[PLUG] postfix spf rejection

wes plug at the-wes.com
Sun Jul 24 18:51:39 UTC 2016


On Sun, Jul 24, 2016 at 9:52 AM, Michael Rasmussen <michael at jamhome.us>
wrote:

> Investigating an instance of SPF rejection by postfix.
>
> The postfix SPF module receiving mail for @michaelsnet.us is rejecting
> email from @michaelrpdx.com
>
> Relevant log message:
> Jul 24 09:36:58 rumpus postfix/smtpd[3844]: NOQUEUE: reject: RCPT from
> cave.michaelrpdx.com[167.88.112.146]: 550 5.7.1 <michael at michaelsnet.us>:
> Recipient address rejected: Message
> rejected due to: SPF fail - not authorized. Please see
> http://www.openspf.net/Why?s=mfrom;id=michael@michaelrpdx.com;ip=167.88.112.146;r=michael@michaelsnet.us
> ;
> from=<michael at michaelrpdx.com> to=<michael at michaelsnet.us> proto=ESMTP
> helo=<cave.michaelrpdx.com>
> Jul 24 09:36:59 rumpus postfix/smtpd[3844]: disconnect from
> cave.michaelrpdx.com[167.88.112.146]
>
>
[blah blah blah...]


> In short, postfix's SPF checker is the only entity that associates
> 167.88.112.146 with cave.michaelsnet.us
>
> Having beat my head against the wall attempting to resolve this I'm pretty
> sure I'm missing something simple.
>
> What is, or may be, causing this?
>
>
I don't have a solid answer for you, but I can add that I've seen a few
similar failures elsewhere recently. Your actual SPF record is as follows:

$ host -t txt michaelrpdx.com
michaelrpdx.com         TXT     "v=spf1 mx a"

Which instructs postfix to look up the mx record for michaelrpdx.com and
automatically authorize that host to send emails for that domain. This
relies on the second DNS lookup (the first being for the SPF record) to
succeed, which may not always be the case. I would advise adding the IP
address of the server to your SPF record. This has worked well for me in
the past in similar situations.

Hopefully someone else has better ideas. I'll be looking for them also.

-wes



More information about the PLUG mailing list