4

I have an internal management app for a small company, written in Python and running on a Linode VPS, with which users can send occasional emails to their customers. The emails are quite straightforward: a text part (i.e. not HTML) with a PDF invoice attachment, created with the email stdlib module and sent via an external SMTP server (which is not hosted on the VPS).

Everything has been running quite smoothly for a while, but then lately I've been receiving complaints that the emails are often classified as spam by the receiving mail servers. I sent a test email to http://www.mail-tester.com and discovered that adding a few missing headers (Date and Message-ID in particular) helped to reduce the "spaminess" level of my messages. However there is one SPF-related SpamAssassin problem that still eludes me:

```
SPF_HELO_SOFTFAIL   SPF: HELO does not match SPF record (softfail)
```

I tried sending the test email to my Gmail account and here are the relevant headers that can be found when I do "Show Original":

```
Received-SPF: pass (google.com: domain of <sender_address> designates <ip_smtp_server> as permitted sender) client-ip=<ip_smtp_server>;
Received: from [<ip_linode_vps>] (helo=<domain_name_linode_vps>)
```

From this and some additional information I gathered here and there, I'm pretty sure that this problem could be fixed by somehow modifying the SPF record of the SMTP server domain (which already exists, as a TXT record with a "v=spf1 a mx... ~all" string containing an ip4 reference to <ip_smtp_server>), but my current understanding is not enough to do so, so I'd appreciate any help.

Update:

<ip_linode_vps> = 69.164.216.89
<domain_name_linode_vps> = li131-89.members.linode.com
<ip_smtp_server> = 192.99.17.51
<domain_name_smtp_server> = mail.roucet.com
<already_existing_spf_record> = "v=spf1 a mx ip4:192.99.17.51 ip4:158.85.89.116 ip4:158.85.77.121 ~all"
cjauvin
  • If you want a specific answer to resolve your issue, it will be nearly impossible to provide without the domain in question, the IP address of the server, and preferably the unedited results in the authentication-header. – Paul Dec 13 '14 at 17:03
  • Thanks Paul, I really appreciate your help. Would it be safe and sufficient to provide the real values for ``, `` and `` above? Would some other infos or details be also needed? – cjauvin Dec 13 '14 at 17:23
  • It is data that is already publicly available. If you have an insecure configuration, then it will be discovered. – Paul Dec 13 '14 at 17:25
  • @Paul I have provided the requested values as an update to my question, please tell me if you need something else. – cjauvin Dec 13 '14 at 17:34
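To see why the relay's address passes while a direct send from the VPS would not, it helps to evaluate the quoted record mechanism by mechanism. The following is an added example, not code from the question or the answer: a small SPF evaluator that implements only the mechanisms present in the record (ip4, a, mx, all, plus ip6) and resolves names through a constructed in-memory table instead of real DNS, so it runs offline. Only the ip4 literals and the mail.roucet.com address come from the update; the A record of roucet.com and its MX host in the table are assumptions. include, redirect and CIDR suffixes on a/mx are deliberately unsupported and raise.

```python
import ipaddress

# Record quoted in the question's update.
ORIGINAL_RECORD = "v=spf1 a mx ip4:192.99.17.51 ip4:158.85.89.116 ip4:158.85.77.121 ~all"

# Constructed DNS table standing in for a resolver. The roucet.com A and MX
# entries are assumptions; mail.roucet.com -> 192.99.17.51 is from the update.
FAKE_DNS = {
    ("roucet.com", "A"): ["192.99.17.51"],
    ("roucet.com", "MX"): ["mail.roucet.com"],
    ("mail.roucet.com", "A"): ["192.99.17.51"],
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def resolve(name, rtype):
    """Look a name up in the constructed table (empty list if absent)."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def ip_matches(client_ip, candidates):
    """True if client_ip falls inside any candidate address or CIDR block."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in candidates)


def mechanism_matches(mech, arg, client_ip, domain):
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip_matches(client_ip, [arg])
    if mech == "a":                       # A record of <arg> or of the domain itself
        return ip_matches(client_ip, resolve(arg or domain, "A"))
    if mech == "mx":                      # A records of every MX host
        hosts = resolve(arg or domain, "MX")
        return ip_matches(client_ip, [a for h in hosts for a in resolve(h, "A")])
    raise ValueError(f"term {mech!r} is not supported by this example")


def check_spf(record, client_ip, domain):
    """Return pass/fail/softfail/neutral/none for client_ip against record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"                   # an unprefixed mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mechanism_matches(mech.lower(), arg, client_ip, domain):
            return QUALIFIER_RESULT[qualifier]   # first match wins
    return "neutral"                      # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.99.17.51", "69.164.216.89"):
        print(ip, check_spf(ORIGINAL_RECORD, ip, "roucet.com"))
    amended = ORIGINAL_RECORD.replace("~all", "ip4:69.164.216.89 ~all")
    print("69.164.216.89 with amended record:",
          check_spf(amended, "69.164.216.89", "roucet.com"))
```

The relay's own address is accepted by the a mechanism before the ip4 literals are even reached; the Linode address matches nothing and falls through to ~all, which is exactly the softfail the question shows. Adding an ip4 term for it (or, as the answer prefers, relaying so that only the listed server ever talks to the outside) turns that into a pass.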

1 Answer

4

All authorized mail servers should be listed in the SPF record. As you now have a new authorized mail server, it should be added. Some SPAM checks differentiate between listed (A, MX) and permitted (~all), and will not treat an unlisted address as a pass. This penalizes senders who don't send via an approved server (often spambots). The ~all policy indicates that the user doesn't really care who uses their domain, as compared to the -all policy that could get the email blocked or quarantined.

The alternative approach is to configure the new server to relay messages using the existing server. It is common for applications to allow an email relay server to be configured. In Python, you would configure your VPS server name instead of localhost.

Whichever server is sending email, it should add the required headers when receiving the message from your application. Alternatively, you can add the headers in the application. There is a defined format for the date in the Date header. The Message-ID header has a defined format, but it is not as strict. Message IDs resemble an email address, but the left side should be a unique id.

BillThor
  • Thanks for your answer. With the setup I have, would you mind giving me an example of an SPF record string that could work? I've been trying many things, to no avail. – cjauvin Dec 13 '14 at 05:09
  • @cjauvin To accomplish this, we would need more details on your setup. BillThor tried to give an answer as specific as possible, but we can't find the actual problem, because you haven't described it properly. – sebix Dec 13 '14 at 16:50
  • I understand. Please see my new comment below my question. I'm ready to provide any extra info, I just want to be sure that it's safe to do so. – cjauvin Dec 13 '14 at 17:24
  • @cjauvin Your SPF record looks good. If you can change the policy to `-all` it would be better. However your mail server thinks its name is `box5.domaineinternet.ca`. You should adjust its configuration so it answers as `mail.roucet.com`. – BillThor Dec 14 '14 at 00:26
  • @BillThor But to address the specific SpamAssassin error I'm getting (i.e. "HELO not matching"), shouldn't the IP or domain name of the email-sending VPS be somehow specified in the SPF record? Also, It seems that testing different SPF configurations is not easy, because of the DNS propagation delay.. – cjauvin Dec 14 '14 at 16:42
  • @BillThor Let me be even more specific: if the `HELO` of my message is from `li131-89.members.linode.com` (ip=`69.164.216.89`), shouldn't the SPF record include a `a:li131-89.members.linode.com` or `ip4:69.164.216.89` mechanism, or both? – cjauvin Dec 14 '14 at 17:35
  • @cjauvin Yes you would need ipv4:69.164.216.89 if you are sending directly. The preferred option would be for the Linode to relay via your MX, which simplifies everything and doesn't need SPF changes. Your Linode server doesn't accept mail connections, which will count against it on some servers. Your mail server fails rDNS validation of the name you have in DNS. You may want to get the PTR record updated or use box5.domaineinternet.ca as your MX. – BillThor Dec 14 '14 at 18:56
  • Thanks again @BillThor, I really appreciate your sustained help! Regarding your preferred option, would this be an example of it http://askubuntu.com/a/457024? – cjauvin Dec 15 '14 at 00:35
  • @cjauvin Yes, that is an example using an authenticated submission with Postfix. The same configuration can be used directly from an application. Alternatively, you can configure your mail server to relay for your VPS box and use port 25. – BillThor Dec 15 '14 at 01:23
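Putting the answer's two recommendations together (add Date and Message-ID in the application; relay through the existing mail server over authenticated submission instead of sending straight from the VPS), here is an added example that is neither the poster's nor BillThor's code. mail.roucet.com is the relay named in the question's update; the submission port, the account name and password, and the PDF bytes are assumptions or constructed stand-ins.

```python
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr

SUBMISSION_HOST = "mail.roucet.com"   # relay named in the question's update
SUBMISSION_PORT = 587                 # assumption: submission port with STARTTLS, not 25
SMTP_USER = "app@roucet.com"          # assumption: an account on the relay
SMTP_PASSWORD = "change-me"           # assumption: load from the environment in practice

# Constructed stand-in for the invoice attachment; not a real PDF document.
FAKE_PDF = b"%PDF-1.4\n%constructed sample, not a real invoice\n%%EOF\n"


def build_invoice_message(sender, recipient, subject, body_text, pdf_bytes, pdf_name):
    """Text-only body plus a PDF attachment, with the headers mail-tester wanted."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # RFC 5322 date with the local timezone offset; a missing Date is penalised.
    msg["Date"] = formatdate(localtime=True)
    # Unique left part, and the sender's own domain on the right, so the
    # identifier is tied to a domain you control rather than the VPS hostname.
    _, addr = parseaddr(sender)
    msg["Message-ID"] = make_msgid(domain=addr.rpartition("@")[2])
    msg.set_content(body_text)  # text/plain part, no HTML alternative
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename=pdf_name)
    return msg


def missing_headers(msg):
    """Headers the spam check complained about that are still absent."""
    return [h for h in ("Date", "Message-ID") if h not in msg]


def send_via_submission(msg, host=SUBMISSION_HOST, port=SUBMISSION_PORT,
                        user=SMTP_USER, password=SMTP_PASSWORD,
                        smtp_factory=smtplib.SMTP):
    """Relay msg through the company mail server: EHLO, STARTTLS, AUTH, then send.

    Returns the dict of refused recipients from send_message (empty on success).
    smtp_factory exists so the exchange can be exercised without a network.
    """
    context = ssl.create_default_context()  # verifies the relay's certificate
    with smtp_factory(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)       # never send the password in clear
        smtp.ehlo()                          # re-EHLO after TLS, as the RFC requires
        smtp.login(user, password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    m = build_invoice_message("Billing <billing@roucet.com>", "customer@example.com",
                              "Invoice 2014-12", "Please find your invoice attached.",
                              FAKE_PDF, "invoice.pdf")
    print(m["Message-ID"], "missing:", missing_headers(m))
    # send_via_submission(m)   # uncomment with real credentials on the relay
```

With this arrangement the only host the outside world ever sees is mail.roucet.com, so the HELO that receivers evaluate is the mail server's own, and the VPS name stops mattering for the SPF_HELO test. If you do keep sending directly from the VPS, smtplib.SMTP's local_hostname parameter controls the name it announces in EHLO.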