zone /IN: found SPF/TXT record but no SPF/SPF record found, add matching type SPF record

Discussion in 'Installation/Configuration' started by commentator, Aug 17, 2015.

  1. commentator

    commentator Member

    Hello,

    Testing a new server with this setup https://www.howtoforge.com/tutorial/perfect-server-debian-8-jessie-apache-bind-dovecot-ispconfig-3/
    Seems to be working ok, except this. When restarting bind I see in the log:
    Code:
    zone mydomain.example/IN: 'mydomain.example' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    zone other.domain/IN: 'other.domain' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    
    pri.mydomain.example:
    Code:
    $TTL        300
    @       IN      SOA     ns1.mydomain.example. postmaster.mydomain.example. (
                            2015081509       ; serial, todays date + todays serial #
                            7200              ; refresh, seconds
                            540              ; retry, seconds
                            604800              ; expire, seconds
                            300 )            ; minimum, seconds
    ;
    
    
    mail 3600 A        xxx.xxx.xxx.xxx
    mydomain.example. 3600 A        xxx.xxx.xxx.xxx
    ns1 300 A        xxx.xxx.xxx.xxx
    server1 300 A        xxx.xxx.xxx.xxx
    webmail 300 A        xxx.xxx.xxx.xxx
    www 3600 A        xxx.xxx.xxx.xxx
    pop3 3600      CNAME        server1.mydomain.example
    mydomain.example. 3600      MX    10   mail.mydomain.example.
    mydomain.example. 3600      NS        ns1.mydomain.example.
    mydomain.example. 3600      NS        ns1.myprovider.example.
    mydomain.example 300      TXT        "v=spf1 +a +mx ~all ptr"
    
    pri.other.domain:
    Code:
    $TTL        3600
    @       IN      SOA     ns1.mydomain.example. postmaster.other.domain. (
                            2015081701       ; serial, todays date + todays serial #
                            7200              ; refresh, seconds
                            540              ; retry, seconds
                            604800              ; expire, seconds
                            86400 )            ; minimum, seconds
    ;
    
    mail 3600 A        xxx.xxx.xxx.xxx
    other.domain. 3600 A        xxx.xxx.xxx.xxx
    webmail 3600 A        xxx.xxx.xxx.xxx
    www 3600 A        xxx.xxx.xxx.xxx
    other.domain. 3600      MX    10   mail.other.domain.
    other.domain. 3600      NS        ns1.mydomain.example.
    other.domain. 3600      NS        ns1.myprovider.example.
    other.domain. 1800      TXT        "v=spf1 +a +mx ~all"
    
    What's wrong? And how to solve it?
     
  2. florian030

    florian030 ISPConfig Developer

    Use "v=spf1 a mx ~all" instead of "v=spf1 +a +mx ~all"
     
  3. commentator

    commentator Member

    Hello, thanks for the reply. Tried that, but still the same message in the log.
     
  4. florian030

    florian030 ISPConfig Developer

  5. commentator

    commentator Member

    ok, thanks.
    The file /etc/systemd/system/named.service doesn't exist in Debian Jessie.

    Btw, it looks like SPF doesn't work at all:
    Authentication-Results: hotmail.com; spf=none (sender IP is xxx.xxx.xxx.xxx) smtp.mailfrom=[email protected]; dkim=none header.d=mydomain.example; x-hmca=none header.id=[email protected]
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

  7. till

    till Super Moderator Staff Member ISPConfig Developer

  8. commentator

    commentator Member

    Update: for mydomain.example it's
    Code:
    The TXT records found for your domain are:
    
    Checking to see if there is a valid SPF record.
    
    No valid SPF record found of either type TXT or type SPF.
    
    for the other domain:
    Code:
    
    evaluating...
    SPF record passed validation test with pySPF (Python SPF library)!
    
    Is it possible "ptr" isn't accepted?

    Maybe that's it.
     
    Last edited: Aug 18, 2015
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Try this spf for mydomain.example.

    v=spf1 +a +mx +ptr ~all
     
  10. commentator

    commentator Member

    Thanks for the reply. I'm a bit confused now:
    so with or without +?
     
  11. florian030

    florian030 ISPConfig Developer

    This makes no difference and is not related to your problem in #1.

    If you use "mydomain.example 300 TXT "v=spf1 +a +mx ~all ptr"", maybe adding "mydomain.example 300 SPF "v=spf1 +a +mx ~all ptr"" solves your problem.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    @florian: Not quite sure if the order matters so that ~all has to be at the end?
     
  13. florian030

    florian030 ISPConfig Developer

    The mechanisms are evaluated in order. You can use +mx, but this makes no sense if you use ~all for the rest.
    I suggest keeping SPF records simple. Just use mx (and maybe a), never use ptr (see RFC 7208), avoid includes, and put your all mechanism at the end.
    I would not use "v=spf1 +a +mx -all". Keep it simple and use "v=spf1 a mx -all" (+ is the default).
     
  14. commentator

    commentator Member

    Ok, thanks for the explanation.
    What would be the best SPF for this situation? (server1.mydomain.example is the mail server)
    I have [email protected] and also [email protected] & [email protected]
    [email protected] is a mailbox and is also forwarded to a Hotmail address
    [email protected] is a mailbox and is also forwarded to a Gmail address

    I also have an email [email protected], and this is just a forward to [email protected]
    And I also have [email protected], and this is just a forward to [email protected]

    Is a special SPF needed, or just "v=spf1 a mx ~all"?
     
    Last edited: Aug 22, 2015
  15. florian030

    florian030 ISPConfig Developer

    The SPF record depends on your server / IPs.
    If you have only one IP and have an MX record for this IP: v=spf1 mx ~all
    If you use additional MX servers to send mail, add them: v=spf1 mx mx:2nd.example.com ~all
    If you send mail from IPs that have no MX record but an A record: v=spf1 mx a ~all or v=spf1 mx a:1.2.3.4 ~all
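
The rules florian030 describes in #13 and #15 can be checked without a DNS server. The Python below is an added example for this thread, not code from ISPConfig, BIND or any poster: it parses a record into terms, lints it and evaluates it left to right. It shows that `+` is the default qualifier (so `+a +mx` and `a mx` are the same record), that anything after `all` is never reached (so the trailing `ptr` in the record from #1 does nothing), that `ptr` is deprecated by RFC 7208 regardless, and that `a:` takes a domain name, so an address literal such as `a:1.2.3.4` belongs in `ip4:` instead. No DNS is queried; the `LOOKUPS` table and all names and addresses are constructed stand-ins for what `a`, `mx` and the hypothetical second MX would resolve to.

```python
"""Offline SPF linter and evaluator. Added example for this thread; not code from
ISPConfig, BIND or any poster. No DNS is queried: LOOKUPS below is a constructed
stand-in for what 'a', 'mx' and similar terms would resolve to."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists"}  # each costs a DNS lookup
MAX_LOOKUPS = 10                                        # RFC 7208 section 4.6.4


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_record(record):
    """Split 'v=spf1 ...' into [(qualifier, mechanism, argument)] and {modifier: value}.

    A missing qualifier means '+', so 'mx' and '+mx' are the same term."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms, modifiers = [], {}
    for tok in tokens[1:]:
        if "=" in tok:                                  # modifier, e.g. redirect=example.org
            key, _, value = tok.partition("=")
            modifiers[key.lower()] = value
            continue
        qualifier = "+"
        if tok[:1] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        name, _, arg = tok.partition(":")
        if "/" in name:                                 # bare 'a/24' style CIDR suffix
            name, _, cidr = name.partition("/")
            arg = "/" + cidr
        terms.append((qualifier, name.lower(), arg))
    return terms, modifiers


def lint(record):
    """Return findings for a record; an empty list means nothing to complain about."""
    findings, seen_all, lookups = [], False, 0
    terms, modifiers = parse_record(record)
    for qualifier, name, arg in terms:
        if name not in MECHANISMS:
            findings.append(f"unknown mechanism '{name}'")
            continue
        if seen_all:                                    # RFC 7208 section 5.1: never evaluated
            findings.append(f"'{qualifier}{name}' after 'all' is never evaluated")
        if name == "ptr":                               # RFC 7208 section 5.5: SHOULD NOT be used
            findings.append("'ptr' is deprecated")
        if name in ("a", "mx") and is_ip_literal(arg.split("/")[0]):
            findings.append(f"'{name}:{arg}' takes a domain name; use ip4:/ip6: for an address")
        lookups += name in LOOKUP_TERMS
        seen_all = seen_all or name == "all"
    lookups += "redirect" in modifiers
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    if not seen_all and "redirect" not in modifiers:
        findings.append("no 'all' mechanism: unmatched senders get 'neutral'")
    return findings


def evaluate(record, sender_ip, lookups):
    """First matching mechanism, left to right, decides; its qualifier is the result.

    `lookups` maps 'mechanism:argument' to a set of networks, standing in for DNS.
    include/exists/ptr are treated as pre-resolved sets here for brevity."""
    ip = ipaddress.ip_address(sender_ip)
    terms, _ = parse_record(record)
    for qualifier, name, arg in terms:
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            matched = any(ip in net for net in lookups.get(f"{name}:{arg}", ()))
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                    # no 'all' and nothing matched


# Constructed: the mail server from #1 on 192.0.2.10 and a hypothetical second MX.
LOOKUPS = {
    "a:": {ipaddress.ip_network("192.0.2.10/32")},
    "mx:": {ipaddress.ip_network("192.0.2.10/32")},
    "mx:2nd.example.com": {ipaddress.ip_network("198.51.100.0/24")},
}

if __name__ == "__main__":
    for rec in ("v=spf1 +a +mx ~all ptr", "v=spf1 a mx ~all", "v=spf1 mx a:1.2.3.4 ~all"):
        print(rec, "->", lint(rec) or "clean")
    for ip in ("192.0.2.10", "203.0.113.5"):
        print(ip, "->", evaluate("v=spf1 a mx ~all", ip, LOOKUPS))
```

Because evaluation stops at the first match, the position of a term is what matters: `v=spf1 -ip4:192.0.2.0/24 a mx ~all` fails the server's own address even though `a` would have passed it, which is why the `all` term goes last and nothing goes after it.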
     
  16. r04k1ll

    r04k1ll New Member

    This seems to work.
    Code:
    @            IN    TXT            "v=spf1 mx  -all"
    @            IN    SPF            "v=spf1 mx -all"
    host        IN    TXT            "v=spf1 a:host.domain.tld -all"
    host        IN    SPF            "v=spf1 a:host.domain.tld -all"
     
  17. florian030

    florian030 ISPConfig Developer

    SPF records were deprecated in 2014. You need the TXT records only. RFC 7208.
     
  18. r04k1ll

    r04k1ll New Member

    I am aware the SPF RR is deprecated; still, bind stops logging any problems when it is added to the zone file.
     
  19. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member

    Are you running an outdated version of bind? I sure don't see any complaints with bind9 9.9.5.dfsg-9+deb8 (maybe my logging options kill that though?).
     
  20. Jonathan Marsden

    Jonathan Marsden New Member

    I am seeing this unwanted behaviour using BIND 9.9.5-9+deb8u10-Debian under Debian Jessie 8.7.
    You can also see the "error" messages by doing

    named-checkzone example.com /etc/bind/pri.example.com

    where example.com is the domain being tested.
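
The check named-checkzone runs in #20 can be reproduced, with the rule the thread settles on in #17 applied instead of BIND 9.9's, by the Python audit below. It is an added example, not BIND, ISPConfig or any poster's code. It parses a master-file fragment and reports per RFC 7208: what receivers query is a TXT record starting with `v=spf1` at the sending name, a type-SPF record is redundant (flagged, not demanded), and two SPF TXT records at one name are a permerror. It also applies master-file owner semantics, where a name without a trailing dot is relative to the origin: as written in #1, `mydomain.example 300 TXT ...` in a zone whose origin is mydomain.example. would be published at mydomain.example.mydomain.example., whereas the TXT record in pri.other.domain carries the dot, so the audit flags that pattern. The zone text is constructed from the records in #1 with documentation addresses; `$ORIGIN`, if present, is honoured.

```python
"""Offline audit of the SPF records in a BIND master file. Added example for this
thread; not BIND, ISPConfig or any poster's code. The zone text below is constructed
from the records in #1, with addresses replaced by a documentation prefix."""
import shlex

RR_CLASSES = {"IN", "CH", "HS"}


def strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def absolutize(name, origin):
    """Master-file owner rules: '@' is the origin, a trailing dot is absolute,
    anything else is relative to the origin (RFC 1035 section 5.1)."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return [(owner_fqdn, rtype, rdata_tokens)] for a master-file fragment."""
    origin = origin.rstrip(".").lower() + "."
    records, last_owner, in_paren = [], origin, False
    for raw in text.splitlines():
        line = strip_comment(raw)
        if in_paren:                                  # inside a multi-line SOA ( ... )
            in_paren = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower() + "."
            continue
        if not line.strip() or line.startswith("$"):  # blank, $TTL and other directives
            continue
        tokens = shlex.split(line)                    # keeps a quoted TXT string as one token
        owner = last_owner if raw[0].isspace() else absolutize(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in RR_CLASSES):
            tokens.pop(0)                             # optional TTL and class
        if tokens:
            records.append((owner, tokens[0].upper(), tokens[1:]))
            in_paren = "(" in tokens and ")" not in tokens
    return records


def audit_spf(records, origin):
    """RFC 7208: receivers query TXT only, one SPF TXT per name; type SPF is redundant."""
    origin = origin.rstrip(".").lower() + "."
    base = origin.rstrip(".")
    spf = {}                                          # owner -> {"TXT": [...], "SPF": [...]}
    for owner, rtype, rdata in records:
        text = "".join(rdata)                         # TXT may be split into several strings
        if rtype in ("TXT", "SPF") and text.lower().startswith("v=spf1"):
            spf.setdefault(owner, {"TXT": [], "SPF": []})[rtype].append(text)
    findings = []
    if not spf.get(origin, {}).get("TXT"):
        findings.append(f"{origin}: no SPF TXT record at the zone apex")
    for owner, recs in sorted(spf.items()):
        if owner.rstrip(".").endswith(f"{base}.{base}"):
            findings.append(f"{owner}: looks like a relative owner name missing its trailing dot")
        if len(recs["TXT"]) > 1:
            findings.append(f"{owner}: {len(recs['TXT'])} SPF TXT records is a permerror")
        if recs["SPF"] and not recs["TXT"]:
            findings.append(f"{owner}: type-SPF record only; receivers query TXT")
        elif recs["SPF"]:
            findings.append(f"{owner}: type-SPF record is redundant; TXT alone is enough")
            if sorted(recs["SPF"]) != sorted(recs["TXT"]):
                findings.append(f"{owner}: TXT and type-SPF records differ")
    return findings


# Constructed from pri.mydomain.example in #1; note the TXT owner has no trailing dot.
ZONE_AS_POSTED = """\
$TTL 300
@ IN SOA ns1.mydomain.example. postmaster.mydomain.example. (
    2015081509 ; serial
    7200 540 604800 300 )
mail 3600 A 192.0.2.10
mydomain.example. 3600 A 192.0.2.10
mydomain.example. 3600 MX 10 mail.mydomain.example.
mydomain.example. 3600 NS ns1.mydomain.example.
mydomain.example 300 TXT "v=spf1 +a +mx ~all ptr"
"""
# Same zone with the owner made absolute, as the TXT record in pri.other.domain is.
ZONE_FIXED = ZONE_AS_POSTED.replace("mydomain.example 300 TXT", "mydomain.example. 300 TXT")
# Fixed zone plus the matching type-SPF copy the BIND 9.9 warning asks for.
ZONE_WITH_SPF_RR = ZONE_FIXED + 'mydomain.example. 300 SPF "v=spf1 +a +mx ~all ptr"\n'

if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_AS_POSTED), ("owner absolute", ZONE_FIXED),
                        ("with type-SPF copy", ZONE_WITH_SPF_RR)):
        print(f"--- {label}")
        print("\n".join(audit_spf(parse_zone(zone, "mydomain.example"), "mydomain.example") or ["clean"]))
```

Run against the zone as posted it reports no SPF TXT at the apex and the doubled owner name; with the trailing dot added it is clean; with the extra type-SPF record it only notes that the copy is redundant, which is the opposite of what the BIND 9.9 message asks for and matches RFC 7208.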
     
