I have trouble with some SPF records.
v=spf1 mx a ptr a: vmh37.fastmag.fr include: fastmag.fr include:_spf.google.com ~all
Here is my record. It's working well, but there is one kind of mails (#sfr.fr) that does not receive my emails. (it is a GMAIL domain).
The problem seams to be here since 2019 and not solved by SFR (they have many complaints). There is a solution I found (the only one that works apparently) which is to have a record including only gmail:
v=spf1 include:_spf.google.com ~all
would it be ok if I split my TXT spf in 2 different ones like this?
v=spf1 mx a ptr a: vmh37.fastmag.fr include: fastmag.fr ~all
v=spf1 include:_spf.google.com ~all
Thanks a lot for your help!
No, you can't split them; you can only have one SPF record. Combine them like this:
v=spf1 mx a ptr a:vmh37.fastmag.fr include:fastmag.fr include:_spf.google.com ~all
I have an SFR account too, and their mail service is horribly slow and unreliable!
Related
I'm not sure what qualifier I should be using when trying to combine SPF records.
I know there are plenty of other questions on StackOverflow in regards to what combined SPF record is correct but there isn't one that I can find that explains clearly why a certain qualifier should be used when there are different qualifiers suggested by various services.
My current record looks like:
v=spf1 +a +mx +ip4:111.222.333.444 include:_spf.google.com ~all include:servers.mcsv.net ?all include:mailgun.org ~all
Google's SPF record is:
include:_spf.google.com ~all
Mailchimp's SPF record is:
include:servers.mcsv.net ?all
Mailgun's SPF record is:
include:mailgun.org ~all
How am I supposed to decide what qualifier to use out of +all, -all, ~all and ?all?
What one out of the following is correct?
v=spf1 +a +mx +ip4:111.222.333.444 include:_spf.google.com include:servers.mcsv.net include:mailgun.org ~all
v=spf1 +a +mx +ip4:111.222.333.444 include:_spf.google.com include:servers.mcsv.net include:mailgun.org ?all
v=spf1 +a +mx +ip4:111.222.333.444 include:_spf.google.com include:servers.mcsv.net include:mailgun.org +all
v=spf1 +a +mx +ip4:111.222.333.444 include:_spf.google.com include:servers.mcsv.net include:mailgun.org -all
MX & A
The same question goes to the use of +a and +mx do I need to include those too?
What about +'s?
Do I need to include the + before +a, +mx and +ip4
Bare in mind we send emails through Mailchimp, MailGun, Google & via the server.
Your current record doesn't make sense. Rules are evaluated left to right, so your default (all) mechanism should always be last.
When you include an external SPF record, any all action it contains is effectively ignored (because it gets overridden by your own later directives).
MailChimp's record is dumb (quelle surprise); ?all is equivalent to not having an SPF record at all, but it makes no difference in this case.
Literal IP mechanisms are fastest because they require no DNS lookups to check, so it's considered polite to put them first.
You don't need + in front of mechanisms as that's the default qualifier.
The a mechanism means "allow the IP returned by the A record for this host". Similarly, mx means "allow sending from any IP that is also a mail exchanger (mail server) for this domain". If those are true, add them. I recommend putting these before any include mechanisms because they only require a single DNS lookup, and they're quite likely to be already cached by receivers anyway.
You should never use +all; it's actively bad as it gives all sources a positive pass result, which is worse than having no SPF record. ?all is the same as not having an SPF so you shouldn't use that either.
If you're also using DMARC, you should use ~all; if you're not, use -all. The reason for that is that SPF rules are evaluated before DMARC, and -all will cause immediate termination before DMARC gets a chance to do its thing. DMARC can then be configured to reject anything that gets a softfail, and its reporting mechanisms can do what they are meant to do.
I'd recommend this record if you're using DMARC, and the same but -all if you're not:
v=spf1 ip4:111.222.333.444 a mx include:_spf.google.com include:servers.mcsv.net include:mailgun.org ~all
Whatever you end up with, check it on Scott Kitterman's validator.
I created SPF record for my domain like:
v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.example.com ~all
Now I want to send mail from ip: 192.0.2.123 and 198.51.100.234, and domain xyz.example
My SPF record will work like this:
192.0.2.123._ip.ehlo._ehlo.xyz.example._spf.example.com
198.51.100.234._ip.ehlo._ehlo.xyz.example._spf.example.com
Will I need to create 2(multiple) different DNS records in example.com or it will work in a single DNS?
If it works in a 1 DNS record lookup then please let me know how.
Since your macros generate DNS names that are used for include, yes, each will need a corresponding TXT record. You could possibly match a single record by using a wildcard, along the lines of *._ip.ehlo._ehlo.xyz.example._spf.example.com, but that would undermine the point of having the macro in the first place. I'm curious why you would need such a fine-grained structure that can't be generalised.
I am trying to validate multiple SPF record but it is not validating.
v=spf1 include:mailgun.org +a +mx include:marketheroSPF.smtp.com ?all
I tested it with mxtoolbox and it gives me passed status
v version spf1 The SPF record version
+ include mailgun.org Pass The specified domain is searched for an 'allow'.
+ a Pass Match if IP has a DNS 'A' record in given domain
+ mx Pass Match if IP is one of the MX hosts for given domain name
+ include marketheroSPF.smtp.com Pass The specified domain is searched for an 'allow'.
? all Neutral Always matches. It goes at the end of your record.
However the platform told me that my SPF record is not valid so I am wondering if my TXT record is in wrong format or they platform just does not know how to read multiple SPF format.
Following the official syntax guideline, try this one out.
v=spf1 a mx include:mailgun.org include:marketheroSPF.smtp.com ?all
The order matters and maybe the included records are malformed (expecially the second one). If this linked record have a leading 0, this could be one of the issues.
Depending on the parser the + in front of a and mx may cause errors since the default qualifier is already "+", i.e. "Pass".
Otherwise please provide more details. Hope that helps :)
I've got a wildcard CNAME record defined on my domain (*.mydomain.com)
So, a user at foo.mydomain.com would resolve correctly.
I then went and defined a specific MX record: foo.mydomain.com and pointed that to a mail server
This seems to have caused the wildcard CNAME to break for that domain and not resolve. I would assume that CNAME wildcards are isolated from MX Records, but my test appears to show otherwise.
Do MX Records cause wildcard CNAME queries with the same subdomain to not get resolved?
The record types involved actually don't matter here. What does matter is that if a name explicitly exists, a wildcard record will not be looked for. One way, and by far the most common way, for a name to explicitly exist is for it to have a record of some kind. An MX record, for example. Once that record is there, any queries for that name will either get a response with the MX record (possibly with accompanying DNSSEC records, but let's ignore that for now) in question, or a response saying "The name exists, but it doesn't have a record of the type you asked for".
A wildcard entry is only used for names that do not exist at all. What you want here, to have a wildcard record "fill in" records in existing names, is not ordinarily possible in DNS. It wouldn't be impossible to write a specific name server software that did it, of course, but the resulting semantics would be rather hideous.
Please help me in understanding the below DNS issue. This is regarding SIP interaction with DNS.
When a DNS query is made to a domain (say abc.com) and we are returned two NAPTR RR responses.
abc.com IN NAPTR 20 30 "s" "SIP+D2U" "" _sip._udp.myabc
abc.com IN NAPTR 20 20 "s" "SIP+D2U" "" _sip._udp.myxyz
Now one of the record will be given preference and selected. If the record which is selected (say _sip._udp.myabc) has failed (network not reachable) then should the second record also be tried? Or we will look for the backup of the first one?
RR - Resource Record.
Please answer and/or share the link which has any information regarding this.
Below is the answer I have received from an off forum discussion (with colleague).
The DNS discovery proceeds as -
1 - First one of the NAPTR record will be selected (based on preference rules).
2 - For this NAPTR record we will do an SRV query.
3 - Now each record in the SRV response will be tried one by one untill we receives a positive response.
Please correct if wrong.