1 (edited by Chrissicom 2023-04-25 06:13:56)

Topic: SPF Check not working for incoming mail

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.2
- Linux/BSD distribution name and version: Rocky Linux 8
- Manage mail accounts with iRedAdmin-Pro? No
====

I am having a problem with SPF checks and Spamassassin tagging on incoming E-mails. Here is an example of the tagging:

X-Spam-Status: No, score=2.614 tagged_above=-999 required=2.9
    tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_IMAGE_ONLY_32=2.2,
    HTML_IMAGE_RATIO_02=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.25,
    SPF_NONE=0.35, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001]

As you can see SPF_NONE and SPF_HELO_NONE is set which according to the manual means that no SPF or SPF_HELO record has been found on the domain. The issue is that every incoming E-Mail is getting this tag, even if they come from e.g. gmail.com which has a valid SPF record so I should get a SPF_PASS in the header. Even when I am trying to forge the sender myself I get a SPF_NONE instead of the required SPF_FAIL.

Unfortunately I don't know where to start looking for a possible configuration error since SPAM tagging and everything else is working without issues. The non-working SPF checks is the only issue I have with the mail server.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: SPF Check not working for incoming mail

Try to turn on debug mode and check how SPF module works: https://docs.iredmail.org/debug.amavisd.html

3

Re: SPF Check not working for incoming mail

I have fixed it as gmail.com e.g. now results in a SPF_PASS.

The issue was to my surprise that using 1.1.1.1 (Cloudflare DNS) did not work. I have setup my own recursive caching DNS for localhost use only and now all SPF lookups work.

As a side effect RDNS lookups are improved too. What I did not notice before is that many providers like Zenhaus block queries by 1.1.1.1 due to the vast amount of queries through that DNS.

4

Re: SPF Check not working for incoming mail

Thanks for sharing. smile