Issue with SPF syntax
-
Hello,
I am having issues receiving emails from a supplier of ours. The error is in the SPF lookup:
Tue 2024-01-09 06:59:42: Performing SPF lookup (lanhaiceramics.com / 183.56.219.201)
Tue 2024-01-09 06:59:43: * Policy: v=spf1 include:corp.21cn.com. -all
Tue 2024-01-09 06:59:43: * Evaluating include:corp.21cn.com.: performing lookup
Tue 2024-01-09 06:59:43: * Evaluating include:corp.21cn.com.: no match; no SPF record in DNS
Tue 2024-01-09 06:59:43: * Evaluating -all: match
Tue 2024-01-09 06:59:43: * Result: fail
Tue 2024-01-09 06:59:43: ** Reject 550 183.56.219.201 is not allowed to send mail as lanhaiceramics.com
Now, I think the error stems from the dot behind com:
Policy: v=spf1 include:corp.21cn.com. -all
One of the reasons why I believe so is because I did a syntax check:
Passed with Warnings
The policy is syntactically valid, but there are warnings—it may not work as you would expect.
- WARNING
The domain name for the "include" mechanism ends with a dot. Trailing dots should not be used, because they introduce ambiguity. Evaluation results may depend on the SPF client implementation.
Might this be the issue and if so, is there a work-around or a bug that can be fixed?
Thank you very much!
Best regards,
Johan
-
Arron Staff
It's a bug in SecurityGateway, the "." after the domain name is not being handled correctly. You can work around it by adding the sending IP to the allow list. We hope to have a fix available in a couple of days.
-
Hello Arron,
To be clear, that would be in patch 9.5.3, correct?
-
Arron Staff
We are intending to include the fix in SecurityGateway 9.5.3.
-
Any update on when we can whitelist certain domains from failing SPF, or is adding them to the Allowlist the answer?
BTW, spending 5 minutes checking buses, bicycles, traffic lights and motorcycles is getting very tiring on this website.
-
Arron Staff
Currently, in order to exclude a message from SPF processing you have to add the sending domain, IP, or host to the allow list.
-
I have the Domain in my Allowlist, yet still get the SPF failure.
-
Arron Staff
Sorry, I read the options incorrectly. In order to allow list a connection from SPF you have to add the connecting IP address to the allow list.
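
The trailing-dot problem from the top of this thread, as an added example that is not part of any post and is not SecurityGateway's code: a minimal SPF evaluator showing how using the `include:` domain-spec verbatim as a lookup key turns a pass into a fail, and how normalizing the name avoids it. The policy string and IP are the ones quoted in the thread; the record for the include target and all function names are constructed for the demo.

```python
import ipaddress

# Constructed zone data: the first policy is quoted in the thread; the record
# for the include target is invented for the demo, not the real one.
TXT = {
    "lanhaiceramics.com": "v=spf1 include:corp.21cn.com. -all",
    "corp.21cn.com": "v=spf1 ip4:183.56.219.0/24 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def normalize(name):
    """'example.com.' and 'example.com' name the same DNS node: drop one
    trailing dot and lowercase before using the name as a lookup key."""
    return (name[:-1] if name.endswith(".") else name).lower()

def trailing_dot_warnings(policy):
    """Return the terms whose domain-spec ends with a dot (what the syntax
    checker in the thread warned about)."""
    flagged = []
    for term in policy.split()[1:]:
        body = term.lstrip("+-~?")
        for sep in (":", "="):
            if sep in body and body.split(sep, 1)[1].split("/")[0].endswith("."):
                flagged.append(term)
                break
    return flagged

def check_host(ip, domain, fix=True, depth=0):
    """Simplified SPF check (ip4, include, all only). fix=False looks up the
    domain-spec verbatim, trailing dot included."""
    record = TXT.get(normalize(domain) if fix else domain)
    if record is None or depth > 10:
        # RFC 7208 makes a missing include target a permerror; the demo
        # treats it as "no match", as the log in the thread shows.
        return "none"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            hit = check_host(ip, mech[8:], fix, depth + 1) == "pass"
        else:
            hit = mech == "all"
        if hit:
            return RESULT[qualifier]
    return "neutral"
```

Running `trailing_dot_warnings` over the policies of domains you receive mail from identifies which senders would need the allow-list workaround until the fix is installed.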