Issue with SPF syntax | MDaemon Technologies, Ltd.

Issue with SPF syntax


  • Hello,

     

    I am having issues receiving emails from a supplier of ours. The error is in the SPF lookup:

    Tue 2024-01-09 06:59:42: Performing SPF lookup (lanhaiceramics.com / 183.56.219.201)
    Tue 2024-01-09 06:59:43: * Policy: v=spf1 include:corp.21cn.com. -all
    Tue 2024-01-09 06:59:43: * Evaluating include:corp.21cn.com.: performing lookup
    Tue 2024-01-09 06:59:43: * Evaluating include:corp.21cn.com.: no match; no SPF record in DNS
    Tue 2024-01-09 06:59:43: * Evaluating -all: match
    Tue 2024-01-09 06:59:43: * Result: fail
    Tue 2024-01-09 06:59:43: ** Reject 550 183.56.219.201 is not allowed to send mail as lanhaiceramics.com
     
    Now, I think the error stems from the dot behind com:
    Policy: v=spf1 include:corp.21cn.com. -all
     
    One of the reasons why I believe so is because I did a syntax check:

    Passed with Warnings

    The policy is syntactically valid, but there are warnings—it may not work as you would expect.

    • WARNING
      The domain name for the "include" mechanism ends with a dot. Trailing dots should not be used, because they introduce ambiguity. Evaluation results may depend on the SPF client implementation.
     
    Might this be the issue and if so, is there a work-around or a bug that can be fixed?
     
    Thank you very much!
     
    Best regards,
    Johan


  • It's a bug in SecurityGateway, the "." after the domain name is not being handled correctly. You can work around it by adding the sending IP to the allow list. We hope to have a fix available in a couple of days.
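
An added example, not part of the thread and not SecurityGateway's code: one way an SPF evaluator can treat a trailing dot in a domain-spec as a fully qualified name and strip it before the lookup. All function names and the `FAKE_DNS` mapping are hypothetical; `POLICY` is the policy string from the log above, and `SAMPLE` is constructed.

```python
import re

# [qualifier]name[:domain or =domain][/cidr]
_TERM = re.compile(r"^[+\-~?]?([a-z][a-z0-9_.-]*)(?:[:=]([^/]+))?(?:/.*)?$", re.I)
_TAKES_DOMAIN = {"include", "a", "mx", "exists", "ptr", "redirect", "exp"}


def normalize_domain(spec):
    """Return (dns_name, had_trailing_dot) for an SPF domain-spec.

    One trailing dot only marks the name as fully qualified: it is the same
    DNS node as the undotted form, so drop it before using the name as a
    query or cache key.
    """
    had_dot = spec.endswith(".") and not spec.endswith("..")
    return (spec[:-1] if had_dot else spec).lower(), had_dot


def lookup_targets(record):
    """List (term, dns_name, had_trailing_dot) for every domain-bearing term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    targets = []
    for term in terms[1:]:
        m = _TERM.match(term)
        if not m or m.group(2) is None or m.group(1).lower() not in _TAKES_DOMAIN:
            continue  # all, ip4/ip6, bare a/mx, unknown terms: no name to look up
        if "%" in m.group(2):
            continue  # macros must be expanded first; outside this example
        targets.append((m.group(1).lower(),) + normalize_domain(m.group(2)))
    return targets


def fetch_included(record, txt_by_name):
    """Resolve each include: against a name -> record mapping (stand-in for DNS)."""
    return {name: txt_by_name.get(name)
            for kind, name, _ in lookup_targets(record) if kind == "include"}


POLICY = "v=spf1 include:corp.21cn.com. -all"   # from the log in the post above
SAMPLE = "v=spf1 include:spf.example.net. -all"  # constructed
FAKE_DNS = {"spf.example.net": "v=spf1 ip4:192.0.2.0/24 -all"}  # constructed

if __name__ == "__main__":
    print(lookup_targets(POLICY))
    print("raw key found:", "spf.example.net." in FAKE_DNS)  # the failure mode
    print("normalized   :", fetch_included(SAMPLE, FAKE_DNS))
```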


  • Hello Arron,

    To be clear, that would be in patch 9.5.3, correct?


  • We are intending to include the fix in SecurityGateway 9.5.3.  


  • Any update on when we can whitelist certain domains from failing SPF, or is adding them to the Allowlist the answer?

    BTW, spending 5 minutes checking buses, bicycles, traffic lights and motorcycles is getting very tiring on this website.


  • Currently, in order to exclude a message from SPF processing, you have to add the sending domain, IP, or host to the allow list.


  • I have the Domain in my Allowlist, yet still get the SPF failure.


  • Sorry, I read the options incorrectly.  In order to allow list a connection from SPF you have to add the connecting IP address to the allow list.

