I’m having trouble getting my SPF and DKIM records to be discovered, but I’ll let this be about SPF to keep things simple.
My server is a Kimsufi, from OVH Hosting. BIND was set up by Virtualmin and later I only added a PTR record (works fine) and SPF + DKIM.
So far, http://dkimvalidator.com/ provided the best clue (I anonymized my domain info):
Helo Address = ns000000.ip-000-000-000.eu
From Address = email@example.com
From IP = 000.000.000.000
SPF Record Lookup
Looking up TXT SPF record for mydomain.com
Found the following namesevers for mydomain.com: ns000000.ip-000-000-000.eu ns.kimsufi.com
Retrieved this SPF Record: zone updated 20151027 (TTL = 21599)
using authoritative server (ns000000.ip-000-000-000.eu) directly for SPF Check
Result: none (No applicable sender policy available)
Result code: none
Local Explanation: mydomain.com: No applicable sender policy available
spf_header = Received-SPF: none (mydomain.com: No applicable sender policy available) receiver=dkimvalidator.com; identity=mailfrom; envelope-from="firstname.lastname@example.org"; helo=ns000000.ip-000-000-000.eu; client-ip=000.000.000.000
This is making me think the SPF record is fetched from somewhere other than my nameserver: Retrieved this SPF Record: zone updated 20151027
OVH support confirmed that ns.kimsufi.com is a slave replicating its information from my primary name server. They said I should ignore whatever is in the OVH control panel (even though I had copied the same records there to make sure). My domain is not registered through OVH.
My SPF record is defined in /etc/bind/zones/db.mydomain.com as:
mydomain.com. IN TXT "v=spf1 a mx a:mydomain.com mx:mydomain.com ip4:000.000.000.000 ip6:0000:0000:0:0000::1 include:mydomain.com ?all"
This validator says the syntax is fine: http://vamsoft.com/support/tools/spf-syntax-validator
Why does the dkimvalidator say my SPF Record is “zone updated 20151027”?
How can I debug this mess?
I’ve tried for almost 2 weeks and by now my syntax and settings for both SPF and DKIM should be perfect, but it seems they are not even being transmitted!
I’ve set $TTL 300 temporarily so I should now be able to test changes faster.
http://www.intodns.com/ gives me good results. The only error besides SPF & DKIM is:
ERROR: One or more of your nameservers did not respond:
The ones that did not respond are:
That is the IP of the server, but I don’t have an NS defined with purely the IP…
The DNSreport here does not give such an error: http://www.dnsstuff.com/tools
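
Added example, not part of the original post: how a receiver selects the SPF record from a name's TXT records under RFC 7208 section 4.5, showing that an answer holding only the string `zone updated 20151027` selects nothing and evaluates to `none`. The answer sets are constructed from the post's placeholder values and the function names are hypothetical; the second helper flags an `include:` term that points back at the domain being checked.

```python
# Added example: SPF record selection (RFC 7208 section 4.5) run over
# constructed TXT answer sets modelled on the post, not real DNS data.
import re

# The version tag must be exactly "v=spf1", followed by a space or the end.
SPF_VERSION = re.compile(r"^v=spf1( |$)", re.IGNORECASE)


def join_txt(rdata):
    """A TXT record is one or more character-strings, joined with no separator."""
    return "".join(rdata)


def select_spf(txt_rrset):
    """Return (result, record) the way a receiver picks the SPF policy."""
    candidates = [t for t in map(join_txt, txt_rrset) if SPF_VERSION.match(t)]
    if not candidates:
        return "none", None          # no TXT record starts with v=spf1
    if len(candidates) > 1:
        return "permerror", None     # more than one SPF record is an error
    return "found", candidates[0]


def self_includes(record, domain):
    """List include: terms whose target is the domain being evaluated."""
    hits = []
    for term in record.split()[1:]:
        m = re.match(r"^[+\-~?]?include:(.+)$", term, re.IGNORECASE)
        if m and m.group(1).rstrip(".").lower() == domain.rstrip(".").lower():
            hits.append(term)
    return hits


# Constructed answer sets for the placeholder name mydomain.com.
ONLY_NOTE = [["zone updated 20151027"]]
NOTE_AND_SPF = [
    ["zone updated 20151027"],
    ["v=spf1 a mx a:mydomain.com mx:mydomain.com ip4:000.000.000.000 "
     "ip6:0000:0000:0:0000::1 include:mydomain.com ?all"],
]

if __name__ == "__main__":
    print(select_spf(ONLY_NOTE))
    result, record = select_spf(NOTE_AND_SPF)
    print(result, self_includes(record, "mydomain.com"))
```

Feeding it the TXT strings returned by each authoritative server in turn shows whether a server hands out the SPF string at all or only the other TXT data.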