No. You are right. See RFC 4408, section 4.5. Records that do not begin with a version section of exactly “v=spf1” are discarded. Note that the version section is terminated either by an SP character or the end of the record. A record with a version section of “v=spf10” does not match and must be … Read more
Pretty much what it says on the tin. In the first case, domain 2’s SPF record is included in the SPF record for domain1, but can still be modified eg by adding another A host that isn’t permitted for domain2.com: “v=spf1 include:domain2.com a:othermailhost.domain1.com -all” In the second case, domain2’s SPF record is used as the … Read more
From RFC 4408: 3.1.2. Multiple DNS Records A domain name MUST NOT have multiple records that would cause an authorization check to select more than one record. See Section 4.5 for the selection rules. I’m not entirely sure what you want to achieve by adding a second record, but if it is something like adding … Read more
With DKIM only, there is no way for a receiving server to know where to find the DKIM key for your domain because the signature of the email is what includes the selector DNS record location, which is assigned by each mail server admin. So mail servers receiving emails from other servers will not be … Read more
You can only have one SPF record (https://www.rfc-editor.org/rfc/rfc4408#section-3.1.2). You need to combine them like so: v=spf1 include:spf.mandrillapp.com include:spf.protection.outlook.com -all or v=spf1 include:spf.mandrillapp.com include:spf.protection.outlook.com ?all
SPF has many more rankings than Pass/Fail. Using these in heuristically scoring spam makes the process easier and more accurate. Failing on account of “advanced setups” indicates the mail admin didn’t know what he was doing in setting up the SPF record. There’s no setup that SPF can’t account for correctly. Cryptography doesn’t work in … Read more
I can vouch for #2 (reverse PTR) being important, but not #4 (mail server domain matching “from”). We set up mail servers all the time, and most mail hosts don’t really even care about #2. The main thorn is always AOL, and they list standards you can check off.
Both libspf2 (C) and Mail::SPF::Query (perl, used in sendmail-spf-milter) implement a limit of 10 DNS-causing mechanisms, but the latter does not (AFAICT) apply the MX or PTR limits. libspf2 limits each of mx and ptr to 10 also. Mail::SPF (perl) has a limit of 10 DNS-causing mechanisms, and a limit of 10 lookups per mechanism, … Read more
Once DKIM was setup (for help, see this guide) and verified successfully on my domain I still had to enable it in the AWS console at SES -> Domains -> DKIM Once that was done mails to Gmail no longer show up with the via bounces address. You can see it still shows as mailed … Read more
Well, it was certainly not the intent of the specification for it to be used instead – softfail is intended as a transition mechanism, where you can have the messages marked without rejecting them outright. As you’ve found, failing messages outright tends to cause problems; some legitimate services, for example, will spoof your domain’s addresses … Read more