Join Log in
Score:0
St4rb0y avatar Server

SPF record not getting recognized for mail server domain?

pr flag
St4rb0y

I'm currently attempting to setup a mail server on Debian. So far I've installed postfix and opendkim. I've also configured an FQDN, rDNS, DKIM, DMARC, and SPF, but the latter doesn't work somehow.

An SPF record for mydomain.net gets recognized, when I run an online test (e.g. mxtoolbox.com, appmaildev.com), but not for myhostname.mydomain.net (which is from where the mail gets sent). Both DKIM and DMARC test fine. myhostname.mydomain.net has A/AAAA records, as well as a MX record. Sending mail via the mail command also works flawlessly. It arrives and doesn't end up in the Spam folder.

The FQDN was setup as 127.0.1.1 myhostname.mydomain.net myhostname in "/etc/hosts".

The SPF TXT record looks like this: v=spf1 mx a:myhostname.mydomain.net -all

Here's my "/etc/postfix/main.cf":

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
myhostname = myhostname.mydomain.net

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

The opendkim keys were generated for mydomain.net, not myhostname.mydomain.net, but that seems to check out fine.

My DMARC TXT record is as follows: v=DMARC1; p=reject; rua=mailto:[email protected]; fo=1

What am I overlooking here?

138
2 + 1
spf
jp flag
Esa Jokinen
As a side note, for all these technologies to work they need to be implemented by both the sender and the receiver. Your current configuration does not implement SPF and DMARC for incoming mail; you could use policyd-spf & OpenDMARC.
0
Reply
Score:2
avatar Server
us flag
glts

Generally, you should set up an SPF record

  • for each domain you intend to send mail from (the domain name that appears in the MAIL FROM:<[email protected]> SMTP command); RFC 7208, 2.4
  • optionally, for each mail host that you intend to send mail from (the domain name that appears in the EHLO myhostname.mydomain.net SMTP command); RFC 7208, 2.3

You are already all set with your installation of record v=spf1 mx a:myhostname.mydomain.net -all at domain mydomain.net. All good!

Optionally (recommended), you could also install a record v=spf1 a -all at domain myhostname.mydomain.net, but this isn’t strictly necessary.

+ 2
St4rb0y avatar
pr flag
St4rb0y
Thank you. Where can I find what's stored in MAIL FROM and EHLO?
0
Reply
Nikita Kipriyanov avatar
za flag
Nikita Kipriyanov
EHLO your server is using you can see as `postconf -xh smtp_helo_name`. Mail from is whatever your mail client specified in `MAIL FROM:` during SMTP session, it is not a configuration setting.
1
Reply
Score:1
joeqwerty avatar Server
cv flag
joeqwerty

An SPF record for mydomain.net gets recognized, when I run an online test (e.g. mxtoolbox.com, appmaildev.com), but not for myhostname.mydomain.net (which is from where the mail gets sent).

That's the expected result. The SPF record is for the domain, not your email host.

Your SPF record essentially states "myhostname.mydomain.net is authorized to send email for the domain mydomain.net.

So, you validated the SPF record for your domain. Good. You don't validate the SPF record for your email host name.

+ 4
St4rb0y avatar
pr flag
St4rb0y
Thanks, would it make sense to change it to `v=spf1 mx a:mydomain.net -all`, since it should validate all mail sent from that domain? I'm currently trying to figure out how to set `[email protected]` addresses up, instead of `[email protected]`.
0
Reply
jp flag
Esa Jokinen
This answer misses [RFC 7208, 2.3](https://www.rfc-editor.org/rfc/rfc7208#section-2.3) *"HELO" Identity*.
0
Reply
joeqwerty avatar
cv flag
joeqwerty
@EsaJokinen Thanks. My assumption was that the OP created an SPF record for the domain **myhostname.mydomain.net** rather than adding **myhostname.mydomain.net** to the SPF record for the domain **mydomain.net**... if I understood the question correctly. In that case I think I'm correct but I certainly value and appreciate your insight.
0
Reply
jp flag
Esa Jokinen
This answer is not wrong by any means. The other answer is just a bit more complete. :)
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.