On 2023-01-04 12:40, Mark Sapiro wrote:
On 1/4/23 11:39, Jan Eden via Mailman-users wrote:
Hi,
my question is not related to Mailman directly, apologies for using this list. I configured the DNS records for my base domain and my lists subdomain identically (the DMARC policy records are also identical, but not listed here):
MX   @      mail.eden.one
TXT  @      "v=spf1 mx ~all"
MX   lists  mail.eden.one
TXT  lists  "v=spf1 mx ~all"
A    mail   123.123.123.123
But both Yahoo and Google report different SPF results for the two domains: What could possibly cause this difference? The SPF test also fails for a [...] different base domain with the same MX and SPF records.
Your spf for lists.mail.eden.one specifies its MX which is also lists.mail.eden.one, however mail from that domain arrives from IP 123.123.123.123 and presumably an rDNS lookup returns mail.eden.one which is not lists.mail.eden.one, thus the failure.
Add the IP 123.123.123.123 to the spf and drop the MX since it doesn't work
TXT lists "v=spf1 ip4:123.123.123.123 ~all"
This would explain a lot, but it also invalidates everything I thought to have understood about DNS records. Maybe the abbreviated records above (quoted from my provider's web interface) were misleading, so here's the output of dig:
eden.one.        60  IN  MX   10 mail.eden.one.
eden.one.        60  IN  TXT  "v=spf1 mx ~all"
lists.eden.one.  60  IN  MX   10 mail.eden.one.
lists.eden.one.  60  IN  TXT  "v=spf1 mx ~all"
mail.eden.one.   60  IN  A    123.123.123.123
So an MX lookup for both eden.one and lists.eden.one returns the hostname mail.eden.one, which points to the address 123.123.123.123.
The SPF records for eden.one and lists.eden.one refer to the respective MX records (with the same target hostname). According to RFC 7208[1], the mx mechanism
"matches if <ip> is one of the MX hosts for a domain. [...]
check_host() first performs an MX lookup on the <target-name>. Then it performs an address lookup on each MX name returned. The <ip> is compared to each returned IP address. [...] If any address matches, the mechanism matches."
So in both cases, the MX mechanism should first retrieve mail.eden.one, and then 123.123.123.123 via DNS queries, and should match accordingly when the message was sent from mail.eden.one/123.123.123.123.
Although I could specify the IP address in my SPF records directly (as you suggested), I do hope that my understanding of DNS records laid out above is not entirely misguided. My current setup does work as expected for eden.one, after all.
- Jan
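To check the reading of RFC 7208 laid out in this thread, here is an added Python example (not posted by anyone in the thread) that evaluates the mx, ip4 and all mechanisms against a constructed copy of the zone data from the dig output above; it also shows why a bare IP address without the ip4: prefix is a syntax error rather than a match.

```python
"""Toy RFC 7208 evaluator for the mx, ip4 and all mechanisms (added example)."""
import ipaddress

# Constructed zone table mirroring the dig output in the thread; no live DNS is queried.
DNS = {
    ("eden.one", "MX"): ["mail.eden.one"],
    ("eden.one", "TXT"): ['"v=spf1 mx ~all"'],
    ("lists.eden.one", "MX"): ["mail.eden.one"],
    ("lists.eden.one", "TXT"): ['"v=spf1 mx ~all"'],
    ("mail.eden.one", "A"): ["123.123.123.123"],
}

def lookup(name, rtype):
    return DNS.get((name.rstrip(".").lower(), rtype), [])

def mx_matches(ip, domain):
    """RFC 7208 section 5.4: MX lookup on the domain, A lookup on each MX host, compare each address.
    Note that the sender's rDNS plays no part here; only the MX hosts' addresses are compared."""
    return any(ip in lookup(host, "A") for host in lookup(domain, "MX"))

def check_host(ip, domain):
    """Evaluate the domain's SPF record for the connecting IP; returns the SPF result string."""
    records = [r.strip('"') for r in lookup(domain, "TXT") if r.strip('"').lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error (section 4.5)
    ip_obj = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "mx":
            matched = mx_matches(ip, arg or domain)
        elif mech == "ip4":
            matched = ip_obj in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # unknown mechanism name (e.g. a bare IP) is a syntax error
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # no mechanism matched and no default given (section 4.7)

if __name__ == "__main__":
    for d in ("eden.one", "lists.eden.one"):
        print(d, check_host("123.123.123.123", d))
```

Under this evaluator both domains return pass for 123.123.123.123, which is what the quoted RFC text predicts; a receiver that reports otherwise is not failing on the mx mechanism as specified.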