8

I'm using phpMailer on a Linode server. The DNS records are set to allow sending through the gmail mail server which is hosting my mail account membership@oiyc.org. I just added DKIM to try to get the SPF rating up. The DKIM apparently is fine but I still get SPF Neutral.

The sender set up is:

        $mail = new PHPMailer();
        $mail->isSMTP();
        $mail->SMTPKeepAlive = true;
        $mail->SMTPAuth   = true;
        $mail->SMTPSecure = "tls";                 // sets the prefix to the server
        $mail->Host       = "smtp.gmail.com";      // sets GMAIL as the SMTP server
        $mail->Port       = 587;                   // set the SMTP port
        $mail->Username   = "membership@oiyc.org";  // GMAIL username
        $mail->Password   = "*******************";            // GMAIL password
        $mail->isHTML(true); // send as HTML
        $mail->WordWrap   = 100; // set word wrap
        $mail->Sender = "membership@oiyc.org";
        $mail->addReplyTo($_SESSION['se-reply'],$_SESSION['se-from']);
        $mail->setFrom($_SESSION['se-reply'],$_SESSION['se-from']);

        $mail->DKIM_domain = "oiyc.org";
        $mail->DKIM_private = "*********/rsa.private"; //path to file on the disk.
        $mail->DKIM_selector = "mainkey";// change this to whatever you set during step 2
        $mail->DKIM_passphrase = "";
        $mail->DKIM_identity = $mail->Sender;

Here is the source received from an email sent through my linode server.

            Delivered-To: ********@gmail.com
            Received: by 10.46.25.85 with SMTP id p82csp1388830lje;
                Sun, 4 Feb 2018 11:11:56 -0800 (PST)
            X-Received: by 10.98.196.204 with SMTP id h73mr11556131pfk.143.1517771515865;
                Sun, 04 Feb 2018 11:11:55 -0800 (PST)
            ARC-Seal: i=1; a=rsa-sha256; t=1517771515; cv=none;
                d=google.com; s=arc-20160816;
                b=*****
                qrIA==
            ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
                h=content-transfer-encoding:mime-version:list-unsubscribe:message-id
                :subject:reply-to:to:date:from:dkim-signature
                :arc-authentication-results;
                bh=ptVvqh2PiSco0+Kb7wjBXHUijnbEm43LU4E+zStVvb0=;
                b=********
                iuTg==
            ARC-Authentication-Results: i=1; mx.google.com;
                dkim=pass header.i=@oiyc-org.20150623.gappssmtp.com header.s=20150623 header.b=ytsz7YWm;
                spf=neutral (google.com: 209.85.220.41 is neither permitted nor denied by best guess record for domain of membership@oiyc.org) smtp.mailfrom=membership@oiyc.org
            Return-Path: <membership@oiyc.org>
            Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
                by mx.google.com with SMTPS id i3sor1037208pgs.91.2018.02.04.11.11.55
                for <********@gmail.com>
                (Google Transport Security);
                Sun, 04 Feb 2018 11:11:55 -0800 (PST)
            Received-SPF: neutral (google.com: 209.85.220.41 is neither permitted nor denied by best guess record for domain of membership@oiyc.org) client-ip=209.85.220.41;
            Authentication-Results: mx.google.com;
                dkim=pass header.i=@oiyc-org.20150623.gappssmtp.com header.s=20150623 header.b=ytsz7YWm;
                spf=neutral (google.com: 209.85.220.41 is neither permitted nor denied by best guess record for domain of membership@oiyc.org) smtp.mailfrom=membership@oiyc.org
            DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
                d=oiyc-org.20150623.gappssmtp.com; s=20150623;
                h=from:date:to:reply-to:subject:message-id:list-unsubscribe
                :mime-version:content-transfer-encoding;
                bh=ptVvqh2PiSco0+Kb7wjBXHUijnbEm43LU4E+zStVvb0=;
                b=*********
            SsBA==
            X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
                d=1e100.net; s=20161025;
                h=x-gm-message-state:from:date:to:reply-to:subject:message-id
                :list-unsubscribe:mime-version:content-transfer-encoding;
                bh=ptVvqh2PiSco0+Kb7wjBXHUijnbEm43LU4E+zStVvb0=;
                b=*************
                r+zA==
            X-Gm-Message-State: AKwxytcQCxD/95gmJfS/DyCC4XOh8K3K+Jj9QONeHmVyCH5ebJDtxvIl tQwyBjpS9etVQopYODbtnZZ2Kw0k1Pc=
            X-Google-Smtp-Source: AH8x227kdTn+9Ee7QoJFUYDPq/ax7LmKHzsDAtCNr/5cL0MidmAB3GWuEw4RU28Zb3jl8Kx0uAnegw==
            X-Received: by 10.99.96.80 with SMTP id u77mr6305435pgb.401.1517771515191;
            Sun, 04 Feb 2018 11:11:55 -0800 (PST)
            Return-Path: <membership@oiyc.org>
            Received: from oiyc.org ([2600:3c01::f03c:91ff:fe56:5129])
                by smtp.gmail.com with ESMTPSA id m65sm14046167pfc.150.2018.02.04.11.11.54
                for <********@gmail.com>
                (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
                Sun, 04 Feb 2018 11:11:54 -0800 (PST)
            From: Bob Brunius <membership@oiyc.org>
            X-Google-Original-From: Bob Brunius <********@gmail.com>
            Date: Sun, 4 Feb 2018 11:11:53 -0800
            To: ********@gmail.com
            Reply-To: Bob Brunius <********@gmail.com>
            Subject: A different sort of test 123d
            Message-ID: <MR3sDgtyN4siuc2vYCZLxL34VuLFlexvK0WbbcEH7FA@oiyc.org>
            X-Mailer: PHPMailer 6.0.3 (https://github.com/PHPMailer/PHPMailer)
            List-Unsubscribe: <information@oiyc.org>, <https://oiyc.org/membershipDatabaseForms/unsubscribe.php?email=********@gmail.com&member=242>
            MIME-Version: 1.0
            Content-Type: multipart/alternative; boundary="b1_MR3sDgtyN4siuc2vYCZLxL34VuLFlexvK0WbbcEH7FA"
            Content-Transfer-Encoding: 8bit

            --b1_MR3sDgtyN4siuc2vYCZLxL34VuLFlexvK0WbbcEH7FA
            Content-Type: text/plain; charset=us-ascii

            Hello 12345678-abcd

            --b1_MR3sDgtyN4siuc2vYCZLxL34VuLFlexvK0WbbcEH7FA
            Content-Type: text/html; charset=us-ascii

            <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
            <html>
            <body>
            Hello 12345678-abcd
            </body>
            </html>
            --b1_MR3sDgtyN4siuc2vYCZLxL34VuLFlexvK0WbbcEH7FA--
Bob Brunius
  • 1,344
  • 5
  • 14
  • 21

4 Answers

4

Currently your SPF record is published in your DNS as...

"v=spf1 include:_spf.google.com include:oiyc.org ~all"

which has an include:oiyc.org recursively referencing itself. This is technically incorrect, but strangely may work if the preceding mechanism include:_spf.google.com is satisfied and returns a result to the SPF query. Thereafter the include:oiyc.org mechanism will cause the lookup to fail, so the ~all mechanism would never be processed.

The include: mechanism is intended to reference an externally published set of SPF details, usually at a different domain.

I suspect that you intended to reference the IP address of your own domain, presumably defined in DNS as an A record for the bare domain name, in which case you would use the mechanism a:oiyc.org which can itself be shortened to just a.

So your resulting TXT record might be something like...

"v=spf1 include:_spf.google.com a ~all"

Gavin Jackson
  • 1,907
  • 1
  • 22
  • 28
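The behaviour described in this answer, as an added example that is not part of the original answer: a small left-to-right SPF evaluator showing that the self-referencing record passes only when the Google include matches and otherwise hits the RFC 7208 limit of 10 DNS lookups, so `~all` is never reached. The DNS data is constructed: `fixed.example` is a hypothetical name holding the corrected record, and the `ip4` range and A records are sample values, not the real zone contents.

```python
import ipaddress

# Constructed stand-in for DNS, not live data. "fixed.example" is a hypothetical
# name carrying the corrected record; the ip4 range and A records are sample values.
TXT = {
    "oiyc.org": "v=spf1 include:_spf.google.com include:oiyc.org ~all",
    "fixed.example": "v=spf1 include:_spf.google.com a ~all",
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ~all",
}
A = {"oiyc.org": ["203.0.113.10"], "fixed.example": ["203.0.113.10"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms in one evaluation

class PermError(Exception):
    """The record cannot be evaluated; later terms are never reached."""

def check_host(ip, domain, budget):
    """Evaluate terms left to right; only include, a, ip4 and all are handled."""
    record = TXT.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = QUALIFIERS.get(term[0])
        name, _, arg = (term[1:] if qual else term).partition(":")
        if name in ("include", "a"):  # these terms cost a DNS lookup
            budget[0] -= 1
            if budget[0] < 0:
                raise PermError("lookup limit exceeded")
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "a":
            hit = ip in A.get(arg or domain, [])
        elif name == "include":
            inner = check_host(ip, arg, budget)
            if inner == "none":
                raise PermError("include target publishes no SPF record")
            hit = inner == "pass"  # any other inner result means "no match"
        else:
            raise PermError("term not handled here: " + term)
        if hit:
            return qual or "pass"
    return "neutral"

def spf(ip, domain):
    try:
        return check_host(ip, domain, [MAX_LOOKUPS])
    except PermError:
        return "permerror"
```

With the corrected record, a sender that is neither Google nor the domain's own A record falls through to `~all` and gets `softfail` instead of an evaluation error.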
2

There is no connection between using DKIM and SPF.

From the log:

Received-SPF: neutral (google.com: 209.85.220.41 is neither permitted nor denied by best guess record for domain of membership@oiyc.org) client-ip=209.85.220.41;

When checking for the SPF record, this happens:

    $ host -t TXT oiyc.org
    oiyc.org has no TXT record

This means you haven't set up any SPF rules. Therefore, there cannot be an SPF check. As the message states, there is no reason to have anything other than neutral.

This also applies to ARC-Authentication-Results and Authentication-Results headers.

rollstuhlfahrer
  • 3,988
  • 9
  • 25
  • 38
  • SPF? Under DNS TXT for google: v=spf1 include:_spf.google.com ~all – Bob Brunius Feb 04 '18 at 20:22
  • I added oiyc.org to the TXT records but I'm not sure of the correct entry.. v=spf1 include:_spf.google.com include:oiyc.org ~all – Bob Brunius Feb 04 '18 at 20:25
  • I am not able to manually verify SPF records, but there may be online tools for that. Given that, I can only link to the [documentation](http://www.openspf.org/SPF_Record_Syntax). So if the answer satisfies your question, may I kindly ask you to accept it? – rollstuhlfahrer Feb 04 '18 at 21:33
  • I have read the documentation which is very sketchy. I've tried a bunch of stuff and nothing makes it work. Something conflicting with what I need to allow gmail to process the email and having the domain name show in the TXT record. – Bob Brunius Feb 05 '18 at 04:35
  • @bob You need to remove _include:oiyc.org_ , and probably use something like _v=spf1 include:_spf.google.com a ~all_ , see my answer above for explanation. – Gavin Jackson Jun 14 '18 at 07:24
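Reading the verdicts out of the Authentication-Results header quoted in the question, as an added example that is not part of the original answers: it extracts the SPF and DKIM results separately, together with the domain each verdict applies to. The header values are copied from the question; the function names are hypothetical, and the parser is simplified (it assumes no `;` inside comments).

```python
import re

# Header values copied from the message source in the question.
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@oiyc-org.20150623.gappssmtp.com "
    "header.s=20150623 header.b=ytsz7YWm; "
    "spf=neutral (google.com: 209.85.220.41 is neither permitted nor denied by "
    "best guess record for domain of membership@oiyc.org) "
    "smtp.mailfrom=membership@oiyc.org"
)
FROM_HEADER = "Bob Brunius <membership@oiyc.org>"

def parse_auth_results(value):
    """Return (authserv_id, {method: {"result", "comment", "props"}})."""
    authserv, *clauses = [c.strip() for c in value.split(";")]
    methods = {}
    for clause in clauses:
        head = re.match(r"([a-z]+)=([a-z]+)", clause)
        if not head:
            continue
        comment = re.search(r"\(([^)]*)\)", clause)
        # Drop the parenthesised comment before collecting key=value properties.
        bare = re.sub(r"\([^)]*\)", " ", clause[head.end():])
        methods[head.group(1)] = {
            "result": head.group(2),
            "comment": comment.group(1) if comment else "",
            "props": dict(re.findall(r"([\w.]+)=(\S+)", bare)),
        }
    return authserv, methods

def domain_of(address):
    """Domain part of 'Name <user@example.org>', 'user@example.org' or '@example.org'."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()

def summarize(auth_value, from_header):
    """Collect each verdict next to the domain it was computed for."""
    _, methods = parse_auth_results(auth_value)
    spf, dkim = methods.get("spf", {}), methods.get("dkim", {})
    return {
        "spf_result": spf.get("result"),
        "spf_domain": domain_of(spf.get("props", {}).get("smtp.mailfrom", "")),
        # Receiver's wording in the quoted header; the answer above ties it
        # to the domain having no published TXT record at the time.
        "spf_best_guess": "best guess" in spf.get("comment", ""),
        "dkim_result": dkim.get("result"),
        "dkim_domain": domain_of(dkim.get("props", {}).get("header.i", "")),
        "from_domain": domain_of(from_header),
    }
```

For the quoted message, `summarize(AUTH_RESULTS, FROM_HEADER)` reports the SPF verdict for `oiyc.org` and the DKIM pass for `oiyc-org.20150623.gappssmtp.com`, two independent checks on two different identifiers.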
1

The SPF record that you were supposed to add for the current IP listed is

@ TXT "v=spf1 a ip4:209.85.220.41 ~all"

Visit this link to create the SPF record: https://mxtoolbox.com/SPFRecordGenerator.aspx

althaf a s
  • 71
  • 6
0

It has been a while since this post. But in case this helps anyone. If you already have your MX record set as Google you don't need to repeat it in your SPF. So this will be sufficient: v=spf1 mx ~all. But then I received a softfail error: softfail (google.com: domain of transitioning a@d.c does not designate xxx.xx.xx.xx as permitted sender)

Adding the ip4 addresses to the TXT record fixed that error too and I received a pass. These were the 2 Google IPs that appeared on my errors, so I added them to the permitted list.

v=spf1 mx ip4:209.85.220.41 ip4:209.85.220.65 ~all

P.S. If you already have a TXT record, the spf value can be added in a new line within the same TXT record.

omufeed
  • 144
  • 5