SPF record validation - best guess only

Question

I administrate the domain [mydomain.com] which was until now only used for handling mail through Google Mail/Google Apps.

Now I added a server which should be part of the domain without changing the primary purpose. I want the server to be able to send simple administrative mail, so I installed and configured sendmail.

When I send testmails to another Google Mail address the mail gets through but I get this header information:

Received-SPF: pass (google.com: best guess record for domain of
[myuser]@[myhost].[mydomain].com designates [myipv6address]
as permitted sender) client-ip=[myipv6address];

Now of course I want the validation to pass without guessing but I have probably something wrong in my DNS record.

$TTL 86400
@   IN SOA [mynameserver1]. (
    2013101002   ; serial
    14400        ; refresh
    1800         ; retry
    604800       ; expire
    86400 )      ; minimum

@            IN NS      [mynameserver3].
@            IN NS      [mynameserver2].
@            IN NS      [mynameserver1].

@            IN A       [myipv4address]
[myhost]     IN A       [myipv4address]

@            IN AAAA    [myipv6address]
[myhost]     IN AAAA    [myipv6address]

@            IN MX 1    ASPMX.L.GOOGLE.COM.
@            IN MX 5    ALT1.ASPMX.L.GOOGLE.COM.
@            IN MX 5    ALT2.ASPMX.L.GOOGLE.COM.
@            IN MX 10   ASPMX2.GOOGLEMAIL.COM.
@            IN MX 10   ASPMX3.GOOGLEMAIL.COM.
@            IN TXT     "v=spf1 a:[myhost].[mydomain].com ip4:[myipv4address]
                        ip6:[myipv6address] include:_spf.google.com ~all"

I can't find the error and would appreciate any help.

Best regards,

Thomas

What is the problem you are having? Your post does not describe any problem. — Michael Hampton, Oct 13 '13 at 15:20
The problem is that I expect the receiving mail server not only to "guess" that the sending host is valid. I think other providers may be stricter and classify the mail as spam. — computhomas, Oct 13 '13 at 21:10

score 2 · Accepted Answer · edited Oct 07 '21 at 07:34

2

You sent email from an address which contains a subdomain of your domain. Your domain has an SPF record, but the subdomain does not. Thus Google makes a "best guess" that your domain's SPF record should be used. This violates the specification, under which your subdomain would not be considered to have an SPF record, but it usually reflects what senders (whose mail systems are misconfigured) intended.

edited Oct 07 '21 at 07:34

Community

1

answered Oct 13 '13 at 21:24

Michael Hampton

244,070
43
506
972

Shouldn't this be addressed by the A and AAAA entry for the hostname and the hostname in the spf line? – computhomas Oct 14 '13 at 07:22
No, you misunderstand. Your hostname, what you call `[myhost]`, is missing an SPF record. – Michael Hampton Oct 14 '13 at 16:09
So I should add an additional line like: `[myhost] IN TXT "v=spf1 a:[myhost].[mydomain].com ip4:[myipv4address] ip6:[myipv6address] include:_spf.google.com ~all"` ? – computhomas Oct 15 '13 at 06:57
Yes, if that's the record you want. – Michael Hampton Oct 15 '13 at 06:57
I changed my sendmail.cf to masquerade as [mydomain].com instead of [myhost].[mydomain].com now and everything works as intended. Thanks for showing me the right direction! – computhomas Oct 15 '13 at 09:19

SPF record validation - best guess only

1 Answers1