SPF check fails for lists subdomain
Hi,
my question is not related to Mailman directly, apologies for using this list. I configured the DNS records for my base domain and my lists subdomain identically (the DMARC policy records are also identical, but not listed here):
MX  @      mail.eden.one
TXT @      "v=spf1 mx ~all"
MX  lists  mail.eden.one
TXT lists  "v=spf1 mx ~all"
A   mail   123.123.123.123
But both Yahoo and Google report different SPF results for the two domains:
<policy_published>
  <domain>eden.one</domain>
  <adkim>s</adkim>
  <aspf>s</aspf>
  <p>quarantine</p>
  <pct>75</pct>
</policy_published>
<record>
  <row>
    <source_ip>123.123.123.123</source_ip>
    <count>3</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>

<policy_published>
  <domain>lists.eden.one</domain>
  <adkim>s</adkim>
  <aspf>s</aspf>
  <p>quarantine</p>
  <pct>75</pct>
</policy_published>
<record>
  <row>
    <source_ip>123.123.123.123</source_ip>
    <count>2</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
What could possibly cause this difference? The SPF test also fails for a different base domain with the same MX and SPF records.
- Jan
On 1/4/23 11:39, Jan Eden via Mailman-users wrote:
Hi,
my question is not related to Mailman directly, apologies for using this list. I configured the DNS records for my base domain and my lists subdomain identically (the DMARC policy records are also identical, but not listed here):
MX  @      mail.eden.one
TXT @      "v=spf1 mx ~all"
MX  lists  mail.eden.one
TXT lists  "v=spf1 mx ~all"
A   mail   123.123.123.123
But both Yahoo and Google report different SPF results for the two domains:
<policy_published>
  <domain>eden.one</domain>
  <adkim>s</adkim>
  <aspf>s</aspf>
  <p>quarantine</p>
  <pct>75</pct>
</policy_published>
<record>
  <row>
    <source_ip>123.123.123.123</source_ip>
    <count>3</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>

<policy_published>
  <domain>lists.eden.one</domain>
  <adkim>s</adkim>
  <aspf>s</aspf>
  <p>quarantine</p>
  <pct>75</pct>
</policy_published>
<record>
  <row>
    <source_ip>123.123.123.123</source_ip>
    <count>2</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
What could possibly cause this difference? The SPF test also fails for a different base domain with the same MX and SPF records.
Your spf for lists.mail.eden.one specifies its MX, which is also lists.mail.eden.one; however, mail from that domain arrives from IP 123.123.123.123, and presumably an rDNS lookup returns mail.eden.one, which is not lists.mail.eden.one, thus the failure.
Add the IP 123.123.123.123 to the spf and drop the MX since it doesn't work:
TXT lists "v=spf1 123.123.123.123 ~all"
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
I wrote:
Your spf for lists.mail.eden.one specifies its MX, which is also lists.mail.eden.one; however, mail from that domain arrives from IP 123.123.123.123, and presumably an rDNS lookup returns mail.eden.one, which is not lists.mail.eden.one, thus the failure.
Actually, I realize that I was misreading your DNS entries and your MX for both domains is in fact mail.eden.one. I am as puzzled as you about the failure.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 2023-01-04 12:40, Mark Sapiro wrote:
On 1/4/23 11:39, Jan Eden via Mailman-users wrote:
Hi,
my question is not related to Mailman directly, apologies for using this list. I configured the DNS records for my base domain and my lists subdomain identically (the DMARC policy records are also identical, but not listed here):
MX  @      mail.eden.one
TXT @      "v=spf1 mx ~all"
MX  lists  mail.eden.one
TXT lists  "v=spf1 mx ~all"
A   mail   123.123.123.123
But both Yahoo and Google report different SPF results for the two domains: What could possibly cause this difference? The SPF test also fails for a [...] different base domain with the same MX and SPF records.
Your spf for lists.mail.eden.one specifies its MX, which is also lists.mail.eden.one; however, mail from that domain arrives from IP 123.123.123.123, and presumably an rDNS lookup returns mail.eden.one, which is not lists.mail.eden.one, thus the failure.
Add the IP 123.123.123.123 to the spf and drop the MX since it doesn't work:
TXT lists "v=spf1 123.123.123.123 ~all"
This would explain a lot, but it also invalidates everything I thought I had understood about DNS records. Maybe the abbreviated records above (quoted from my provider's web interface) were misleading, so here's the output of dig:
eden.one.        60 IN MX  10 mail.eden.one.
eden.one.        60 IN TXT "v=spf1 mx ~all"
lists.eden.one.  60 IN MX  10 mail.eden.one.
lists.eden.one.  60 IN TXT "v=spf1 mx ~all"
mail.eden.one.   60 IN A   123.123.123.123
So an MX lookup for both eden.one and lists.eden.one returns the hostname mail.eden.one, which points to the address 123.123.123.123.
The SPF records for eden.one and lists.eden.one refer to the respective MX records (with the same target hostname). According to RFC 7208[1], the mx mechanism
"matches if <ip> is one of the MX hosts for a domain. [...]
check_host() first performs an MX lookup on the <target-name>. Then it performs an address lookup on each MX name returned. The <ip> is compared to each returned IP address. [...] If any address matches, the mechanism matches."
So in both cases, the MX mechanism should first retrieve mail.eden.one, and then 123.123.123.123 via DNS queries, and should match accordingly when the message was sent from mail.eden.one/123.123.123.123.
Although I could specify the IP address in my SPF records directly (as you suggested), I do hope that my understanding of DNS records laid out above is not entirely misguided. My current setup does work as expected for eden.one, after all.
- Jan
On 1/4/23 14:02, Jan Eden via Mailman-users wrote:
Although I could specify the IP address in my SPF records directly (as you suggested), I do hope that my understanding of DNS records laid out above is not entirely misguided. My current setup does work as expected for eden.one, after all.
As I said at <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/A37ELNBFLROFRYXKE3HX5OMLN37XEHQ7/> I was misreading your DNS and now I am as puzzled as you about the failure.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On 2023-01-04 15:07, Mark Sapiro wrote:
On 1/4/23 14:02, Jan Eden via Mailman-users wrote:
Although I could specify the IP address in my SPF records directly (as you suggested), I do hope that my understanding of DNS records laid out above is not entirely misguided. My current setup does work as expected for eden.one, after all.
As I said at <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/A37ELNBFLROFRYXKE3HX5OMLN37XEHQ7/> I was misreading your DNS and now I am as puzzled as you about the failure.
It gets even more mysterious. I tried sending messages from both lists.eden.one and janeden.net (my other domain) to a gmail account and to another mail provider. Both messages passed the SPF checks on both services (see the relevant headers quoted below). Now because I send those messages via my SMTP user (smtpuser@eden.one) and use SRS, the SPF check operates (and succeeds) on e.g. srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one (and not on somethingsomething@lists.eden.one or somethingsomething@janeden.net). Could this be the reason for the failed SPF checks in Yahoo's and Google's DMARC reports?
- Jan
==============================
Authentication-Results: posteo.de; dmarc=pass (p=quarantine dis=none) header.from=lists.eden.one
Authentication-Results: posteo.de; spf=pass smtp.mailfrom=eden.one
Authentication-Results: posteo.de; dkim=pass (2048-bit key) header.d=lists.eden.one header.i=@lists.eden.one header.b=8FtNB1m3; dkim-atps=neutral

Delivered-To: gmailuser@gmail.com
Received: by 2002:a05:7022:4584:b0:4b:2a9c:6c6f with SMTP id cf4csp83532dlb; Wed, 4 Jan 2023 23:29:12 -0800 (PST)
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.eden.one header.s=s42 header.b=lrjRRPic; spf=pass (google.com: domain of srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one designates 123.123.123.123 as permitted sender) smtp.mailfrom="SRS0=JDm+=5C=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=lists.eden.one
Received-SPF: pass (google.com: domain of srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one designates 123.123.123.123 as permitted sender) client-ip=123.123.123.123;
Authentication-Results: mx.google.com; dkim=pass header.i=@lists.eden.one header.s=s42 header.b=lrjRRPic; spf=pass (google.com: domain of srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one designates 123.123.123.123 as permitted sender) smtp.mailfrom="SRS0=JDm+=5C=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=lists.eden.one
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.eden.one; s=s42; t=1672903751;
    h=from:from:reply-to:reply-to:subject:subject:date:date:message-id:message-id:to:to:cc:mime-version:mime-version:content-type:content-type:list-id:list-help:list-owner:list-unsubscribe:list-subscribe:list-post;
    bh=q4JtVWzFRbBZ12C26k1xKRRVOBGue+2uV43xiHohi3M=;
    b=lrjRRPicpiyGUP11wjj76yIg8qHib1aUAS99+RNhSwYE9HzXctedXbdMXeY7WJyUc1gE2Z
    PFkDPZD6YMGIAY9N35fzgzoMgrgNAWkTLqDF7i5d0kEXEhEuQ+hLbRHKMcsD8XDVff41iY
    vLnygg85AKj5L4dvq/p5o4TEjmfaXHadRJ6ZI6qY67Yys1D+LqZzbfIQyvgUH+U986d0Ed
    SO3POUWJLcYNwwQk0UzTc4iIenM7042alew/wXoncDc1lnMQrAYHY/lPwGHFyqqyPebkLZ
    bE3nM4g8pM9ODXBbn0Vs7602SzCFkHs2l1QScFtV9+pZbPaKgYL5TW6Q8BT0MA==
Received: from client.eden.one (unknown [195.37.242.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Date: Thu, 5 Jan 2023 08:29:05 +0100
To: testlist@lists.eden.one
Subject: [Testlist] Test (Listenmail)
From: Jan Eden via Testlist <testlist@lists.eden.one>
Reply-To: Jan Eden <mailuser@eden.one>

==============================
Authentication-Results: posteo.de; dmarc=pass (p=quarantine dis=none) header.from=janeden.net
Authentication-Results: posteo.de; spf=pass smtp.mailfrom=eden.one
Authentication-Results: posteo.de; dkim=pass (2048-bit key) header.d=janeden.net header.i=@janeden.net header.b=VV5k+gN7; dkim-atps=neutral

Delivered-To: gmailuser@gmail.com
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@janeden.net header.s=s42 header.b=B8NPELsC; spf=pass (google.com: domain of srs0=xtlx=5c=janeden.net=mailuser@eden.one designates 123.123.123.123 as permitted sender) smtp.mailfrom="SRS0=Xtlx=5C=janeden.net=mailuser@eden.one"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=janeden.net
Received-SPF: pass (google.com: domain of srs0=xtlx=5c=janeden.net=mailuser@eden.one designates 123.123.123.123 as permitted sender) client-ip=123.123.123.123;
Authentication-Results: mx.google.com; dkim=pass header.i=@janeden.net header.s=s42 header.b=B8NPELsC; spf=pass (google.com: domain of srs0=xtlx=5c=janeden.net=mailuser@eden.one designates 123.123.123.123 as permitted sender) smtp.mailfrom="SRS0=Xtlx=5C=janeden.net=mailuser@eden.one"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=janeden.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=janeden.net; s=s42; t=1672903599;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:to:to:cc:mime-version:mime-version:content-type:content-type;
    bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
    b=B8NPELsC7r7WI62YOpEFUhESxumSjhP/aQNOlWRmusnTHgbHgjEHeCKNRhEDUeh+fRRVZw
    JnRVZx9WAU58/3UXx0XJIN6ivLYJnOtJ9vw3r1nVAzU6wk7RCE1Zx6zTJLybwHNijHcCn4
    A2cRJZc1IUfJTAok3RHclBB8c10difp5SNPKVGRtNEPAOEFnG5vaNecPvQWc0+4EyHNCYX
    WSEARKApxpL31gBcojCEHjtdAFgmcknReosUN9I3PUiQQIxqFQ6uU9hA6XWyg6qCsEAll7
    E1sGL9HopGIHQA2pHXPanQ9FZxOFou8BcjwN4w65Vygr78hAO5e2Ru6tDFwr4g==
Date: Thu, 5 Jan 2023 08:26:37 +0100
From: Jan Eden <mailuser@janeden.net>
To: gmailuser@googlemail.com
Subject: Test
On Thu, Jan 5, 2023 at 10:56 AM Jan Eden via Mailman-users <mailman-users@mailman3.org> wrote:
On 2023-01-04 15:07, Mark Sapiro wrote:
On 1/4/23 14:02, Jan Eden via Mailman-users wrote:
Although I could specify the IP address in my SPF records directly (as you suggested), I do hope that my understanding of DNS records laid out above is not entirely misguided. My current setup does work as expected for eden.one, after all.
As I said at < https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/...
I was misreading your DNS and now I am as puzzled as you about the failure.
It gets even more mysterious. I tried sending messages from both lists.eden.one and janeden.net (my other domain) to a gmail account and to another mail provider. Both messages passed the SPF checks on both services (see the relevant headers quoted below). Now because I send those messages via my SMTP user (smtpuser@eden.one) and use SRS, the SPF check operates (and succeeds) on e.g. srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one (and not on somethingsomething@lists.eden.one or somethingsomething@janeden.net). Could this be the reason for the failed SPF checks in Yahoo's and Google's DMARC reports?
- Jan
Might you be willing to use proven tools instead of trying so hard to understand the myth?
I use https://easydmarc.com/tools#spf-tools. It allows me to generate, lookup, and test SPF, DKIM, DMARC, etc.
-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
On 2023-01-05 11:13, Odhiambo Washington wrote:
On Thu, Jan 5, 2023 at 10:56 AM Jan Eden via Mailman-users <mailman-users@mailman3.org> wrote:
On 2023-01-04 15:07, Mark Sapiro wrote:
On 1/4/23 14:02, Jan Eden via Mailman-users wrote:
Although I could specify the IP address in my SPF records directly (as you suggested), I do hope that my understanding of DNS records laid out above is not entirely misguided. My current setup does work as expected for eden.one, after all.
As I said at < https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/...
I was misreading your DNS and now I am as puzzled as you about the failure.
It gets even more mysterious. I tried sending messages from both lists.eden.one and janeden.net (my other domain) to a gmail account and to another mail provider. Both messages passed the SPF checks on both services (see the relevant headers quoted below). Now because I send those messages via my SMTP user (smtpuser@eden.one) and use SRS, the SPF check operates (and succeeds) on e.g. srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one (and not on somethingsomething@lists.eden.one or somethingsomething@janeden.net). Could this be the reason for the failed SPF checks in Yahoo's and Google's DMARC reports?
- Jan
Might you be willing to use proven tools instead of trying so hard to understand the myth?
I use https://easydmarc.com/tools#spf-tools. It allows me to generate, lookup, and test SPF, DKIM, DMARC, etc.
I did use adequate tools to generate and test my DNS records, and this is why the DMARC reports quoted in my initial message are mysterious to me. Trying hard to solve a mystery might not be productive in every case, but I do not want to stop being curious.
- Jan
On 2023-01-05 08:55, Jan Eden via Mailman-users wrote:
On 2023-01-04 15:07, Mark Sapiro wrote:
On 1/4/23 14:02, Jan Eden via Mailman-users wrote:
Although I could specify the IP address in my SPF records directly (as you suggested), I do hope that my understanding of DNS records laid out above is not entirely misguided. My current setup does work as expected for eden.one, after all.
As I said at <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/A37ELNBFLROFRYXKE3HX5OMLN37XEHQ7/> I was misreading your DNS and now I am as puzzled as you about the failure.
It gets even more mysterious. I tried sending messages from both lists.eden.one and janeden.net (my other domain) to a gmail account and to another mail provider. Both messages passed the SPF checks on both services (see the relevant headers quoted below). Now because I send those messages via my SMTP user (smtpuser@eden.one) and use SRS, the SPF check operates (and succeeds) on e.g. srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one (and not on somethingsomething@lists.eden.one or somethingsomething@janeden.net). Could this be the reason for the failed SPF checks in Yahoo's and Google's DMARC reports?
There was never a mystery, just my complete ignorance wrt DMARC and alignment[1]. Changing the DMARC DNS entry for lists.eden.one (more specifically, the aspf tag) solved the issue:
<policy_published>
  <domain>lists.eden.one</domain>
  <adkim>s</adkim>
  <aspf>r</aspf>
  <p>quarantine</p>
  <sp>quarantine</sp>
  <pct>75</pct>
</policy_published>
<record>
  <row>
    <source_ip>123.123.123.123</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
For other domains, I would need to turn off SRS, which is not possible for independent reasons.
- Jan
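The resolution above, as an added worked example that is not part of the thread: a small Python model of the RFC 7208 mx mechanism (the reasoning Jan quoted from the RFC earlier) followed by the RFC 7489 SPF alignment check, fed by a constructed DNS table that copies the dig output above. It assumes the SRS-rewritten envelope sender domain is eden.one, as the Google headers show, and uses a simplified organizational-domain rule (last two labels) in place of the Public Suffix List.

```python
# Added example, not code from the thread or from Mailman. Models why a raw
# SPF check passes for both domains while DMARC reports "spf=fail" for the
# lists subdomain: DMARC requires the SPF-authenticated (envelope) domain to
# align with the From: header domain, and SRS rewrites the envelope to eden.one.
from typing import Dict, List

# Constructed DNS table mirroring the dig output quoted in the thread.
DNS: Dict[str, Dict[str, List[str]]] = {
    "eden.one":       {"MX": ["mail.eden.one"], "TXT": ["v=spf1 mx ~all"]},
    "lists.eden.one": {"MX": ["mail.eden.one"], "TXT": ["v=spf1 mx ~all"]},
    "janeden.net":    {"MX": ["mail.eden.one"], "TXT": ["v=spf1 mx ~all"]},
    "mail.eden.one":  {"A": ["123.123.123.123"]},
}

def lookup(name: str, rtype: str) -> List[str]:
    return DNS.get(name, {}).get(rtype, [])

def spf_check_host(ip: str, domain: str) -> str:
    """RFC 7208 check_host(), restricted to the mechanisms used here: mx and all."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "mx":
            # RFC 7208 section 5.4: MX lookup, then address lookup on each MX name.
            mx_ips = [a for mx in lookup(domain, "MX") for a in lookup(mx, "A")]
            matched = ip in mx_ips
        elif mech == "all":
            matched = True
        else:
            return "permerror"  # other mechanisms are not modelled in this example
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def org_domain(domain: str) -> str:
    # Simplified assumption: organizational domain = last two labels.
    # Real DMARC evaluators consult the Public Suffix List instead.
    return ".".join(domain.split(".")[-2:])

def dmarc_spf_result(ip: str, mail_from_domain: str, header_from_domain: str, aspf: str) -> str:
    """DMARC's SPF verdict: SPF must pass AND the envelope domain must align with From:."""
    if spf_check_host(ip, mail_from_domain) != "pass":
        return "fail"
    if aspf == "s":  # strict: exact match of the two domains
        aligned = mail_from_domain == header_from_domain
    else:            # relaxed: same organizational domain suffices
        aligned = org_domain(mail_from_domain) == org_domain(header_from_domain)
    return "pass" if aligned else "fail"

if __name__ == "__main__":
    ip, envelope = "123.123.123.123", "eden.one"  # SRS-rewritten MAIL FROM
    for hdr_from, aspf in [("eden.one", "s"), ("lists.eden.one", "s"),
                           ("lists.eden.one", "r"), ("janeden.net", "r")]:
        print(hdr_from, "aspf=" + aspf, dmarc_spf_result(ip, envelope, hdr_from, aspf))
```

The last case shows why relaxing aspf does not help janeden.net: its organizational domain differs from the SRS envelope domain eden.one, so only a non-rewritten envelope (no SRS) or DKIM alignment can satisfy DMARC there.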