Closed valeriansaliou closed 11 months ago
Can you check the IPs manually using the cli?
$ mailauth spf -v -f digitalocean.com -i 54.173.229.38
{
  "domain": "digitalocean.com",
  "client-ip": "54.173.229.38",
  "envelope-from": "postmaster@digitalocean.com",
  "rr": "v=spf1 include:spf.digitalocean.com include:_spf.google.com include:_spf.salesforce.com include:mg-spf.greenhouse.io include:helpscoutemail.com -all",
  "status": {
    "result": "pass",
It is more likely that it is the DNS that is failing - to resolve these large SPF records, mailauth needs to run a large number of DNS queries, and if you run a busy server and the DNS system is not tuned correctly, or you are using an external provider, then these queries might start to fail, or are throttled.
Hello Andris, thank you for the quick answer. I've narrowed it down to a production DNS system resolver issue, while the issue was not here / not replicable on my development environment. Definitely not related to mailauth, I'm closing this.
To be more specific, this seems to be an issue with DNS TCP requests, where the production resolver only attempts using UDP, and gets a partial fragmented response, for which it'll consider it's done and therefore resolve with some but not all TXT records, which do not contain the SPF record.
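The failure mode described in the comment above, as an added example that is not part of the thread and is not mailauth code: a TXT response with the TC (truncated) flag set is parsed two ways, once ignoring TC and once treating it as a signal to repeat the query over TCP. The DNS messages, the domain example.org and the record values are constructed, all function names are hypothetical, and the multiple-record `permerror` case from RFC 7208 goes slightly beyond what the thread discusses.

```javascript
// Constructed sample data throughout; names and record values are made up.
const isSpf = t => /^v=spf1( |$)/i.test(t);
// Build a minimal DNS TXT response (helper that produces the sample messages).
function buildTxtResponse(name, txts, truncated) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0x8180 | (truncated ? 0x0200 : 0), 2); // QR|RD|RA, plus TC (0x0200)
  header.writeUInt16BE(1, 4); header.writeUInt16BE(txts.length, 6); // QDCOUNT, ANCOUNT
  const labels = name.split('.').map(l => Buffer.from([l.length, ...Buffer.from(l)]));
  const question = Buffer.concat([...labels, Buffer.from([0, 0, 16, 0, 1])]); // root, TXT, IN
  const answers = txts.map(t => Buffer.from( // pointer to qname, TXT, IN, TTL 300, RDATA
    [0xc0, 0x0c, 0, 16, 0, 1, 0, 0, 1, 0x2c, 0, t.length + 1, t.length, ...Buffer.from(t)]));
  return Buffer.concat([header, question, ...answers]);
}
function skipName(msg, off) {
  for (;;) {
    const len = msg[off];
    if ((len & 0xc0) === 0xc0) return off + 2; // compression pointer ends the name
    if (len === 0) return off + 1;
    off += len + 1;
  }
}
// Return the TC flag plus every TXT record found in the answer section.
function parseTxtResponse(msg) {
  const truncated = (msg.readUInt16BE(2) & 0x0200) !== 0;
  let off = 12;
  for (let i = msg.readUInt16BE(4); i > 0; i--) off = skipName(msg, off) + 4;
  const txts = [];
  for (let i = msg.readUInt16BE(6); i > 0 && off < msg.length; i--) {
    off = skipName(msg, off);
    const type = msg.readUInt16BE(off), end = off + 10 + msg.readUInt16BE(off + 8);
    let text = '';
    for (let p = off + 10; p < end; p += 1 + msg[p]) text += msg.toString('latin1', p + 1, p + 1 + msg[p]);
    if (type === 16) txts.push(text);
    off = end;
  }
  return { truncated, txts };
}
// Ignores TC, like the resolver described above: a partial answer looks like "no SPF record".
const naiveOutcome = msg => (parseTxtResponse(msg).txts.some(isSpf) ? 'found' : 'none');
// Treats TC as "answer incomplete": the caller must repeat the query over TCP.
function spfLookupOutcome(msg) {
  const { truncated, txts } = parseTxtResponse(msg);
  if (truncated) return 'retry-tcp';
  const n = txts.filter(isSpf).length;
  return n === 0 ? 'none' : n === 1 ? 'found' : 'permerror';
}
const records = ['site-verification=constructed-1', 'other-verification=constructed-2', 'v=spf1 include:spf.example.net -all'];
const partialUdp = buildTxtResponse('example.org', records.slice(0, 2), true); // TC set, SPF cut off
const fullTcp = buildTxtResponse('example.org', records, false);
console.log(naiveOutcome(partialUdp), spfLookupOutcome(partialUdp), spfLookupOutcome(fullTcp));
```
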
Hey @andris9, thank you so much for your work on mailauth. I'd frankly have built this library myself if you did not do it first, thanks again for that.
I'm using mailauth on a busy inbound mail server, successfully, however I'm seeing instances where SPF validation fails, with the following e.g. output:
Checking digitalocean.com manually, it appears that their SPF policy is valid. Note that I've raised the DNS resolution limit from 10 to 20 just to be safe, as they are well above the 10 resolutions limit.
Their policy is as such:
When digging _spf.salesforce.com, it appears that they are using the SPF exists method:
I got the very same error for the siemens.com domain name, which has a valid (though huge) SPF policy, and which is also using the exists method:
It appears that SPF results containing the following pattern: exists:%{i} lead to mailauth thinking that there is no SPF policy at all on the domain.