How to resolve problems with spf / softfail?

Jim Miller asked:

I’m having problems with Google rejecting mail because of SPF problems. I thought I had this fixed, but evidently not…

The mail is being sent from a Drupal site running mimemail. A message that shows the problem looks like:

Delivered-To: reg@receiver.com
Received: by 10.112.47.229 with SMTP id g5csp300564lbn;
        Wed, 2 Apr 2014 10:21:06 -0700 (PDT)
X-Received: by 10.66.249.233 with SMTP id yx9mr1407538pac.3.1396459264202;
        Wed, 02 Apr 2014 10:21:04 -0700 (PDT)
Return-Path: <sender@sender.com>
Received: from sender.com (sender.com. [xxx.xxx.xxx.xxx])
        by mx.google.com with ESMTP id m8si1612133pbd.503.2014.04.02.10.21.03
        for <reg@receiver.com>;
        Wed, 02 Apr 2014 10:21:04 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning sender@sender.com does not designate xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning sender@sender.com does not designate xxx.xxx.xxx.xxx as permitted sender) smtp.mail=sender@sender.com
Received: by sender.com (Postfix, from userid 48)
    id 3E486101774; Wed,  2 Apr 2014 17:21:02 +0000 (UTC)
To: "reg" <reg@receiver.com>
Subject: Message Subject here
X-PHP-Originating-Script: 501:mimemail.module
MIME-Version:1.0
Content-Type:multipart/mixed;
 boundary="ca08a4eb4d5f903d3ee41d8632611e3ff9f7e67713"
Content-Transfer-Encoding:8Bit
X-Mailer:Drupal
Sender:Sender <sender@sender.com>
From:Sender <sender@sender.com>
Message-Id: <20140402172102.3E486101774@sender.com>
Date: Wed,  2 Apr 2014 17:21:02 +0000 (UTC)

This is a multi-part message in MIME format.

--ca08a4eb4d5f903d3ee41d8632611e3ff9f7e67713
Content-Type:multipart/alternative;
 boundary="2db314e2a942d712c21894936b800a2c7998463d12"
Content-Transfer-Encoding:8bit


--2db314e2a942d712c21894936b800a2c7998463d12
Content-Type:text/plain; charset=utf-8
Content-Disposition:inline
Content-Transfer-Encoding:8bit

Message text goes here...

--2db314e2a942d712c21894936b800a2c7998463d12
Content-Type:text/html; charset=utf-8
Content-Disposition:inline
Content-Transfer-Encoding:8Bit

<html>
<html text goes here>
</html>

--2db314e2a942d712c21894936b800a2c7998463d12--

--ca08a4eb4d5f903d3ee41d8632611e3ff9f7e67713--

[Apologies for the anonymizing.]

The SPF records for the domain, obtained from http://www.whatsmyip.us/txt, look like:

v=spf1 ip4:xxx.xxx.xxx.xxx ~all , ttl : 14144
v=spf1 include:_spf.google.com ~all , ttl : 14144
v=spf1 a -all , ttl : 14144
v=spf1 ip4:xxx.xxx.xxx.yyy ~all , ttl : 14144

similarly anonymized.

I can’t figure out what’s wrong — the appropriate SPF records seem to be in place. The only issue I can see is that I have indeed set up (or tried to set up) two servers as legal senders for the domain; this is meant to cover both a production and a development server (let’s call them sender.com and dev.sender.com). Is this an issue?

Any thoughts about what’s wrong? Again, I thought this was once working correctly, but it’s definitely not now. Thanks!

My answer:


You can only have one SPF record. Since you created four of them, which one actually gets used is essentially random. You should combine them together into a single record.
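
An added example, not part of the original question or answer: a check that flags a domain publishing more than one SPF record and builds the single combined record the answer calls for. The function names, the 192.0.2.x addresses standing in for the anonymized ones, and the choice of `~all` as the closing term are assumptions.

```python
# Constructed TXT records modelled on the question's lookup output.
# 192.0.2.10 / 192.0.2.20 are documentation addresses (assumed values).
SAMPLE_TXT = [
    "v=spf1 ip4:192.0.2.10 ~all",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 a -all",
    "v=spf1 ip4:192.0.2.20 ~all",
    "google-site-verification=constructed-example",
]

# Mechanisms that cost the receiver a DNS lookup (RFC 7208 limits these to 10).
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")


def is_spf(txt):
    """True if a TXT string is an SPF version 1 record."""
    terms = txt.split()
    return bool(terms) and terms[0].lower() == "v=spf1"


def check_and_merge(txt_records, all_term="~all"):
    """Return (status, merged_record); status is 'none', 'ok' or 'permerror'.

    RFC 7208 section 4.5: more than one v=spf1 record at a name is a permerror.
    all_term is the operator's policy choice; "~all" here is only an assumption.
    """
    spf = [t for t in txt_records if is_spf(t)]
    if not spf:
        return "none", None
    status = "ok" if len(spf) == 1 else "permerror"
    merged, seen = [], set()
    for record in spf:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue  # a single "all" is appended once, at the end
            if term.lower() not in seen:
                seen.add(term.lower())
                merged.append(term)
    return status, " ".join(["v=spf1"] + merged + [all_term])


def lookup_terms(record):
    """Count top-level terms needing a DNS lookup (nested includes not followed)."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        mech = name.split(":")[0].split("/")[0]
        count += mech in LOOKUP_MECHS or name.startswith("redirect=")
    return count
```

After publishing the merged record, delete the old ones so that only one `v=spf1` TXT record remains at the domain.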


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.