How to resolve problems with spf / softfail?
You can only have one SPF record. Since you created four of them, which one actually gets used is essentially random. You should combine them together into a single record.
The void lookup limit was introduced in RFC 7208 and refers to DNS lookups which either return an empty response (NOERROR with no answers) or an NXDOMAIN response. This is a separate count from the 10 DNS lookup overall count. As described at the end of Section 11.1, there may be cases where it is …
Sondra, you already found a related question, but the highest scoring answer doesn’t do justice to your questions, in my opinion. Let me start with your last question: What is the likelihood that a forged phishing email which SPF SoftFails actually gets to someone’s inbox? Huge! Combined with DMARC quarantine/reject policy and the receiving mailbox …
Mostly already answered, please do note including Google this way is wrong – you want to use _spf.google.com or incur a penalty for the redirect:
○ → host -t txt aspmx.googlemail.com
aspmx.googlemail.com descriptive text "v=spf1 redirect=_spf.google.com"
○ → host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
That lookup will consume 5/10 …
No you can’t. That is not the correct SPF record, and it is not the correct address of Google’s SPF record. Anyone with the control of a reverse DNS domain can make any IP have any name he/she wants, like “google.com”, “whitehouse.gov”, etc. Allowing reverse matches at all would be very wrong. The “include” feature …
Technically, yes, there is a difference. According to the SPF Record Syntax, a plus sign (+) indicates that the record should pass, no questions asked. The absence of a plus sign, or the inclusion of a question mark (?) indicates neutral status — the domain owner is not offering an opinion about whether the message …
Use the redirect modifier to “replace” the SPF record for the alias domain with that of the primary domain. Thus, the SPF record for aliasdomain.com ends up looking like this:
v=spf1 redirect=primarydomain.com
Note that no all mechanism is required, the final clause of the primarydomain.com record will apply.
The point would largely boil down to being a good citizen and reducing abuse, like making your domain less useful for spammers to impersonate and to make it immediately clear to others that mail is not deliverable there. If the claim is accurate that the domain is not used for either sending or receiving email …
Yes, you are interpreting it correctly. I have recently dealt with this. This article was helpful to me: Can I have a TXT or SPF record longer than 255 characters? A notable example of this concept in practice would be the SPF record for cisco.com as of 2/25/2016: > ;; QUESTION SECTION: ;cisco.com. IN TXT …
Yes, there might be caching or other delays depending on how the zone is being edited (nsupdate results in fairly immediate changes, less so if some web front-end talks to a database that maybe eventually does something to update a zone), how zone transfers are done (the master DNS server might push changes, or the …