[SOLVED] SPF record woes

#1 Wed, 10/28/2015 - 09:59
Beluga


I'm having trouble getting my SPF and DKIM records to be discovered, but I'll let this be about SPF to keep things simple.

My server is a Kimsufi, from OVH Hosting. BIND was set up by Virtualmin and later I only added a PTR record (works fine) and SPF + DKIM.

So far, http://dkimvalidator.com/ provided the best clue (I anonymized my domain info):

Helo Address = ns000000.ip-000-000-000.eu
From Address = admin@mydomain.com
From IP = 000.000.000.000

SPF Record Lookup

Looking up TXT SPF record for mydomain.com
Found the following namesevers for mydomain.com: ns000000.ip-000-000-000.eu ns.kimsufi.com
Retrieved this SPF Record: zone updated 20151027 (TTL = 21599)
using authoritative server (ns000000.ip-000-000-000.eu) directly for SPF Check
Result: none (No applicable sender policy available)

Result code: none
Local Explanation: mydomain.com: No applicable sender policy available
spf_header = Received-SPF: none (mydomain.com: No applicable sender policy available) receiver=dkimvalidator.com; identity=mailfrom; envelope-from="admin@mydomain.com"; helo=ns000000.ip-000-000-000.eu; client-ip=000.000.000.000

This is making me think the SPF record is fetched from somewhere else than my nameserver: Retrieved this SPF Record: zone updated 20151027

OVH support confirmed that ns.kimsufi.com is a slave replicating its information from my primary name server. They said I should ignore what stuff is in the OVH control panel (even though I had copied the same records there to make sure). My domain is not registered through OVH.

My SPF record is defined in /etc/bind/zones/db.mydomain.com as:

mydomain.com. IN TXT "v=spf1 a mx a:mydomain.com mx:mydomain.com ip4:000.000.000.000 ip6:0000:0000:0:0000::1 include:mydomain.com ?all"

This validator says the syntax is fine: http://vamsoft.com/support/tools/spf-syntax-validator

Why does the dkimvalidator say my SPF Record is "zone updated 20151027"? How can I debug this mess?

I've tried for almost 2 weeks and by now my syntax and settings for both SPF and DKIM should be perfect, but it seems they are not even being transmitted!

I've set $TTL 300 temporarily so I should now be able to test changes faster.

http://www.intodns.com/ gives me good results. The only error besides SPF & DKIM is: ERROR: One or more of your nameservers did not respond: The ones that did not respond are: 000.000.000.000

That is the IP of the server, but I don't have an NS defined with purely the IP. The DNSreport here does not give such an error: http://www.dnsstuff.com/tools

Wed, 10/28/2015 - 19:08
Diabolico

It's hard to see where the problem is without knowing the domain and what is inside your zone file, but you can use https://www.unlocktheinbox.com/resources/emailauthentication/ and check for yourself what is wrong.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Thu, 10/29/2015 - 05:53
Beluga

Thanks, that unlocktheinbox was better than anything I've tried so far.

This caught my eye: Authoritative DNS Server (SOA) Check for: mydomain.com SOA Server Results ns000000.ip-000-000-000.eu Failed - No Results Returned, Using Public DNS to perform lookups.

What could I do about that problem? I think it is the cause of this.

Should I try changing completely to OVH's DNSes: dns106.ovh.net. ns106.ovh.net.

Instead of the current ones: ns000000.ip-000-000-000.eu ns.kimsufi.com

My zone file apart from the SPF and DKIM records is:

$TTL 300
;$TTL 86400
mydomain.com. IN      SOA     ns000000.ip-000-000-000.eu. hostmaster.mydomain.com. (
                        2013121226
                        28800
                        3600
                        604800
                        86400 )
mydomain.com.    IN     NS   ns000000.ip-000-000-000.eu.
mydomain.com.    IN     NS   ns.kimsufi.com.
mydomain.com.    IN     A    000.000.000.000
www             IN     A    000.000.000.000
mydomain.com. IN      MX      5 ns000000.ip-000-000-000.eu.

Edit: ok, I got a confirmation from OVH that my own ns does not return the SOA field, so it is fetched from ns.kimsufi.com. How could I make it work?

Edit2: I have this reverse zone:

/etc/bind/zones/rev.000.000.000.000.in-addr.arpa
@ IN      SOA     mydomain.com. hostmaster.mydomain.com. (
                        2013121217;
                        28800;
                        604800;
                        604800;
                        86400 );
                        IN     NS   ns000000.ip-000-000-000.eu.
77 IN PTR mydomain.com.

Thu, 10/29/2015 - 06:46
Diabolico

This is one example of how a fully working zone file looks:

$ttl 3600s
@ IN SOA ns1.mydomain.com. postmaster.mydomain.com. (
2015043068
3600
900
1209600
3600 )
@ IN NS ns1.mydomain.com.
@ IN NS ns2.mydomain.com.
mydomain.com. IN A 111.111.111.111
www.mydomain.com. IN A 111.111.111.111
ftp.mydomain.com. IN A 111.111.111.111
m.mydomain.com. IN A 111.111.111.111
ns1.mydomain.com. IN A 111.111.111.111
ns2.mydomain.com. IN A 111.111.111.111
localhost.mydomain.com. IN A 127.0.0.1
leeroy.mydomain.com. IN A 111.111.111.111
webmail.mydomain.com. IN A 111.111.111.111
admin.mydomain.com. IN A 111.111.111.111
mail.mydomain.com. IN A 111.111.111.111
mydomain.com. IN MX 5 mail.mydomain.com.
mydomain.com. IN TXT "v=spf1 a mx a:mydomain.com mx:mydomain.com ip4:111.111.111.111 -all"
mydomain.com. IN SPF "v=spf1 a mx a:mydomain.com mx:mydomain.com ip4:111.111.111.111 -all"
_dmarc.mydomain.com. IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com; rf=afrf; pct=100; ri=86400"
_adsp._domainkey.mydomain.com. IN TXT dkim=all
mail._domainkey.mydomain.com. IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=...really long code..." )

You can't just copy this and change it with your details, because there is a big chance something will not work, but it is good enough to give you an idea of how it should look. rDNS can be set from the server control panel or by asking your provider to set it for you, but you can't do this from Virtualmin/Webmin.


Tue, 11/03/2015 - 10:00
Beluga

Got help from an acquaintance and now it works! The most important change: both of the nameservers are now OVH's own (ns106.ovh.net & dns106.ovh.net).
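
Added example, not part of any post in this thread: the record-selection step an SPF verifier performs after a TXT lookup (RFC 7208 section 4.5), run over constructed per-nameserver answers that mirror the situation described above, where one nameserver gives no answer and the other returns only a "zone updated" TXT string. The nameserver names, the sample record and the function names are assumptions for illustration.

```python
# Added example (not from the thread). All DNS answers below are constructed.

def select_spf(txt_records):
    """RFC 7208 section 4.5: keep only TXT strings whose version is v=spf1."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "none", None          # the result the validator reported
    if len(spf) > 1:
        return "permerror", None     # more than one SPF record published
    return "found", spf[0]

def self_includes(record, domain):
    """True if an include: mechanism points back at the domain itself."""
    d = domain.lower().rstrip(".")
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?")   # drop the qualifier, if any
        if term.startswith("include:") and term[8:].rstrip(".") == d:
            return True
    return False

def audit(domain, answers):
    """answers maps nameserver -> list of TXT strings, or None if it gave no answer."""
    findings, seen = [], set()
    for ns, txts in sorted(answers.items()):
        if txts is None:
            findings.append(f"{ns}: no response")
            continue
        result, record = select_spf(txts)
        seen.add((result, record))
        findings.append(f"{ns}: {result}")
        if record and self_includes(record, domain):
            findings.append(f"{ns}: include: refers back to {domain}")
    if len(seen) > 1:
        findings.append("nameservers disagree")
    return findings

SPF = "v=spf1 a mx ip4:192.0.2.10 ?all"   # constructed record
BROKEN = {"ns-primary.example.": None,     # constructed: primary is silent
          "ns-secondary.example.": ["zone updated 20151027"]}
FIXED = {"ns-a.example.": [SPF], "ns-b.example.": [SPF]}

if __name__ == "__main__":
    for name, answers in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit("example.com", answers))
```

Against a live zone, the per-nameserver lists would come from querying each authoritative server for the domain's TXT records directly rather than through a caching resolver.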
