[SOLVED] SPF record woes

I’m having trouble getting my SPF and DKIM records to be discovered, but I’ll let this be about SPF to keep things simple.

My server is a Kimsufi, from OVH Hosting. BIND was set up by Virtualmin and later I only added a PTR record (works fine) and SPF + DKIM.

So far, http://dkimvalidator.com/ provided the best clue (I anonymized my domain info):

Helo Address = ns000000.ip-000-000-000.eu
From Address = admin@mydomain.com
From IP = 000.000.000.000
SPF Record Lookup

Looking up TXT SPF record for mydomain.com
Found the following namesevers for mydomain.com: ns000000.ip-000-000-000.eu ns.kimsufi.com
Retrieved this SPF Record: zone updated 20151027 (TTL = 21599)
using authoritative server (ns000000.ip-000-000-000.eu) directly for SPF Check
Result: none (No applicable sender policy available)

Result code: none
Local Explanation: mydomain.com: No applicable sender policy available
spf_header = Received-SPF: none (mydomain.com: No applicable sender policy available) receiver=dkimvalidator.com; identity=mailfrom; envelope-from="admin@mydomain.com"; helo=ns000000.ip-000-000-000.eu; client-ip=000.000.000.000

This is making me think the SPF record is fetched from somewhere else than my nameserver: Retrieved this SPF Record: zone updated 20151027

OVH support confirmed that ns.kimsufi.com is a slave replicating its information from my primary name server. They said I should ignore what stuff is in the OVH control panel (even though I had copied the same records there to make sure). My domain is not registered through OVH.

My SPF record is defined in /etc/bind/zones/db.mydomain.com as:

mydomain.com. IN TXT "v=spf1 a mx a:mydomain.com mx:mydomain.com ip4:000.000.000.000 ip6:0000:0000:0:0000::1 include:mydomain.com ?all"

This validator says the syntax is fine: http://vamsoft.com/support/tools/spf-syntax-validator

Why does the dkimvalidator say my SPF Record is “zone updated 20151027?”
How can I debug this mess?

I’ve tried for almost 2 weeks and by now my syntax and settings for both SPF and DKIM should be perfect, but it seems they are not even being transmitted!

I’ve set $TTL 300 temporarily so I should now be able to test changes faster.

http://www.intodns.com/ gives me good results. The only error besides SPF & DKIM is:
ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
000.000.000.000

That is the IP of the server, but I don’t have an NS defined with purely the IP…
The DNSreport here does not give such an error: http://www.dnsstuff.com/tools

It's hard to see where the problem is without knowing the domain and what is inside your zone file, but you can use https://www.unlocktheinbox.com/resources/emailauthentication/ and check for yourself what is wrong.

Thanks, that unlocktheinbox was better than anything I’ve tried so far.

This caught my eye:
Authoritative DNS Server (SOA) Check for: mydomain.com
SOA Server Results
ns000000.ip-000-000-000.eu Failed - No Results Returned, Using Public DNS to perform lookups.

What could I do about that problem? I think it is the cause of this.

Should I try changing completely to OVH’s DNSes:
dns106.ovh.net.
ns106.ovh.net.

Instead of the current ones:
ns000000.ip-000-000-000.eu
ns.kimsufi.com

My zone file apart from the SPF and DKIM records is:

$TTL 300
;$TTL 86400
mydomain.com. IN SOA ns000000.ip-000-000-000.eu. hostmaster.mydomain.com. (
2013121226
28800
3600
604800
86400 )
mydomain.com. IN NS ns000000.ip-000-000-000.eu.
mydomain.com. IN NS ns.kimsufi.com.
mydomain.com. IN A 000.000.000.000
www IN A 000.000.000.000
mydomain.com. IN MX 5 ns000000.ip-000-000-000.eu.

Edit: ok, I got a confirmation from OVH that my own ns does not return the SOA field, so it is fetched from ns.kimsufi.com.
How could I make it work?

Edit2: I have this reverse zone:

/etc/bind/zones/rev.000.000.000.000.in-addr.arpa
@ IN SOA mydomain.com. hostmaster.mydomain.com. (
2013121217;
28800;
604800;
604800;
86400 );
@ IN NS ns000000.ip-000-000-000.eu.
77 IN PTR mydomain.com.

This is one example of how a fully working zone file looks:
$ttl 3600s
@ IN SOA ns1.mydomain.com. postmaster.mydomain.com. (
2015043068
3600
900
1209600
3600 )
@ IN NS ns1.mydomain.com.
@ IN NS ns2.mydomain.com.
mydomain.com. IN A 111.111.111.111
www.mydomain.com. IN A 111.111.111.111
ftp.mydomain.com. IN A 111.111.111.111
m.mydomain.com. IN A 111.111.111.111
ns1.mydomain.com. IN A 111.111.111.111
ns2.mydomain.com. IN A 111.111.111.111
localhost.mydomain.com. IN A 127.0.0.1
leeroy.mydomain.com. IN A 111.111.111.111
webmail.mydomain.com. IN A 111.111.111.111
admin.mydomain.com. IN A 111.111.111.111
mail.mydomain.com. IN A 111.111.111.111
mydomain.com. IN MX 5 mail.mydomain.com.
mydomain.com. IN TXT "v=spf1 a mx a:mydomain.com mx:mydomain.com ip4:111.111.111.111 -all"
mydomain.com. IN SPF "v=spf1 a mx a:mydomain.com mx:mydomain.com ip4:111.111.111.111 -all"
_dmarc.mydomain.com. IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com; rf=afrf; pct=100; ri=86400"
_adsp._domainkey.mydomain.com. IN TXT dkim=all
mail._domainkey.mydomain.com. IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=…really long code…" )

You can't just copy this and change it with your details, because there is a big chance something will not work, but it is good enough to give you an idea of how it should look. rDNS can be set from the server control panel or by asking your provider to set it for you, but you can't do this from Virtualmin/Webmin.

Got help from an acquaintance and now it works! The most important change: both of the nameservers are now OVH’s own (ns106.ovh.net & dns106.ovh.net).
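
Added example, not part of the thread: the validator output in the first post shows a retrieved TXT answer of "zone updated 20151027" together with an SPF result of none. The Python below applies the record-selection rule from RFC 7208 (sections 3.3 and 4.5) to the TXT answers of several nameservers, which shows why such an answer evaluates to none and how servers that disagree can be spotted; the server names and all answer data are constructed.

```python
# Added example: SPF record selection as defined in RFC 7208 (sections 3.3
# and 4.5), run over TXT answers from several nameservers.
# Server names and answer data are constructed, not taken from the thread.

def join_strings(rdata):
    """A TXT record may hold several character-strings; SPF joins them
    with no separator (RFC 7208 section 3.3)."""
    return "".join(rdata)

def select_spf(txt_rrset):
    """txt_rrset: list of TXT records, each a list of character-strings.
    Returns (result, record) following RFC 7208 section 4.5."""
    records = [join_strings(r) for r in txt_rrset]
    spf = [r for r in records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return ("none", None)        # no applicable sender policy
    if len(spf) > 1:
        return ("permerror", None)   # more than one SPF record published
    return ("found", spf[0])

def compare_nameservers(answers):
    """answers: {nameserver: TXT rrset}. Returns the per-server results and
    whether every server gave the same one."""
    results = {ns: select_spf(rrset) for ns, rrset in answers.items()}
    return results, len(set(results.values())) == 1

# Constructed answers: what each authoritative server returned for the TXT query.
SAMPLE = {
    # one record split into two character-strings
    "ns-a.example.": [["v=spf1 a mx ", "ip4:192.0.2.10 ?all"]],
    # a TXT record exists, but it is not an SPF record
    "ns-b.example.": [["zone updated 20151027"]],
    # typographic quotes ended up inside the record data
    "ns-c.example.": [["\u201cv=spf1 a mx ?all\u201d"]],
    # two SPF records on the same name
    "ns-d.example.": [["v=spf1 mx ?all"], ["v=spf1 a ?all"]],
}

if __name__ == "__main__":
    results, consistent = compare_nameservers(SAMPLE)
    for ns, (result, record) in results.items():
        print(f"{ns:16} {result:10} {record or ''}")
    print("all servers agree:", consistent)
```

To feed it real data, query each nameserver listed for the zone directly (for example with dig @nameserver mydomain.com TXT) and pass the returned strings in place of SAMPLE.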