SPF DKIM failure for mails relayed via Linux Outbound servers
Posted by Varsha Girijan on 05 July 2019 09:57:18 PM

Recently, we came across cases where emails sent via the "linux-outbound" server were getting rejected at "hdfcbank.com" or "hotmail" due to SPF and DKIM failures.

We usually add SPF as +a:linux-outbound-1.webhostbox.net, which allows email from the IP addresses in the A records of linux-outbound-1.webhostbox.net. Recently, however, we noticed cases where not all IP addresses of the routing server had been added as A records of the outbound server, so SPF checks failed. In such cases, we manually tried to include the TXT record or the IP addresses of the relaying server.

Although the SPF syntax was correct, validation returned a PermError (as shown below):

FAILED=====================================================

v=spf1 record for shivautowings.com: 
v=spf1 +mx +a +include:linux-outbound-1.webhostbox.net +ip4:162.251.80.23 +ip4:207.174.214.12 ~all

evaluating...
Results - PermError SPF Permanent Error: No valid SPF record for included domain: linux-outbound-1.webhostbox.net: +include:linux-outbound-1.webhostbox.net
=======================================================

This is because linux-outbound-1.webhostbox.net was added with the "include" mechanism of SPF, which by default looks up the TXT (SPF) record of the included domain. In our case, the IPs for linux-outbound-1.webhostbox.net are published as A records, not as a TXT record.

Modify the record to something like the following and it should work:

v=spf1 a mx a:linux-outbound.webhostbox.net a:linux-outbound-1.webhostbox.net ~all


The IP addresses that are missing from linux-outbound-1.webhostbox.net are present in linux-outbound.webhostbox.net, so the above record should pass SPF checks.

We do not need to add the shared server's IP address separately in the TXT record, as it is already covered by SPF when we add mx to it. So you can use the final record below, which includes both hostnames (linux-outbound-1.webhostbox.net and linux-outbound.webhostbox.net):

--
v=spf1 a mx a:linux-outbound.webhostbox.net a:linux-outbound-1.webhostbox.net ~all
--
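
The difference between include: and a: described above can be reproduced offline with a small evaluator. This is an added example, not part of the original article or the host's tooling; the ZONE table and every IP address in it are constructed stand-ins for DNS, and only the two SPF records are taken from the article.

```python
import ipaddress

# Constructed stand-in for DNS: documentation-range IPs, not the real records.
# As in the article, the outbound hosts publish A records but no SPF TXT record.
ZONE = {
    "A": {
        "shivautowings.com": ["192.0.2.10"],
        "linux-outbound.webhostbox.net": ["198.51.100.7", "198.51.100.8"],
        "linux-outbound-1.webhostbox.net": ["198.51.100.7"],
    },
    "MX": {"shivautowings.com": ["shivautowings.com"]},
    "TXT": {},
}
FAILED = ("v=spf1 +mx +a +include:linux-outbound-1.webhostbox.net "
          "+ip4:162.251.80.23 +ip4:207.174.214.12 ~all")
FIXED = "v=spf1 a mx a:linux-outbound.webhostbox.net a:linux-outbound-1.webhostbox.net ~all"

def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    return next((t for t in ZONE["TXT"].get(domain, []) if t.split()[:1] == ["v=spf1"]), None)

def check_host(ip, domain, record=None):
    """Minimal SPF check: a, mx, ip4, include, all (no macros, redirect, lookup limits)."""
    record = record or spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # mechanisms are evaluated left to right
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        if mech == "all":
            match = True
        elif mech == "ip4":
            match = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                    # compares against the target's A records
            match = ip in ZONE["A"].get(target, [])
        elif mech == "mx":
            match = any(ip in ZONE["A"].get(h, []) for h in ZONE["MX"].get(target, []))
        elif mech == "include":              # needs the target's own SPF TXT record
            inner = check_host(ip, target)
            if inner in ("none", "permerror"):
                return "permerror"           # RFC 7208 section 5.2
            match = inner == "pass"
        else:
            return "permerror"
        if match:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"
```

Because mechanisms are evaluated in order, the include: term returns PermError before the trailing ip4: entries are ever reached, so adding relay IPs after it does not help.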

DKIM records for the domain can be updated via cPanel itself.
