SPF record validation – best guess only

computhomas asked:

I administrate the domain [mydomain.com] which was until now only used for handling mail through Google Mail/Google Apps.

Now I added a server which should be part of the domain without changing the primary purpose. I want the server to be able to send simple administrative mail, so I installed and configured sendmail.

When I send testmails to another Google Mail address the mail gets through but I get this header information:

Received-SPF: pass (google.com: best guess record for domain of
[myuser]@[myhost].[mydomain].com designates [myipv6address]
as permitted sender) client-ip=[myipv6address];

Now of course I want the validation to pass without guessing but I have probably something wrong in my DNS record.

$TTL 86400
@   IN SOA [mynameserver1]. (
    2013101002   ; serial
    14400        ; refresh
    1800         ; retry
    604800       ; expire
    86400 )      ; minimum

@            IN NS      [mynameserver3].
@            IN NS      [mynameserver2].
@            IN NS      [mynameserver1].

@            IN A       [myipv4address]
[myhost]     IN A       [myipv4address]

@            IN AAAA    [myipv6address]
[myhost]     IN AAAA    [myipv6address]

@            IN MX 1    ASPMX.L.GOOGLE.COM.
@            IN MX 5    ALT1.ASPMX.L.GOOGLE.COM.
@            IN MX 5    ALT2.ASPMX.L.GOOGLE.COM.
@            IN MX 10   ASPMX2.GOOGLEMAIL.COM.
@            IN MX 10   ASPMX3.GOOGLEMAIL.COM.
@            IN TXT     "v=spf1 a:[myhost].[mydomain].com ip4:[myipv4address]
                        ip6:[myipv6address] include:_spf.google.com ~all"

I can’t find the error and would appreciate any help.

Best regards,


My answer:

You sent email from an address which contains a subdomain of your domain. Your domain has an SPF record, but the subdomain does not. Thus Google makes a “best guess” that your domain’s SPF record should be used. This violates the specification, under which your subdomain would not be considered to have an SPF record, but it usually reflects what senders (whose mail systems are misconfigured) intended.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.