Like Odhiambo, I see "v=spf1 -all" and nothing else. I see you're using Linode for public DNS, and going through all 5 of their servers directly they're all replying with the record Stephen saw. If I had to guess we're seeing a transient from Linode when you were updating the record at some point that has now gotten cached somewhere unfortunate (like Google...) and has a TTL you now wish were shorter.
As for the record itself, I fully agree with Stephen's recommendation. Get the extra stuff out, and that '=' is currently breaking the IP clause, and the IP clause is what you need most.
-Joel
On 5/20/2023 10:36 AM, Stephen Turnbull wrote:
Christian writes:
> 550-5.7.26 The MAIL FROM domain [lists.ccalternatives.org] has an SPF record
This says it's parsing your mail session and using the MAIL FROM.
> 550-5.7.26 with a hard fail policy (-all) but it fails to pass SPF checks with
> 550-5.7.26 the ip: [192.46.218.224].
At least Google is seeing the mail arrive from the expected IP address.
> To best protect our users from spam and
> 550-5.7.26 phishing, the message has been blocked.
> Could the hard fail policy be implicated in the gmail rejection?
It certainly could. However I would expect the DSN to say "because of the hard fail specification we are rejecting your email" in that case. This looks like a Gmail policy to me.
> Other than readdressing my server, is there anything else I can do?
I don't think readdressing is going to help unless you're referring to the PTR issue mentioned below.
I see the same SPF record you have described before: lists.ccalternatives.org descriptive text "v=spf1 a mx ip4=192.46.218.224 -all" so I'm not sure what is going on with Odhiambo's lookup. However, there is an error (the '=' after ipv4 should be ':'), and it has some other problems:
- the 'mx' mechanism is a no-op because lists.ccalternatives.org has no MX record.
- the PTR for 192.46.218.224 points to mail.ccalternatives.org, not to lists.ccalternatives.org.

Neither should cause an SPF check to fail but they make the check more expensive.
I would simplify your TXT record to "v=spf1 ip4:192.46.218.224 -all" because the 'a' mechanism isn't working and the 'mx' mechanism is a no-op. That's really all you need.
Steve
-- Joel Lord
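
The effect of the '=' discussed in this thread, as an added example that is not part of the original messages: under RFC 7208 a term of the form name=value is a modifier, and unrecognized modifiers are ignored, so `ip4=192.46.218.224` authorizes nothing. The linter below is a sketch with hypothetical names (`lint_spf`, `ip_listed`, `PUBLISHED`, `SUGGESTED`); it checks only literal ip4/ip6 terms and does no DNS lookups for `a` or `mx`.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
KNOWN_MODIFIERS = {"redirect", "exp"}
# RFC 7208 modifier syntax: name "=" value
MODIFIER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=")
MECH_RE = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)(?:([:/])(.*))?$")


def lint_spf(record):
    """Return (literal ip4/ip6 networks, warnings) for one SPF TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [], ["not an SPF record: missing v=spf1"]
    networks, warnings = [], []
    for term in terms[1:]:
        mod = MODIFIER_RE.match(term)
        if mod:
            name = mod.group(1).lower()
            if name in MECHANISMS:
                warnings.append(f"{term}: '=' turns this into an unknown "
                                f"modifier, which is ignored; use {name}:")
            elif name not in KNOWN_MODIFIERS:
                warnings.append(f"{term}: unknown modifier, ignored")
            continue
        mech = MECH_RE.match(term)
        if not mech or mech.group(1).lower() not in MECHANISMS:
            warnings.append(f"{term}: not a valid mechanism")
            continue
        name, sep, arg = mech.group(1).lower(), mech.group(2), mech.group(3)
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg if sep == ":" else "", strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
                networks.append(net)
            except ValueError:
                warnings.append(f"{term}: bad {name} network")
    return networks, warnings


def ip_listed(record, ip):
    """True if ip matches a literal ip4/ip6 mechanism (no DNS lookups)."""
    return any(ipaddress.ip_address(ip) in net for net in lint_spf(record)[0])


PUBLISHED = "v=spf1 a mx ip4=192.46.218.224 -all"  # record quoted in the thread
SUGGESTED = "v=spf1 ip4:192.46.218.224 -all"       # simplified record from the thread
```

Running `lint_spf(PUBLISHED)` returns no networks and one warning for the `ip4=` term, while `ip_listed(SUGGESTED, "192.46.218.224")` is true.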