Mailing List Archive

SPF DNS TXT record setup HELO permerror
I have the simonandkate.net domain. This domain has two mx records -
mail.simonandkate.net 10 and mail.bluetie.com 20.

My SPF record currently reads:

v=spf1 a mx ~all

Email to spf-test@openspf.org returns the following

SPF Tests:
Mail-From Result="pass": Mail From="simon@simonandkate.net" HELO
name="mail.simonandkate.net" HELO Result="permerror" Remote
IP="59.167.212.191" (in reply to RCPT TO command)

Why does the HELO result in a permerror? How do I fix the HELO test?

mail.simonandkate.net resolves to 59.167.212.191 which is PTR'ed back
to mail.simonandkate.net.



--
Simon Wilson
www.simonandkate.net



-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: SPF DNS TXT record setup HELO permerror [ In reply to ]
> I have the simonandkate.net domain. This domain has two mx records -
> mail.simonandkate.net 10 and mail.bluetie.com 20.
>
> My SPF record currently reads:
>
> v=spf1 a mx ~all
>
> Email to spf-test@openspf.org returns the following
>
> SPF Tests:
> Mail-From Result="pass": Mail From="simon@simonandkate.net" HELO
> name="mail.simonandkate.net" HELO Result="permerror" Remote
> IP="59.167.212.191" (in reply to RCPT TO command)
>
> Why does the HELO result in a permerror? How do I fix the HELO test?
>
> mail.simonandkate.net resolves to 59.167.212.191 which is PTR'ed back
> to mail.simonandkate.net.
>
Looking to see what SPF record there might be for mail.simonandkate.net I got:

; <<>> DiG 9.5.1-P2 <<>> txt mail.simonandkate.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53675
;; flags: qr rd ra; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.simonandkate.net. IN TXT

;; ANSWER SECTION:
mail.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.

;; Query time: 533 msec
;; SERVER: 192.168.111.254#53(192.168.111.254)
;; WHEN: Thu May 14 01:36:54 2009
;; MSG SIZE rcvd: 323

So your DNS server is reporting server failure and returning 20 copies of
a cname to www.simonandkate.net.

Fixing that will solve the error.

Scott K


Re: SPF DNS TXT record setup HELO permerror [ In reply to ]
Quoting Scott Kitterman <scott@kitterman.com>:

>> I have the simonandkate.net domain. This domain has two mx records -
>> mail.simonandkate.net 10 and mail.bluetie.com 20.
>>
>> My SPF record currently reads:
>>
>> v=spf1 a mx ~all
>>
>> Email to spf-test@openspf.org returns the following
>>
>> SPF Tests:
>> Mail-From Result="pass": Mail From="simon@simonandkate.net" HELO
>> name="mail.simonandkate.net" HELO Result="permerror" Remote
>> IP="59.167.212.191" (in reply to RCPT TO command)
>>
>> Why does the HELO result in a permerror? How do I fix the HELO test?
>>
>> mail.simonandkate.net resolves to 59.167.212.191 which is PTR'ed back
>> to mail.simonandkate.net.
>>
> Looking to see what SPF record there might be for mail.simonandkate.net I got:
>
> ; <<>> DiG 9.5.1-P2 <<>> txt mail.simonandkate.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53675
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;mail.simonandkate.net. IN TXT
>
> ;; ANSWER SECTION:
> mail.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
> www.simonandkate.net. 3600 IN CNAME www.simonandkate.net.
>
> ;; Query time: 533 msec
> ;; SERVER: 192.168.111.254#53(192.168.111.254)
> ;; WHEN: Thu May 14 01:36:54 2009
> ;; MSG SIZE rcvd: 323
>
> So your DNS server is reporting server failure and returning 20 copies of
> a cname to www.simonandkate.net.
>
> Fixing that will solve the error.
>
> Scott K
>

OK, that's confusing - if I dig mail.simonandkate.net I get:

[root@server04 ~]# dig mail.simonandkate.net

; <<>> DiG 9.3.4-P1 <<>> mail.simonandkate.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40080
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.simonandkate.net. IN A

;; ANSWER SECTION:
mail.simonandkate.net. 3504 IN A 59.167.212.191

;; AUTHORITY SECTION:
simonandkate.net. 71830 IN NS ns2.planetdomain.com.
simonandkate.net. 71830 IN NS ns1.planetdomain.com.

;; ADDITIONAL SECTION:
ns1.planetdomain.com. 541 IN A 202.131.95.2
ns2.planetdomain.com. 2004 IN A 202.124.241.2

;; Query time: 10 msec
;; SERVER: 192.168.1.145#53(192.168.1.145)
;; WHEN: Thu May 14 16:36:21 2009
;; MSG SIZE rcvd: 139


If I dig txt simonandkate.net (the sending email domain) I get:

[root@server04 ~]# dig txt simonandkate.net

; <<>> DiG 9.3.4-P1 <<>> txt simonandkate.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2876
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;simonandkate.net. IN TXT

;; ANSWER SECTION:
simonandkate.net. 3600 IN TXT "v=spf1 a mx ~all"

;; AUTHORITY SECTION:
simonandkate.net. 71079 IN NS ns1.planetdomain.com.
simonandkate.net. 71079 IN NS ns2.planetdomain.com.

;; ADDITIONAL SECTION:
ns1.planetdomain.com. 3410 IN A 202.131.95.2
ns2.planetdomain.com. 1253 IN A 202.124.241.2

;; Query time: 42 msec
;; SERVER: 192.168.1.145#53(192.168.1.145)
;; WHEN: Thu May 14 16:48:52 2009
;; MSG SIZE rcvd: 147


No idea why you are getting all the www entries.


A dig -x 59.167.212.191:

[root@server04 ~]# dig -x 59.167.212.191

; <<>> DiG 9.3.4-P1 <<>> -x 59.167.212.191
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54907
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;191.212.167.59.in-addr.arpa. IN PTR

;; ANSWER SECTION:
191.212.167.59.in-addr.arpa. 37329 IN PTR mail.simonandkate.net.

;; AUTHORITY SECTION:
212.167.59.in-addr.arpa. 37329 IN NS ns3.internode.net.au.
212.167.59.in-addr.arpa. 37329 IN NS ns4.on.net.
212.167.59.in-addr.arpa. 37329 IN NS ns1.on.net.
212.167.59.in-addr.arpa. 37329 IN NS ns2.on.net.au.

;; ADDITIONAL SECTION:
ns1.on.net. 73705 IN A 216.200.145.64
ns4.on.net. 69079 IN A 192.231.203.3

;; Query time: 1 msec
;; SERVER: 192.168.1.145#53(192.168.1.145)
;; WHEN: Thu May 14 16:51:45 2009
;; MSG SIZE rcvd: 206


DNS for my domain is hosted at planetdomain. Entries are as follows:

simonandkate.net. 3600 IN SOA ns1.planetdomain.com.
abuse.planetdomain.com. (
2009051401 ; Serial
14400 ; Refresh
7200 ; Retry
3600000 ; Expire
172800 ) ; Minimum
mail 3600 IN A 59.167.212.191
server 3600 IN A 59.167.212.191
www 3600 IN A 59.167.212.191
blog 3600 IN A 59.167.212.191
tflux 3600 IN A 59.167.212.191
gallery 3600 IN A 59.167.212.191
system 3600 IN A 59.167.212.191
family 3600 IN A 59.167.212.191
* 3600 IN CNAME www.simonandkate.net.
system 3600 IN MX 10 mail.simonandkate.net.
family 3600 IN MX 10 mail.simonandkate.net.
simonandkate.net 3600 IN MX 20 mail.bluetie.com.
simonandkate.net 3600 IN MX 10 mail.simonandkate.net.
simonandkate.net. 3600 IN NS ns1.planetdomain.com.
simonandkate.net. 3600 IN NS ns2.planetdomain.com.
simonandkate.net. 3600 IN TXT v=spf1 a mx ~all

Do I need an SPF TXT record for the mail server or for the domain?

I have incoming SPF validation working fine in Postfix, just need to
get my head around this bit...

Thanks for your help.

--
Simon Wilson
www.simonandkate.net


Re: SPF DNS TXT record setup HELO permerror [ In reply to ]
Quoting Simon Wilson <simon@simonandkate.net>:

> Quoting Scott Kitterman <scott@kitterman.com>:
>
>>> I have the simonandkate.net domain. This domain has two mx records -
>>> mail.simonandkate.net 10 and mail.bluetie.com 20.
>>>
>>> My SPF record currently reads:
>>>
>>> v=spf1 a mx ~all
>>>
>>> Email to spf-test@openspf.org returns the following
>>>
>>> SPF Tests:
>>> Mail-From Result="pass": Mail From="simon@simonandkate.net" HELO
>>> name="mail.simonandkate.net" HELO Result="permerror" Remote
>>> IP="59.167.212.191" (in reply to RCPT TO command)
>>>
>>> Why does the HELO result in a permerror? How do I fix the HELO test?
>>>
>>> mail.simonandkate.net resolves to 59.167.212.191 which is PTR'ed back
>>> to mail.simonandkate.net.
>>>
>> Looking to see what SPF record there might be for mail.simonandkate.net I got:

>> So your DNS server is reporting server failure and returning 20 copies of
>> a cname to www.simonandkate.net.
>>
>> Fixing that will solve the error.
>>
>> Scott K
>>
>
> OK, that's confusing - if I dig mail.simonandkate.net I get:
>

>
> Do I need an SPF TXT record for the mail server or for the domain?
>
> I have incoming SPF validation working fine in Postfix, just need to
> get my head around this bit...
>
> Thanks for your help.
>

OK, reading the FAQ again has helped me a bit :-)

I found the bit that says "Publish SPF records for HELO names used by
your mail servers" which kinda shed a little light...

So I have now done that - I have added the following TXT DNS record:

mail.simonandkate.net. 3600 IN TXT v=spf1 a ~all

It appears I also need to add TXT null SPF records for all my
DNS-published non-emailing hosts and subdomains, and SPF records for
the subdomains with MX?

So my domain SPF record should list all hosts or IPs that send email
from simonandkate.net. Having an "a" in my simonandkate.net SPF is a
waste of time as I don't have an "a" record for the domain itself,
yes? "mx" would work in there though, as I have "mx" records for the
domain.

Still no idea why you are getting the multiple CNAME records though.
Can you see if that is gone now that I have put in the SPF record for
the mail server?

Thanks again.

Simon.

--
Simon Wilson
www.simonandkate.net


Re: SPF DNS TXT record setup HELO permerror [ In reply to ]
On Thu, May 14, 2009 at 07:53, Simon Wilson <simon@simonandkate.net> wrote:
> *       3600    IN      CNAME   www.simonandkate.net.

That says that <anything>.simonandkate.net is a CNAME for
www.simonandkate.net, which is why Scott saw what he did.

Either remove the wildcard, or specify only IP addresses in your SPF
records (which is generally the right thing to do anyway).

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
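
The CNAME loop in Scott's dig output and the two fixes discussed in the thread (an explicit TXT record for the HELO name, or removing the wildcard), modelled offline as an added example that is not part of any poster's message. It assumes the name server applies the `*` CNAME to any name/type pair that has no data; the zone dictionary, `MAX_CHAIN` and the function names are constructed for illustration.

```python
# Constructed model of the zone posted in the thread (only the records that matter here).
ZONE = {
    ("mail.simonandkate.net.", "A"): ["59.167.212.191"],
    ("www.simonandkate.net.", "A"): ["59.167.212.191"],
    ("simonandkate.net.", "TXT"): ["v=spf1 a mx ~all"],
}
WILDCARD_TARGET = "www.simonandkate.net."  # "* 3600 IN CNAME www.simonandkate.net."
MAX_CHAIN = 20  # constructed limit; the dig answer in the thread carried 20 CNAMEs


def lookup_txt(name, zone, wildcard=WILDCARD_TARGET):
    """Resolve TXT for `name`, following CNAMEs.

    Assumption: the server falls back to the wildcard whenever the queried
    (name, TXT) pair has no data, even if the name owns other records.
    Returns (status, cname_chain, txt_records).
    """
    chain = []
    current = name
    while len(chain) < MAX_CHAIN:
        txt = zone.get((current, "TXT"))
        if txt is not None:
            return "NOERROR", chain, txt
        if wildcard is None:
            # Simplification: an existing name without TXT is an empty answer.
            return "NOERROR", chain, []
        chain.append((current, wildcard))  # synthesized CNAME
        current = wildcard
    return "SERVFAIL", chain, []  # www -> www never terminates


def helo_spf_record(helo, zone, wildcard=WILDCARD_TARGET):
    """Return the SPF policy found for a HELO name, or why none was found."""
    status, chain, txt = lookup_txt(helo, zone, wildcard)
    if status != "NOERROR":
        return f"lookup failed ({status}) after {len(chain)} CNAMEs"
    spf = [t for t in txt if t == "v=spf1" or t.startswith("v=spf1 ")]
    return spf[0] if spf else "no SPF record"


if __name__ == "__main__":
    helo = "mail.simonandkate.net."
    print("as posted:        ", helo_spf_record(helo, ZONE))
    with_txt = dict(ZONE)
    with_txt[(helo, "TXT")] = ["v=spf1 a ~all"]  # the record Simon added
    print("TXT on HELO name: ", helo_spf_record(helo, with_txt))
    print("other host, same: ", helo_spf_record("www.simonandkate.net.", with_txt))
    print("wildcard removed: ", helo_spf_record(helo, ZONE, wildcard=None))
```

Under that assumption, every host name without its own TXT record keeps hitting the loop until either the name gets an explicit record or the wildcard is removed.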

