-3

I give training and therefor i have a gmail account (linked to my weebly website www.serenewarrior.nl)

Sometimes I get a Delivery Status notification (below) saying I am not allowed to sent mail and I need to contact the postmaster of MY website.

I am an absolute no no in these things and need to know how and where to fix it. Can someone guide me through?

Is it fixable in gmail settings?

The response was:

550 2a00:1450:4864:20::444 is not allowed to send mail from serenewarrior.nl. Please see http://www.openspf.net/Why?scope=mfrom;identity=info@serenewarrior.nl;ip=2a00:1450:4864:20::444

An SPF-enabled mail server rejected a message that claimed an envelope sender address of info@serenewarrior.nl.

An SPF-enabled mail server received a message from mail-wr1-x444.google.com (2a00:1450:4864:20::444) that claimed an envelope sender address of info@serenewarrior.nl.

The domain serenewarrior.nl has published an SPF policy, however, an error occurred while the receiving mail server tried to evaluate the policy:

Maximum void DNS look-ups limit (2) exceeded. What should I do?

The domain serenewarrior.nl will have to fix the problem. You can contact the serenewarrior.nl postmaster and tell them about the error message you received.

Lynn
  • 1
  • 1

2 Answers2

3

The SPF record for your domain is not set correctly. You need to fix that with your domain registrar's control panel, not in the Gmail settings. It currently is:

serenewarrior.nl. IN TXT "v=spf1 a mx ip4:185.182.56.13 a:spf.spamexperts.axc.nl a:mail-wm0-f47.google.com a:mail-wm0-f51.google.com -all"

To use your own domain with Gmail / G Suite you need to follow the instruction found here: https://support.google.com/a/answer/33786?hl=en

The most relevant instruction from that help page is that in the SPF record for your domain you need to authorise Gmail's servers to send email on your behalf by adding include:_spf.google.com rather than the specific google.com servers (a:mail-wm0-f47.google.com a:mail-wm0-f51.google.com) you have currently listed.

HBruijn
  • 77,029
  • 24
  • 135
  • 201
1

Following HBruijn's answer you can get mail from Gmail pass SPF. But that's not the only thing that may cause problems, like the error reported by the openspf.org/Why:

The domain serenewarrior.nl has published an SPF policy, however, an error occurred while the receiving mail server tried to evaluate the policy:

Maximum void DNS look-ups limit (2) exceeded.

Let's investigate your current SPF policy a little, piece by piece with the additional DNS lookups made. 

"v=spf1 a mx ip4:185.182.56.13 a:spf.spamexperts.axc.nl 
 a:mail-wm0-f47.google.com a:mail-wm0-f51.google.com -all"

  1. Only ip4 and -all can be directly evaluated from the SPF policy record alone. Then...

  2. a causes an additional lookup for serenewarrior.nl. IN A (or AAAA case this is an IPv6 address).

  3. mx causes an additional lookup for serenewarrior.nl. IN MX, causing steps 4-7.

    serenewarrior.nl.   IN   MX   20 ALT2.ASPMX.L.GOOGLE.COM.
serenewarrior.nl.   IN   MX   10 ASPMX.L.GOOGLE.COM.
serenewarrior.nl.   IN   MX   30 ALT3.ASPMX.L.GOOGLE.COM.
serenewarrior.nl.   IN   MX   30 ALT4.ASPMX.L.GOOGLE.COM.

  4. ALT2.ASPMX.L.GOOGLE.COM. IN A

  5. ASPMX.L.GOOGLE.COM. IN A

  6. ALT3.ASPMX.L.GOOGLE.COM. IN A

  7. ALT4.ASPMX.L.GOOGLE.COM. IN A

  8. a:spf.spamexperts.axc.nl adds spf.spamexperts.axc.nl. IN A (10 addresses, 0 for AAAA).

  9. a:mail-wm0-f47.google.com adds mail-wm0-f47.google.com. IN A (1 address, 0 for AAAA).

  10. a:mail-wm0-f51.google.com adds mail-wm0-f51.google.com. IN A (1 address, 0 for AAAA).

This is why you should use ip4 and ip6 mechanisms whenever possible:

  • a can be replaced using the IP address (serenewarrior.nl. IN A 199.34.228.59)

  • It seems that so-called spam experts doesn't utilize include mechanism that would allow them to use CIDR notation in their SPF records, so this part you cannot change. Listing the IP addresses or blocks would make them unable to update the list. (However, if you don't send mail from their servers, you can remove it. This we can't evaluate for you.)

  • Google doesn't use the same servers for incoming and outgoing mail, so the mx can be removed altogether. This and the rest can be replaced with include:_spf.google.com.

Resulting SPF policy record would be:

"v=spf1 ip4:199.34.228.59 ip4:185.182.56.13 a:spf.spamexperts.axc.nl include:_spf.google.com -all"

This does one nested lookup for a:spf.spamexperts.axc.nl and 4 for Gmail as it has 3 additional includes.

Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129