Server Fault Stack Exchange
Server Fault Stack Exchange

Questions tagged [spf]

Sender Policy Framework is a standard by which the owner of a domain uses a specially formed DNS record to advertise which hosts are authorized to send email for the domain.

Sender Policy Framework (SPF) is a technique to prevent e-mail sender address forgery. With SPF system administrators add information about allowed senders for particular domain in a DNS server's TXT and/or SPF record.

Please have a look at the canonical question What are SPF records and how do I configure them.

869 questions
13
votes
2 answers

What does dis=NONE mean in an email's Authentication-Results header?

The following is from an email I received recently: Authentication-Results: mx.google.com; spf=neutral; dkim=pass header.i=@yahoo.com; dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com I've been reading about SPF, DKIM, and…
Alex Henrie
  • 244
  • 1
  • 2
  • 8
13
votes
2 answers

What does this mean: v=spf1 include:_spf.google.com ~all?

In addition to my previous question, what does this DNS entry mean: v=spf1 include:_spf.google.com ~all ?
poseid
  • 559
  • 4
  • 10
  • 20
13
votes
1 answer

Change Envelope From to match From header in Postfix

I am using Postfix as a gateway for my domain and need it to change or rewrite the Envelope From address to match the From header. For example, the From: header is "joe@domainA.org" and the Envelope From is "bob@domainB.com". I want Postfix to make…
lid
  • 265
  • 2
  • 7
13
votes
4 answers

set Google Apps SPF record in Amazon AWS Route 53

I'm using the new AWS GUI for Route 53 to setup my domain records. However, the AWS console won't accept the recommended Google Apps SPF record, v=spf1 include:_spf.google.com ~all (found here). It keeps giving me an error stating The record set…
user101289
  • 297
  • 1
  • 3
  • 12
13
votes
3 answers

SPF/DKIM/DMARC for Gmail "Send mail as" via smtp.gmail.com on external domain

Since "Google Apps" / "Google Apps for business" / "G-Suite" / "Google Workspaces" free tier is being discontinued, I need a solution to migrate my ~30 extended family to a sustainable solution. I'm looking at the option of having them each…
Ozzah
  • 239
  • 2
  • 3
12
votes
3 answers

DMARC Alignment: Enforce messages pass BOTH SPF and DKIM

Is there a way to enforce DMARC to fail/reject mail that doesn't pass BOTH DKIM and SPF? We have been narrowing the number that are failing, but there are some domains in our aggregate (rua) report that are passing just DKIM and we would rather that…
Noah Hall-Potvin
  • 121
  • 1
  • 3
12
votes
2 answers

Office365 SPF record has too many lookups

For some utterly ridiculous administrative reasons we've got a split domain with one mailbox on Office365 which requires us to add include:outlook.com to our SPF record. The problem with this is that that rule alone requires nine DNS lookups of the…
Sammitch
  • 2,111
  • 1
  • 21
  • 35
12
votes
7 answers

Are SPF needed for domains that do not send mails and do not have MX record?

I have some domains registered that do not send mails. I have totally removed MX record for these domains on my DNS. Is it still useful to set an SPF record in order to avoid spammer to send mails as these domains? I read here that for domains that…
Marco Demaio
  • 590
  • 1
  • 8
  • 23
11
votes
4 answers

Why is my opendmarc failing pretty much everything that comes through?

I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone: example.com. 600 IN MX 1 mail.morpheu5.net. example.com. …
Morpheu5
  • 259
  • 4
  • 18
11
votes
1 answer

Why don't my domain's messages to a google group get their headers rewritten so DMARC can pass?

Whenever my domain sends a message to a google group on another domain the DMARC alignment fails. This is true for all my approved senders, even using Gmail in my domain. It seems to be because the Return-Path (Envelope From) header is replaced by…
lordbyron
  • 351
  • 2
  • 9
11
votes
1 answer

SPF softfail domain does not designate IP as permitted sender

I use both mailgun and a namecheap mail server (where I also have my domain) and when I receive mails in my gmail account, mailgun is recognized as a permitted sender, but that's not the case of namecheap. That's what I get: Received-SPF: softfail…
muilpp
  • 349
  • 1
  • 2
  • 11
11
votes
3 answers

Failed SPF for email imported to Gmail because of client IP instead of server's in message when sent through SMTP from one local box to another

We have a linux (Debian) VPS with domain (let's say example.com with MX mail.example.com) that has SPF set up. There is dovecot+exim running. There is also Direct Admin on top of that. When I send a mail to foreign server then everything is fine.…
Zbyszek
  • 175
  • 1
  • 10
11
votes
1 answer

What is the difference between -all and ~all in a DNS SPF record?

I've found that our current DNS SPF record uses the ~all keyword, but in most examples I've seen -all used. What's the difference between the two?
STW
  • 1,000
  • 2
  • 7
  • 25
11
votes
1 answer

Why is Google rejecting mails forwarded from my Postfix server?

I've set up Postfix and created an alias that maps to a gmail account. When I mail from one of my own (google mail) accounts, it goes through, but if someone from the outside mails me, Google won't accept the mail from my server. The logs something…
troelskn
  • 229
  • 1
  • 2
  • 11
11
votes
3 answers

Gmail rejects emails. Openspf.net fails the tests

I've got a problem with Gmail. It started after one of our trojan infected PCs sent spam for one day from our IP address. We've fixed the problem, but we got into 3 black lists. We've fixed that, too. But still every time we send an email to Gmail…
pablomedok
  • 133
  • 1
  • 11
1 2
3
57 58