SPF Record Help Please

Crewey

If anyone has experience amending SPF records please can you give me a shout.
My wife has been unable to send email to Gmail clients for a while now, and the provider IONOS doesn't have the correct answer.

Their official support entry page advises;
v=spf1 include:_spf-us.ionos.com ~all

When their support replied to my ticket they advised I change it to;
v=spf1 include:_spf.perfora.net include:_spf-eu.ionos.com include:_spf.kundenserver.de ~all

Neither solution has worked; the DNS is managed via Wix so all changes are made via their settings which complicates the matter.

Thanks
 
Not done a massive amount with SPF records but have you tried using Google's DNS tester to confirm that it's showing the correct/updated SPF records for your domain.

Also what's the error you are getting back from Gmail email addresses to say that it won't send/been blocked?

Also assuming this is your own domain, what are you using to send emails and via whose SMTP servers (IONOS)?
 
Not done a massive amount with SPF records but have you tried using Google's DNS tester to confirm that it's showing the correct/updated SPF records for your domain.
Google DNS test shows;
"type": 99 /* SPF */,
"TTL": 3600,
"data": "\"v=spf1 include:_spf.perfora.net include:_spf-eu.ionos.com include:_spf.kundenserver.de ~all\""
}
Also what's the error you are getting back from Gmail email addresses to say that it won't send/been blocked?

SMTP error from remote server for TEXT command, host: gmail-smtp-in.l.google.com (..........) reason: 550-5.7.26 This mail is unauthenticated, which poses a security risk to the
550-5.7.26 sender and Gmail users, and has been blocked. The sender must
550-5.7.26 authenticate with at least one of SPF or DKIM. For this message,
550-5.7.26 DKIM checks did not pass and SPF check for ..........

Also assuming this is your own domain, what are you using to send emails and via whose SMTP servers (IONOS)?

It is our domain, same issue whether using Apple Mail, iOS mail, or direct on the IONOS webmail browser, yes IONOS mail servers


Thank you
 
DNS reply looks like it's returning ~all instead of -all, not sure if that would be the cause of the problem.
 
We've had problems sending to gmail accounts this week:

I think it should be tilde, not minus sign (*). We also had entries for ip4 addresses - we send using BT Business SMTP server so have added "ip4:213.120.69.0/24" too as well as our hosting company's ip4 address:

v=spf1 a mx ip4:<our host IP address> ip4:213.120.69.0/24 include:<our host company domain> ~all

Seems to work OK now.

(*) Just looked this up to check: "The “~all” tag, or the soft fail qualifier, means that the receiving server should accept the email anyway if it’s not in the SPF record but mark it as suspicious. Alternatively, you can also use the “-all” tag or a fail qualifier, which means that messages from servers that aren’t included in your SPF record should be rejected."
 
Thanks guys, when she's home I'll try as above.
 
yes -all not ~all

minus sign not a tilde sign
Left as minus for over 48 hrs and the issue still remains, sadly Alan. @Fantazia2 @MarkS

Ionos have now provided further DMARC config as below ?? but insist on the generic SPF record with tilde:


Please proceed to use the IONOS SPF record that is provided below to authenticate your email account:
Aside from the SPF record, kindly include a DMARC record on your domain name's DNS settings by adding it as a TXT record:
  • Hostname: _dmarc
  • Value: v=DMARC1;p=none;pct=100
  • TTL: 1 hour
 
Tilde vs Dash in a SPF record

~ = Failures to be treated as Softfail (please mark as spam)
- = Failure to be treated as hardfail (please reject message)

Does the provider support DKIM, since they are asking you to enable DMARC I would assume so as DKIM is required as a pre-req.

Beware how the mail is routed - if you're setting up SPF records and then sending via an ISP's relay or something you will be spoofing the messages, likewise if you use a 3rd party mailer (mailchimp etc)
However via the provider's web-mail I would expect to work if the records are correct, as the source will have to be them.

SPF basically says - 'the following relays (be it a name, an IP, an IP block) are allowed to send as this domain if it comes from anywhere else mark or reject please'
DKIM signs the message envelope to ensure it has not been messed with in transit
DMARC uses both the above to inform the recipient's service what you as a sender would like it to do with messages that fail the above and where to send the activity reports.

I don't actually see the domain mentioned anywhere though otherwise I'd cast an eye over your records.
 
Thank you for the additional info.
The domain is (removed) which is provided via IONOS (Inc being webmail host) my wife built her site via Wix so the SPF/DMARC data is entered at their DNS portal.
I'm pretty sure I've read that IONOS doesn't support DKIM when reading through many googled articles to try and resolve this.
 
You sure you have your records published correctly, both MXToolbox and Mimecast report no records found.....
I can't see the actual zone entry obviously, but something isn't right.

Looks like IONOS do support DKIM btw, but your issue here is likely an issue with the SPF record in your zone.
Sort that, then setup DKIM, and then setup DMARC.

No issue with the mail provider and Nameservers being separate, the records in the DNS zone are what matter, not who holds the domain or where the nameservers (my world is Exchange and Exchange online and Microsoft are not the registrar for any of the domains I deal with)
As long as the correct records are presented to the world it'll all work just fine.

Edit - if you want to screenshot the console entry you have for the record in the DNS zone I'll take a look at that - it's likely something very simple.
Edit 2: Do you have an old style entry where the SPF record is not being published as a TXT record by any chance?
 

Edit 2: Do you have an old style entry where the SPF record is not being published as a TXT record by any chance?
Sorry to pinpoint one aspect of your helpful post mate, but when I was looking earlier I thought Wix having TXT and SPF entry points I wondered if the SPF record should be going in the TXT zone as SPF is clearly not working at all.

I'll get a screenshot of the Wix setup
 
Yep that's likely the issue - the content is valid but it's a deprecated record type, SPF records are standard TXT entries, not their own special type.

Create a new TXT record with the hostname as @ or dollimorephotography.com and the value as the content of current entry and delete the specific SPF type record.
Right syntax, wrong record type.

Do that, wait 30mins or so and check it at MXToolbox using the SPF check and you should see it go valid.

Then for your DMARC to do useful stuff you'll need to setup DKIM records which will be a pair of CNAME records.
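
The failure diagnosed in this thread (valid SPF syntax published under the retired SPF record type instead of TXT), as an added example that is not part of any post: it classifies DNS answers in the JSON shape shown earlier in the thread. The `example.com` name, the sample answers and the function names are constructed for illustration.

```python
import re

TXT, SPF99 = 16, 99  # DNS RR type numbers; 99 is the retired SPF type

def rdata_text(data):
    """Join the quoted character-strings of TXT-style rdata into one string."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', data)
    return "".join(parts) if parts else data.strip()

def spf_records(answers, rrtype):
    """Return the v=spf1 policy strings carried by answers of one RR type."""
    found = []
    for rr in answers:
        text = rdata_text(rr.get("data", ""))
        if rr.get("type") == rrtype and text.lower().split()[:1] == ["v=spf1"]:
            found.append(text)
    return found

def diagnose(answers):
    """Classify how a domain publishes SPF from its combined DNS answers."""
    in_txt = spf_records(answers, TXT)
    if not in_txt:
        if spf_records(answers, SPF99):
            return "type99-only: receivers look up TXT, so SPF result is none"
        return "no-spf: no v=spf1 record published"
    if len(in_txt) > 1:
        return "permerror: more than one v=spf1 TXT record"
    last = in_txt[0].split()[-1].lower()
    result = {"-all": "fail", "~all": "softfail", "?all": "neutral",
              "+all": "pass", "all": "pass"}.get(last, "a result not set by an all term")
    return f"ok: TXT record found, unlisted senders get {result}"

# Constructed sample answers for example.com, reusing the policy from the thread.
POLICY = ("v=spf1 include:_spf.perfora.net include:_spf-eu.ionos.com "
          "include:_spf.kundenserver.de ~all")
BEFORE = [{"name": "example.com.", "type": 99, "TTL": 3600,
           "data": f'"{POLICY}"'}]
AFTER = [{"name": "example.com.", "type": 16, "TTL": 3600, "data": POLICY}]

if __name__ == "__main__":
    print(diagnose(BEFORE))          # record only under the SPF type
    print(diagnose(AFTER))           # same policy republished as TXT
    print(diagnose(AFTER + AFTER))   # duplicate TXT policies
```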
 
Will do start that now, might need some help with the DKIM CNAMES parts please as IONOS support have not mentioned that in their responses to date. Thank you
 
The DKIM CNAME records are generally something the provider will guide you on creating, I can tell you how to do it in Microsoft land, but I've never done it with other vendors.
It is just a pair of records though (DNS is always just records ;) )

Getting the SPF record correct will likely sort your current issue though, but setting up DKIM now will save you falling into a similar hole in the future when it goes from 'a good idea' to a 'must have' which is what has happened with SPF (and it's for good reason!)

Edit: DKIM can be TXT, but I've never done it that route as Microsoft and Mimecast use CNAME
 
And you're now looking good :)
 

Thank you 😊

When I've looked up how to find your own DKIM info it involves sending an email to yourself, but when I do that it just says DKIM=none.
I'll ask IONOS, thanks again 👍
 
Interesting response;

Regarding your query about DKIM support, I'd like to clarify that while we do support DKIM, it is not currently implemented within our system. However, there is a solution available for you.

You have the option to add your domain to Google Postmaster, which provides a range of useful tools and insights for managing your email deliverability. By utilizing Google Postmaster, you can effectively monitor and analyze the performance of your emails.

 
....So while we can handle verifying it, we can't actually do the signing is how I'd read it.

I'm assuming they are asking you to route mail outbound via that service or something along those lines - someone has to actually do the signing of the message somewhere for it to work.

Like I say I'm an Exchange guy, not a Google guy and config of DKIM outside of ExchangeOnline I am less familiar with (I know how it works as it's a standard mechanism, but how others implement the signing process I am not familiar with)

I assume your original issue is now solved with the corrected DNS record, so you could leave it there and call it good for now.
Otherwise I might be tempted to migrate to ExchangeOnline ;)
 
@ChrisH thanks again mate much appreciated. Yeah the wife is happy her Gmail clients can now receive emails, so original issue is resolved. Would be nice to future proof for DKIM, hopefully by the time that becomes a necessity IONOS may have sorted theirs out or we'll have migrated to another 👍
 