Kitz Forum

Internet => Web Browsing & Email => Topic started by: Weaver on November 24, 2018, 05:48:52 AM

Title: DMARC or SPF problem
Post by: Weaver on November 24, 2018, 05:48:52 AM
I sent Burrakucat an email and luckily his email system sent me a notification message warning me about a related failure against my published DMARC policy for my domain.

I have an SPF declaration that is v=spf1 mx -all and this is supposed to cover sending through Andrews & Arnold’s email servers and no others. On this occasion I certainly wasn’t going outside this very strict policy and sending by some other route. (I’ve reviewed possible situations where email might be sent by other means as I realise that having it set so strictly could be a problem.)

I suspect this SPF declaration is a bit dodgy. I need to re-read the docs as I can’t remember what happens if there are multiple sending servers. Can the senders’ domain names be * or only Or have I got this totally wrong, as AA might have lots of servers with who-knows what domain names, so perhaps I should specify * if that’s possible, or specify the whole of AA’s IPv4 and IPv6 ranges (if known) instead of DNS names?

I am not aware of any SPF ‘include’ that AA makes available to users, but using an include would be the safest, most future-proof thing to do as then I don’t have to know what AA’s mail servers are. I used an include with my previous mail service provider.

Title: Re: DMARC or SPF problem
Post by: d2d4j on November 24, 2018, 08:31:21 AM
Hi weaver

This is a hard one without more information which is not advised to show on a forum

I presume you do not use dkims as you have not mentioned it

So without more detail, it is hard to know what the issue is, as it could be a forwarder on bcats email where an spf record should hard fail as an example. Note I am not stating this is the issue, just showing an example which could cause failure.

The best advice is to use an online dmarc/spf test to show where it is failing

Have you been checking your dmarc reporting email address to see its usage

Lastly, I always prefer include for spf, but understand if you have too many, spf checking stops at a defined number of lookups, which could cause a spf failure

Many thanks

Title: Re: DMARC or SPF problem
Post by: Weaver on November 24, 2018, 11:55:46 AM
I don’t use dkims. The notification email gave a bit of info including a delivery report for the email it got. I used an online tool to check the DMARC and SPF declarations to see if I had got anything wrong. I am assuming that the actual SMTP server used by AA to send the email did not match against my SPF. It just lists and I am wondering if that is far too narrow, maybe there are umpteen servers that send mail. Perhaps there is a group that can be reached by users who want to hand over outbound mail and the users reach all those servers through that one domain name, but what if the actual sending servers also have other names and ptr lookup matches the individual names or whatever? Could that be it? The servers have two names or more? Perhaps I should be tackling the problem of identifying possible senders in the SPF in a different fashion? By IP address range? Or by a wildcarded domain name? Is * possible?

It’s a long time since I read up on this stuff and I have forgotten everything. The pain drugs certainly do not help in this regard, memory and concentration absolutely completely shot.

Title: Re: DMARC or SPF problem
Post by: Chrysalis on November 24, 2018, 12:00:45 PM
I will pm you my email address, send me an email, I will then examine the headers and advise from there, sounds good?

According to this, that one hostname should be enough, but please send the email to the address I messaged you and I will check the headers.

Title: Re: DMARC or SPF problem
Post by: Weaver on November 24, 2018, 12:33:28 PM
Chrys, I did consult that same webpage, the AA official servers list. I emailed them last night to ask about SPF, but they haven’t got back to me yet, it is a weekend. That is the thing I don’t understand, what if ‘’ is merely the correct overall thing for AA’s users to use to hand off outbound email to, but the names of the actual servers that do it, either the names that they self-identify with in transactions or the names that come up in PTR lookups could be different, names that identify individual servers within * Can a PTR lookup return multiple answers?

I had published a maximally strict DMARC declaration and it was that that was causing the problem notification report to be triggered. I then removed the DMARC declaration for now, and re-sent the email, to see if it would now get through, although I wondered if it still might fail because of cached info. So you will not see any DMARC declaration at the moment, and won’t be able to look at the effects. Just in case you might be wondering where it had gone.

My wife has not reported any problems and she sends quite a lot of email.

Last February I had to move my email in a hurry, from my dearly-loved and much lamented UKServers Ltd, to AA, when UKServers got bought up by someone whom I had never heard of and was therefore not prepared to trust with a load of totally critical stuff. I anticipated there would be various problems due to my mistakes made in changing things over particularly as it was done in such a tearing hurry, and I certainly did get a few things very wrong at the time. Not having an include available to use in the SPF, I am now wondering if I have just been winging it, with no official pronouncement on how to do the guaranteed right thing. I did suggest to AA that they might want to officially document the correct SPF recipe, also suggested they even consider having a thing to automatically add various sorts of SPF declarations (optionally) for users who host DNS with AA and send their mail through them. This is something that UKServers had in their user-DNS setup thing, a button that you could just hit which would start you off with a DNS TXT SPF record. (How strict the declaration is depends on the user’s situation of course, and on whether they send email through other routes sometimes, as doing so would cause a problem.)

Title: Re: DMARC or SPF problem
Post by: Chrysalis on November 24, 2018, 02:48:17 PM
I got the email, it arrived from an ip which is one of the ips listed on and passed the SPF check.

The SPF record also authorises the MX records as well.

So there is no issue with the SPF record.

Title: Re: DMARC or SPF problem
Post by: Weaver on November 24, 2018, 05:44:47 PM
I think I have solved it. Burrakucat sent me some more info. One of his machines redirected the email to somewhere else. This broke the DMARC + SPF origin policy as it no longer originated from AA. So I suspect I have been hunting a red herring, a non-issue, and you showed that the SPF is ok.

It’s an interesting point though, what happens about redirecting stuff? And what are the definitions of ‘redirect’ and ‘origin’ etc. There ought to be some way of doing what is required without sinning in the DMARC + SPF sense.

Title: Re: DMARC or SPF problem
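The thread touches three mechanics that are easier to see in code than in prose: how a `v=spf1 mx -all` record is evaluated against the connecting IP, why d2d4j's warning about the lookup limit matters for `include:` chains, and why a forwarder re-sending the message makes the same record fail (the forwarder's address is now the "origin", so `-all` matches and a strict DMARC policy rejects). The evaluator below is an added example written for this thread, not code from any of the posters or from Andrews & Arnold; the zone data is constructed (example.org, mail.example.org, _spf.isp.example and the documentation IP ranges stand in for a user domain and its provider), `ptr` and `exists` are not implemented, and the DMARC check is reduced to SPF-pass plus strict domain alignment with DKIM ignored, exactly as in Weaver's setup.

```python
"""Minimal SPF evaluator plus a simplified DMARC verdict, run over a
constructed in-memory DNS table so it needs no network access.
Added illustration for the forum thread; not the posters' or AA's code."""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: at most 10 DNS-querying mechanisms per check

# Constructed zone data (assumed names and documentation-range addresses).
DNS = {
    "example.org":       {"TXT": ["v=spf1 mx -all"], "MX": ["mail.example.org"]},
    "mail.example.org":  {"A": ["192.0.2.25"]},
    "included.example":  {"TXT": ["v=spf1 include:_spf.isp.example -all"]},
    "_spf.isp.example":  {"TXT": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"]},
}
# A constructed include chain 12 deep: it crosses the 10-lookup limit,
# so evaluating chain0.example must end in permerror rather than pass.
for i in range(12):
    DNS[f"chain{i}.example"] = {"TXT": [f"v=spf1 include:chain{i + 1}.example -all"]}
DNS["chain12.example"] = {"TXT": ["v=spf1 ip4:198.51.100.1 -all"]}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get(name, {}).get(rtype, [])


def get_spf(domain):
    """Exactly one v=spf1 TXT record is valid; zero means result 'none'."""
    recs = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if not recs:
        return None
    if len(recs) > 1:
        raise ValueError("multiple SPF records")
    return recs[0]


def check_host(ip, domain, _count=None):
    """Evaluate domain's SPF record against the connecting address `ip`.
    Returns pass / fail / softfail / neutral / none / permerror."""
    count = _count if _count is not None else [0]   # shared across includes
    addr = ipaddress.ip_address(ip)
    try:
        record = get_spf(domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("a", "mx", "include", "ptr", "exists"):
            count[0] += 1                      # these mechanisms cost a DNS lookup
            if count[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            inner = check_host(ip, arg, count)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"          # include matches only on pass
        elif mech in ("a", "mx"):
            target = arg or domain
            hosts = lookup(target, "MX") if mech == "mx" else [target]
            matched = any(str(addr) in lookup(h, "A") + lookup(h, "AAAA") for h in hosts)
        else:
            return "permerror"                 # ptr/exists/unknown: not handled here
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no 'all' term present


def dmarc_verdict(header_from, mail_from, ip, policy="reject"):
    """Simplified DMARC: SPF must pass and the MAIL FROM domain must align
    with the From: header domain (strict alignment). DKIM is ignored."""
    spf = check_host(ip, mail_from)
    aligned = spf == "pass" and mail_from == header_from
    return {"spf": spf, "aligned": aligned, "disposition": "none" if aligned else policy}


if __name__ == "__main__":
    # Direct delivery from the provider's MX: passes and aligns.
    print("direct   ", dmarc_verdict("example.org", "example.org", "192.0.2.25"))
    # Same message re-sent by a forwarder at a constructed third-party address:
    # the connecting IP is no longer covered by 'mx', so '-all' fires.
    print("forwarded", dmarc_verdict("example.org", "example.org", "203.0.113.7"))
    print("include  ", check_host("2001:db8::1", "included.example"))
    print("too deep ", check_host("198.51.100.1", "chain0.example"))
```

Run it with no arguments; the "forwarded" line shows the failure Weaver hit (SPF fail, disposition reject) even though the record itself is correct, and the "too deep" line shows what happens when an `include:` chain exceeds the limit d2d4j mentioned: the result is permerror, which DMARC treats as a failure rather than a pass.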
Post by: Chrysalis on November 24, 2018, 10:47:26 PM
Take a look at this Weaver