 +a +mx +ip4:217.78.0.92 +ip4:217.78.0.95 -all"
    viralbamboo.com. AAAA (no records)
    viralbamboo.com. 13180 IN MX 0 viralbamboo.com.
    viralbamboo.com. AAAA (no records)
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=###@viralbamboo.com
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: ###@viralbamboo.com).
ID(s) verified: header.d=viralbamboo.com
Canonicalized Headers:
    content-type:multipart/alternative;'20'boundary="_4783D1BE-5685-41CF-B91B-1F15E91DD1E3_"'0D''0A'
    date:Mon,'20'1'20'Jul'20'2013'20'21:30:47'20'+0000'0D''0A'
    subject:=?utf-8?Q?test?='0D''0A'
    to:"=?utf-8?Q?check-auth@verifier.port25.com?="'20'<check-auth@verifier.port25.com>'0D''0A'
    from:=?utf-8?Q?Rob_Boland_-_Viralbamboo?='20'<###@viralbamboo.com>'0D''0A'
    mime-version:1.0'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=viralbamboo.com;'20's=default;'20'h=Content-Type:Date:Subject:To:From:MIME-Version;'20'bh=CJMO7HYeyNVGvxttf/JspIMoLUiWNE6nlQUg5WjTGZQ=;'20'b=;

Here's some updated header information from the bounced mail

 Return-path: <> Envelope-to: ###@viralbamboo.com Delivery-date: Tue,
02 Jul 2013 10:43:56 +0000 Received: from mailnull by
server1.viralbamboo.com with local (Exim 4.80.1)    id 1Uty3w-00066P-N8
    for ###@viralbamboo.com; Tue, 02 Jul 2013 10:43:56 +0000
 X-Failed-Recipients: ###@dovetail-consultancy.com Auto-Submitted:
 auto-replied From: Mail Delivery System
 <Mailer-Daemon@server1.viralbamboo.com> To: ###@viralbamboo.com
 Subject: Mail delivery failed: returning message to sender Message-Id:
 <E1Uty3w-00066P-N8@server1.viralbamboo.com> Date: Tue, 02 Jul 2013
 10:43:56 +0000

 This message was created automatically by mail delivery software.

 A message that you sent could not be delivered to one or more of its
 recipients. This is a permanent error. The following address(es)
 failed:

   ###@dovetail-consultancy.com
     No Such User Here


 ------ This is a copy of the message, including all the headers. ------
 Return-path: <###@viralbamboo.com>
 Received: from [95.83.252.138] (port=42365 helo=[10.53.48.3])
  by server1.viralbamboo.com with esmtpsa (TLSv1:RC4-MD5:128)
  (Exim 4.80.1)
  (envelope-from <###@viralbamboo.com>)
  id 1UtwFB-0006in-Pr
  for dillon@dovetail-consultancy.com; Tue, 02 Jul 2013 08:47:26 +0000
 To: "=?utf-8?B?ZGlsbG9uQGRvdmV0YWlsLWNvbnN1bHRhbmN5LmNvbQ==?=" <###@dovetail-consultancy.com>
 From: "=?utf-8?B?Um9iIEJvbGFuZA==?=" <###@viralbamboo.com>
 Subject: =?utf-8?B?VGVzdGluZw==?=
 Date:  Tue, 02 Jul 2013 09:47:23 +0100
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary="----=_Part_0_1372754843827"
 ------=_Part_0_1372754843827
 Content-Type: text/plain;
  charset=utf-8
 Content-Transfer-Encoding: base64
 Content-Disposition: inline
 VGhpcyBpcyBhIHRlc3QgbWFpbAoK

 ------=_Part_0_1372754843827
 Content-Type: text/html;
  charset=utf-8
 Content-Transfer-Encoding: base64
 Content-Disposition: inline
 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEvL0VOIiAiaHR0cDov
 L3d3dy53My5vcmcvVFIvaHRtbDQvc3RyaWN0LmR0ZCI+CjxodG1sPjxoZWFkPjwvaGVhZD48Ym9k
 eT48ZGl2IHN0eWxlPSJmb250LXNpemU6IDEycHQ7IGZvbnQtZmFtaWx5OiBDYWxpYnJpLHNhbnMt
 c2VyaWY7Ij5UaGlzIGlzIGEgdGVzdCBtYWlsJm5ic3A7PC9kaXY+PC9ib2R5PjwvaHRtbD48YnI+

 ------=_Part_0_1372754843827--

Update 2
Here is some updated results from openspf.net
Isn't HELO Result = 'None' meant to be 'Pass'?

spf-test@openspf.net
    SMTP error from remote mail server after RCPT TO:<spf-test@openspf.net>:
    host mailout02.controlledmail.com [72.81.252.18]:
    550 5.7.1 <spf-test@openspf.net>: Recipient address rejected:
    SPF Tests: Mail-From Result="pass": Mail From="rob@viralbamboo.com" HELO name="server1.viralbamboo.com" HELO Result="none" Remote IP="217.78.0.92"

Best Answer

According to the port25.com test results you post above, you're sending from an ipv6 address, but there are no v6 addresses in your SPF record. Try adding +ip6:2a01:258:f000:6:216:3eff:fe87:9379.

Or, presuming that you have a whole subnet of senders, try adding +ip6:2a01:258:f000:6::/64 (or whatever is appropriate for the network you control).

Edit:

I'm not sure what port25.com is complaining about. I just tried viralbamboo.com on the SPF validity checker at http://www.kitterman.com/spf/validate.html, as linked directly from http://www.openspf.org/Tools, and it said it was valid, including the new +ip6: record element. I can only assume port25.com haven't yet got comfy with ipv6; they'd hardly be the first people not to have fully tested their v6 code.

As for the openspf.net email test, that's correct. You get a pass on your sender address, because you're complying with your own SPF policy for viralbamboo.com; but there is no SPF record for the hostname announced in your HELO, server1.viralbamboo.com, so no result can be announced for the correctness of that record.

Edit 2: you've made it clear that you know the address you're sending to does really exist, so this is one of those deeply annoying mail servers that, for whatever reason, has decided you're sending spam, and responds by denying the existence of the remote user. I don't know why google has decided this particular message is spam, but I think we've established it's not to do with your SPF setup.

Good luck to dovetail-consultancy.com in getting google to tell them why they're refusing these messages. I think they're about to discover why it's not such a great idea to outsource business email to an unpaid provider, or indeed, to outsource it at all.

Best Answer

Related Solutions

Emails are going to spam

Permerror when testing multiple SPF records for Google Apps and MailChimp

Related Topic