Is your SPF Record Complete?

The Sender Policy Framework (SPF) is becoming increasingly important as more and more hosts enable it. Chances are that your domain has an SPF record, but is it complete and correct? If not, your mail is likely to end up in the recipient's spam folder or, worse, bounce completely.

It's obvious once you've been caught out by it, but is the IPv6 address for your server included in the record? It's particularly likely to be missing if you've enabled IPv6 support since you created your SPF record.

It's not particularly often that your MTA will use IPv6, but it does happen, and if the address isn't included you're going to experience issues.

The quickest way to check is to grab your server's IPv6 address with

ifconfig

and then put it into the bottom form on this SPF Testing Tool. You may not have explicitly allowed it in the record, but depending on what is declared, the receiving mail server may well be able to grab the data from the relevant AAAA record.

If you encounter a fail, you're going to need to add the server's IPv6 address to your SPF record.

So assuming you currently have

v=spf1 ip4:192.168.1.0/24 ~all

You'll want to update to

v=spf1 ip4:192.168.1.0/24 ip6:2021:48a1:7f18:16:3ga5:61a1:ffa0:7721 ~all

You can, of course, specify the IPv6 address in CIDR notation if you'd prefer. If you copy and paste the resulting record into the tool linked to above, you can check the result. Once you're happy, save the record and wait for the changes to propagate (the tester above appears to cache).
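The same check can be run locally before publishing a record. The following is an added example, not code from the original post or from the testing tool: it evaluates only the ip4, ip6 and all terms, left to right, and reports "unknown" as soon as it reaches a mechanism that needs DNS (such as a or mx, which is where the AAAA lookup mentioned above would happen). The function name check_spf and the 2001:db8 documentation-range addresses are assumptions made for the example.

```python
# Added example: offline check of a sending IP against an SPF record's literal terms.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}

def check_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all terms of an SPF record for one sending IP.
    Terms are tried left to right and the first match decides the result.
    DNS-based mechanisms are not resolved; reaching one yields 'unknown'.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", "not an SPF version 1 record")
    redirect = False
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if "=" in name:  # modifier (redirect=, exp=), not a mechanism
            redirect = redirect or name.startswith("redirect=")
            continue
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return ("permerror", f"bad address in {term!r}")
            if net.version != int(name[2]):
                return ("permerror", f"wrong address family in {term!r}")
            if ip.version == net.version and ip in net:
                return (QUALIFIERS[qualifier], term)
        elif name == "all":
            return (QUALIFIERS[qualifier], term)
        elif name.split("/")[0] in NEEDS_DNS:
            return ("unknown", f"{term!r} needs a DNS lookup")
        else:
            return ("permerror", f"unknown mechanism {term!r}")
    if redirect:
        return ("unknown", "redirect= needs a DNS lookup")
    return ("neutral", "no mechanism matched")

if __name__ == "__main__":
    # Constructed sample: an IPv4-only record, then the same record with an ip6 term.
    old = "v=spf1 ip4:192.168.1.0/24 ~all"
    new = "v=spf1 ip4:192.168.1.0/24 ip6:2001:db8:16::/48 ~all"
    for rec in (old, new):
        print(rec, "->", check_spf(rec, "2001:db8:16::25"))
```

A "permerror" result means the record itself is malformed, for example a mistyped ip6 literal, and receivers will treat the whole record as unusable rather than just skipping that term.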

There don't seem to be that many testers out there that support IPv6. You could email spf-test@openspf.net, but 9 times out of 10 it'll connect via IPv4. It's still well worth a try, though, if only to check the record is working correctly: the mail will bounce, but the SPF status will be contained in the headers.

3D4FF2025F: to=<spf-test@openspf.net>, 
relay=mailout02.controlledmail.com[72.81.252.18]:25, delay=7, delays=0.01/0/6.3/0.66, dsn=5.7.1,
status=bounced (host mailout02.controlledmail.com[72.81.252.18] said: 550 5.7.1 <spf-test@openspf.net>: Recipient address rejected:

SPF Tests: Mail-From Result="pass":

Mail From="test@example.com"
HELO name="mail.example.com" HELO Result="none" Remote IP="1.2.3.4" (in reply to RCPT TO command))

 

 