GMX.net SPF problem

heininger

Hi,

just got an error mail from gmx.net.

Code:
553 5.7.1 According to the domain's SPF record your host 'xxx.xxx.xxx.xxx' is not a designated sender.

The SPF DNS entry is ...

Code:
domain.at text "v=spf1 ~all"


Any hints?


TIA,
Mike
 
In my humble opinion, in these early days of implementation of SPF, any mailserver not accepting mail with ~all is being overly cautious and will drop a lot of legitimate email.

That said, you still have to get to them.

I'll recommend to DA that they create a slightly more sophisticated SPF record, but in the meantime, if you're the system admin you can do it yourself:

Do you have this file:

/usr/local/directadmin/data/templates/custom/named.db

If not, create it this way (note that the # is not to be entered; it's just to show you that these commands are entered as root):
Code:
# cd /usr/local/directadmin/data/templates/custom
# cp -p ../named.db .
Then edit the file named.db in the custom subdirectory as follows:

Find the line:

|DOMAIN|. IN TXT "v=spf1 -all"

or

|DOMAIN|. IN TXT "v=spf1 ~all"

and change it to:

|DOMAIN|. IN TXT "v=spf1 a mx ip4:12.34.56.78 ~all"

of course replacing 12.34.56.78 with your system's main IP#.

Then issue the following command to rewrite all zone files according to the new template:
Code:
# echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue
Jeff
 
With that change (which DA has agreed to add to the standard template), it should allow all email coming from your DA box as the mailserver.

It may still not accept email coming from your ISP with your domain name in the return address, but if not, then there's nothing you can do about it.

Jeff
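
To make the behaviour of the records discussed above concrete, here is an added example (not part of the original posts, and not DirectAdmin or GMX code): a small evaluator for the SPF subset used in this thread (a, mx, ip4, all). The DNS table, example.test and 198.51.100.7 are constructed for illustration; 12.34.56.78 is the placeholder address from the post above.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (assumption, not real data).
DNS = {
    "A": {"example.test": ["12.34.56.78"], "mail.example.test": ["12.34.56.78"]},
    "MX": {"example.test": ["mail.example.test"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _hosts(mech, domain):
    """Addresses authorised by an 'a' or 'mx' mechanism for the domain."""
    name, _, target = mech.partition(":")
    target = target or domain
    if name == "a":
        return DNS["A"].get(target, [])
    return [ip for mx in DNS["MX"].get(target, []) for ip in DNS["A"].get(mx, [])]

def check_spf(record, sender_ip, domain):
    """Evaluate the SPF subset used in this thread: a, mx, ip4, all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:  # mechanisms are tried left to right; first match wins
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.split(":")[0] in ("a", "mx"):
            matched = str(ip) in _hosts(mech, domain)
        else:
            return "permerror"  # include, ptr, redirect etc. are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term

if __name__ == "__main__":
    for rec in ("v=spf1 ~all", "v=spf1 -all", "v=spf1 a mx ip4:12.34.56.78 ~all"):
        for ip in ("12.34.56.78", "198.51.100.7"):  # the server vs. a constructed ISP relay
            print(f"{rec!r:40} {ip:14} -> {check_spf(rec, ip, 'example.test')}")
```

A record containing only `~all` or `-all` authorises no host at all, so even the domain's own server gets softfail or fail; with the expanded record the server passes, while a relay at another address still softfails.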
 
My provider states that he manually changed the spf records as described above. However I'm still not able to send mail to several providers due to wrong spf records. He claims it's a bug in DA and can't be solved.
How is this possible?
 
max3d said:
> My provider states that he manually changed the spf records as described above.

I'm not sure what you mean by "provider". Do you mean your webhosting provider?

> However I'm still not able to send mail to several providers due to wrong spf records. He claims it's a bug in DA and can't be solved.

I doubt any bug in DA is causing this, as I've had no problem setting up reasonable spf TXT records. If by provider you mean your DA hosting provider, then it's more likely that s/he's not creating a custom template but rather just changing your own record, and letting DA overwrite it incorrectly.

If you let us know your domain, perhaps we can look it up for you and give you some ideas.

Jeff
 
Sorry for the confusion. With provider I meant the system administrator of the DA machine. I just rent space on it. My url is www.studiopc.com. Hope this is sufficient info.
 
Your spf record is:

studiopc.com text = "v=spf1 -all"

It needs to have ~all and not -all.

Complete instructions your webhost provider can use to fix it are in my first response to the thread.

If he does it any other way, then DA will write over the changes with -all again.

Jeff
 
great

It works great. I want to make a comment on your posts. It seems that you are putting a lot of work into helping others out. I think it's great, you know your stuff and are willing to share. It's much appreciated from my side, and I think from others too. Although I think you know this already, I found it needed to say it :). Thx m8
 
Thanks for your comments, Redeye.

I try very hard to be helpful whenever I can and time permits.

Our primary business is supporting webhost companies. While we do webhosting, it makes up less than 10% of our business.

Jeff
 
I have added ...

Code:
|DOMAIN|. IN TXT "v=spf1 a mx ip4:12.34.56.78 ~all"

to the template (IP address corrected).

As this has not worked for my customer I have also added the IP of the virtual host of the customer.

Code:
|DOMAIN|. IN TXT "v=spf1 a mx ip4:12.34.56.78 ip4:12.34.56.79 ~all"

Unfortunately I have not gotten any response from my customer as to whether this helped.

I'll keep you posted.

Thanks for the great support anyway ;-)

Mike
 
If mail from your server is what's being returned, then your main server IP# is all you should need. However many ISPs block outgoing email or redirect it to their own servers, so your email may be getting to gmx.net from your ISP's mail server.

Remember that your spf (txt) record may take up to 24 hours or so to be updated across the net, just as are other DNS records.

If you send me an email (address in my sig) and also post here at the same time I'll look at the headers and within 24 hours after getting your email I'll post back the IP# you need to use.

Have you tried writing [email protected]? Postmaster email, by RFC, must be accepted. So...

If mail to [email protected] is refused, then you should send the entire refusal message, including all headers from them and from you, if any, to rfc-ignorant.org, so many domains on the net will then refuse their email. Perhaps that will give them some clue.

Jeff
 