SPF: HELO does not publish an SPF Record

Discussion in 'Installation/Configuration' started by 30uke, Oct 20, 2020.

  1. 30uke

    30uke Active Member HowtoForge Supporter

    I am having some difficulties with SPF.
    When I send an e-mail from [email protected] to [email protected] then the e-mail will go through a Barracuda Spam Firewall. From there it is delivered to a server that runs SpamAssassin.
    I am sending the e-mail via s1.gigabitjes.nl.
    I guess the problem has to do with the HELO. But I am not sure how I can work around this with my setup.
    For ict-diensten.com I have the following SPF record:
    Code:
    dig +short TXT ict-diensten.com.
    "v=spf1 a:s1.gigabitjes.nl a:ict-diensten.com include:_spf.s1.gigabitjes.nl -all"
    The include is as follows:
    Code:
    dig +short TXT _spf.s1.gigabitjes.nl
    "v=spf1 ip4:136.144.206.44 ip4:185.216.163.104/29 ip6:2a01:7c8:d001::/48 ip6:2001:470:1f15:73::/64 ~all"
    The e-mail is being received with the following added to the subject: [SPAM? SPF FAIL?]
    The source of the received e-mail is to be found below.
    I am hoping someone could please help me with this. Thank you.
    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: (qmail 3447 invoked by alias); 20 Oct 2020 18:41:07 -0000
    Delivered-To: [email protected]
    Received: (qmail 3444 invoked by uid 453); 20 Oct 2020 18:41:07 -0000
    X-Spam-Status: No, score=1.3 required=5.0 autolearn=disabled
    X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail.lan.okepc.nl
    X-Spam-Details: *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
            *  0.9 SPF_FAIL SPF: sender does not match SPF record (fail)
            *  0.0 HTML_MESSAGE BODY: HTML included in message
            *  0.4 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS
    X-Spam-Level: *
    X-HELO: cluster02-d.mx-relay.com
    Authentication-Results: lan.okepc.nl; auth=none; spf=fail smtp.mailfrom=ict-diensten.com; dkim=none; dmarc=fail (p=reject) d=ict-diensten.com
    Received: from cluster02.mx-relay.com (HELO cluster02-d.mx-relay.com) (5.39.185.34)
     by lan.okepc.nl (qpsmtpd/0.96) with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Tue, 20 Oct 2020 20:41:02 +0200
    Received-SPF: fail (ict-diensten.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity (mechanism '-all' matched)) receiver=mail.lan.okepc.nl; identity=mailfrom; envelope-from="[email protected]"; helo=cluster02-d.mx-relay.com; client-ip=5.39.185.34
    X-ASG-Debug-ID: 1603219257-0a33d657a7358990001-9MViKJ
    Received: from s1.gigabitjes.nl (s1.gigabitjes.nl [136.144.206.44]) by cluster02-d.mx-relay.com with ESMTP id ATIhfQrmD34KMl5A (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for <[email protected]>; Tue, 20 Oct 2020 20:40:57 +0200 (CEST)
    X-Barracuda-Envelope-From: [email protected]
    X-Barracuda-Effective-Source-IP: s1.gigabitjes.nl[136.144.206.44]
    X-Barracuda-Apparent-Source-IP: 136.144.206.44
    Received: from s1.gigabitjes.nl (localhost [IPv6:::1])
        by s1.gigabitjes.nl (Postfix) with ESMTP id D0E7F1A31CE
        for <[email protected]>; Tue, 20 Oct 2020 20:40:54 +0200 (CEST)
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="=_e5b01c6d4144415d0c1bc16d864eedb6"
    Date: Tue, 20 Oct 2020 20:40:54 +0200
    From: "Bouke J. Henstra | ICT Diensten" <[email protected]>
    To: [email protected]
    Subject: [SPAM? SPF FAIL?]  Nog een test na aanpassing SPF
    Organization: Henstra ICT Diensten
    X-ASG-Orig-Subj: Nog een test na aanpassing SPF
    Message-ID: <[email protected]>
    X-Sender: [email protected]
    User-Agent: Roundcube Webmail/1.3.15
    X-Barracuda-Connect: s1.gigabitjes.nl[136.144.206.44]
    X-Barracuda-Start-Time: 1603219257
    X-Barracuda-Encrypted: TLS_AES_256_GCM_SHA384
    X-Barracuda-URL: https://cluster02.mx-relay.com:443/cgi-mod/mark.cgi
    X-Virus-Scanned: by bsmtpd at mx-relay.com
    X-Barracuda-Scan-Msg-Size: 709
    X-Barracuda-BRTS-Status: 1
    X-Barracuda-Spam-Score: 5.00
    X-Barracuda-Spam-Status: Yes, SCORE=5.00 using global scores of TAG_LEVEL=5.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=7.0 tests=HTML_MESSAGE, URLBL_FROM_BC
    X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.85411
        Rule breakdown below
         pts rule name              description
        ---- ---------------------- --------------------------------------------------
        5.00 URLBL_FROM_BC          URLBL_FROM_BC
                                   [URL: ict-diensten.com]
        0.00 HTML_MESSAGE           BODY: HTML included in message
    X-Barracuda-Spam-Flag: YES
    
    --=_e5b01c6d4144415d0c1bc16d864eedb6
    Content-Transfer-Encoding: 7bit
    Content-Type: text/plain; charset=US-ASCII
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    On a quick look, it seems like mx-relay is sending for your domain, and their IP addresses are not allowed to send for your domain.
     
  3. 30uke

    30uke Active Member HowtoForge Supporter

    Yes, it does look like that. Actually e-mail is sent to MX-Relay and they pass the e-mail to the addressee's mail server.
    Code:
    dig +short mx okepc.nl
    10 cluster02.mx-relay.com.
    50 fallbackdt.mx-relay.com.
    So, my guess is that SpamAssassin on the addressee's e-mail server is misconfigured as it shouldn't check the SPF record - as MX-Relay handles that?
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, your SPF record has to be configured differently. If you want, I can PM you a test email address to send a test mail to so I can double check what exactly goes wrong.
     
  5. 30uke

    30uke Active Member HowtoForge Supporter

    Yes, please. Thank you for the friendly gesture.
    I did successfully send e-mails to my gmail.com and hotmail.com e-mail addresses without any issues. It's just oddly not working for okepc.nl for some reason. But please, PM me and I will send an e-mail to the test address. Thanks.
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Just got your email, with a pass on the SPF record. So it's indeed an issue when MX-Relay delivers it to you. You can do 2 things:
    - Allow MX-Relay to send on behalf of your domain (see their info for this on https://www.mx-relay.com/servers/)
    - Disable the SPF check on your server / for this domain.
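
The failure Th0m describes can be reproduced offline; this is an added example, not part of the original thread. It evaluates the SPF records posted above against the sending server's IP and against the relay IP that lan.okepc.nl actually saw. The evaluator is a simplified sketch, the names `check_host` and `spf_client_ip` are hypothetical, and the A record for ict-diensten.com and the trusted-relay range are constructed placeholders.

```python
import ipaddress

# DNS data embedded so the example runs offline. The TXT records and the
# s1.gigabitjes.nl address are copied from the thread; the A record for
# ict-diensten.com is not shown there, so a TEST-NET placeholder stands in.
TXT = {
    "ict-diensten.com": "v=spf1 a:s1.gigabitjes.nl a:ict-diensten.com "
                        "include:_spf.s1.gigabitjes.nl -all",
    "_spf.s1.gigabitjes.nl": "v=spf1 ip4:136.144.206.44 ip4:185.216.163.104/29 "
                             "ip6:2a01:7c8:d001::/48 ip6:2001:470:1f15:73::/64 ~all",
}
A = {"s1.gigabitjes.nl": ["136.144.206.44"], "ict-diensten.com": ["192.0.2.10"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): ip4, ip6, a, include and all only."""
    record = TXT.get(domain)
    if record is None or depth > 10:
        return "none" if record is None else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hosts = A.get(arg or domain, [])
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            # An include matches only when the nested evaluation is "pass";
            # the ~all inside the included record never propagates outward.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            continue  # mechanisms and modifiers outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def spf_client_ip(received_ips, trusted_relays):
    """Pick the newest Received hop that is not one of our own trusted relays."""
    nets = [ipaddress.ip_network(n) for n in trusted_relays]
    for ip in received_ips:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ip
    return None
```

Checked against 136.144.206.44 the record passes on `a:s1.gigabitjes.nl`; checked against 5.39.185.34 nothing matches until `-all`, which is the `fail` recorded in the Received-SPF header above.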
     
  7. 30uke

    30uke Active Member HowtoForge Supporter

    Gotcha! How would the latter option work? Does it mean I have to change the SPF record for ict-diensten.com or is there a magical override option for okepc.nl / mx-relay?
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I would personally change the SPF record as I'd trust my spamfilter company :)

    I don't know about an override for one domain off the top of my head, except whitelisting it, but even then it's the question which software is doing the SPF check.
     
    30uke likes this.
  9. 30uke

    30uke Active Member HowtoForge Supporter

    I guess whitelisting MX-Relay is the one and only viable option. Thanks for your help Th0m.
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No problem :)
     
  11. 30uke

    30uke Active Member HowtoForge Supporter

    Still spam firewall craziness.
    The SPF checks are looking good now:
    Code:
    Received-SPF: pass (ict-diensten.com: Sender is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'include:_spf.s1.gigabitjes.nl' matched)) receiver=mail.lan.okepc.nl; identity=mailfrom; envelope-from="[email protected]"; helo=cluster02-d.mx-relay.com; client-ip=5.39.185.34
    Although my e-mails are still being tagged with "[SPAM? SPF FAIL?]" in the subject.
    Barracuda moans about this:
    Code:
     5.00 URLBL_FROM_BC          URLBL_FROM_BC
                                   [URL: ict-diensten.com]
    But there are no URLs in my e-mail at all.
    I guess I will raise a ticket at MX-Relay to ask gently for a clarification as I am stumped now.
    I did also test from another e-mail address which has a very simple SPF record:
    Code:
    domain.ext. 300 IN TXT "v=spf1 mx a a:domain.ext ?all"
    ... and that just works like a charm.
    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: (qmail 5007 invoked by alias); 20 Oct 2020 21:01:21 -0000
    Delivered-To: [email protected]
    Received: (qmail 5004 invoked by uid 453); 20 Oct 2020 21:01:21 -0000
    X-Spam-Status: No, score=0.0 required=5.0 autolearn=disabled
    X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail.lan.okepc.nl
    X-Spam-Details: * -0.0 SPF_PASS SPF: sender matches SPF record
            *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
            *  0.0 HTML_MESSAGE BODY: HTML included in message
    X-Spam-Level:
    X-HELO: cluster02-d.mx-relay.com
    Authentication-Results: lan.okepc.nl; auth=none; spf=pass smtp.mailfrom=ict-diensten.com; dkim=none; dmarc=pass (p=reject) d=ict-diensten.com
    Received: from cluster02.mx-relay.com (HELO cluster02-d.mx-relay.com) (5.39.185.34)
     by lan.okepc.nl (qpsmtpd/0.96) with ESMTPS (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Tue, 20 Oct 2020 23:01:16 +0200
    Received-SPF: pass (ict-diensten.com: Sender is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'include:_spf.s1.gigabitjes.nl' matched)) receiver=mail.lan.okepc.nl; identity=mailfrom; envelope-from="[email protected]"; helo=cluster02-d.mx-relay.com; client-ip=5.39.185.34
    X-ASG-Debug-ID: 1603227668-0a3ad0777a362720001-9MViKJ
    Received: from s1.gigabitjes.nl (s1.gigabitjes.nl [136.144.206.44]) by cluster02-d.mx-relay.com with ESMTP id EiFtMUqnx6ktRjoX (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for <[email protected]>; Tue, 20 Oct 2020 23:01:09 +0200 (CEST)
    X-Barracuda-Envelope-From: [email protected]
    X-Barracuda-Effective-Source-IP: s1.gigabitjes.nl[136.144.206.44]
    X-Barracuda-Apparent-Source-IP: 136.144.206.44
    Received: from s1.gigabitjes.nl (localhost [IPv6:::1])
        by s1.gigabitjes.nl (Postfix) with ESMTP id B6A781A3368
        for <[email protected]>; Tue, 20 Oct 2020 23:01:04 +0200 (CEST)
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="=_98e728012e026793f961be23ad78f986"
    Date: Tue, 20 Oct 2020 23:01:04 +0200
    From: "Bouke J. Henstra | ICT Diensten" <[email protected]>
    To: [email protected]
    Subject: [SPAM? SPF FAIL?]  Test
    Organization: Henstra ICT Diensten
    X-ASG-Orig-Subj: Test
    Message-ID: <[email protected]>
    X-Sender: [email protected]
    User-Agent: Roundcube Webmail/1.3.15
    X-Barracuda-Connect: s1.gigabitjes.nl[136.144.206.44]
    X-Barracuda-Start-Time: 1603227668
    X-Barracuda-Encrypted: TLS_AES_256_GCM_SHA384
    X-Barracuda-URL: https://cluster02.mx-relay.com:443/cgi-mod/mark.cgi
    X-Virus-Scanned: by bsmtpd at mx-relay.com
    X-Barracuda-Scan-Msg-Size: 707
    X-Barracuda-BRTS-Status: 1
    X-Barracuda-Spam-Score: 5.00
    X-Barracuda-Spam-Status: Yes, SCORE=5.00 using global scores of TAG_LEVEL=5.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=7.0 tests=HTML_MESSAGE, URLBL_FROM_BC
    X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.85414
        Rule breakdown below
         pts rule name              description
        ---- ---------------------- --------------------------------------------------
        5.00 URLBL_FROM_BC          URLBL_FROM_BC
                                   [URL: ict-diensten.com]
        0.00 HTML_MESSAGE           BODY: HTML included in message
    X-Barracuda-Spam-Flag: YES
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I would get in touch with them indeed, and remember it can take some time before DNS is propagated, so maybe when you wake up tomorrow everything is fine ;)
     
  13. Steini86

    Steini86 Active Member

    The problem is no longer the SPF, but now you are listed on the Barracuda blacklist. It might be that your own spam detection did that, because you tried to send mails for a domain you were not allowed to before (due to your SPF record).
    https://www.barracudacentral.org/lookups/lookup-reputation
    You can fill out a removal request here: https://www.barracudacentral.org/rbl/removal-request
     
