08-23-2022 02:30 AM
I have found that certain companies that send email to us get blocked in our ESA by SPF SoftFail.
And I dug into their SPF record with the help of some sites and they all say that SPF pass while the Cisco says SoftFail so I was a bit lost why.
But after a little more digging I found the "problem"; the order of the includes. They have 3 includes and the last include includes the subnet of the sending mailserver so that would pass. But, the include above that has a ~all and the cisco says softfail because of that.
So my questions is; does SPF define that a first hit is leading and that further hits should be ignored ? Or in other words, is Cisco correct here and all the websites wrong or visa versa ?
Solved! Go to Solution.
08-23-2022 04:52 AM
RfC 7208 is really clear. First hit matches.
SPF-records are public. Maybe you should post the corresponding SPF record an your sending IP address here?
It would be more easier to help you.
Greez
08-23-2022 04:52 AM
RfC 7208 is really clear. First hit matches.
SPF-records are public. Maybe you should post the corresponding SPF record an your sending IP address here?
It would be more easier to help you.
Greez
08-23-2022 07:24 AM - edited 08-23-2022 08:01 AM
Thank you @Steflstefan that was the info I was looking for
This is a madeup example (eventhough info is public I don't feel comfortable sharing someone's misconfigs potentially):
Sending mailhost is 1.2.3.4, domain is mydomain.net
spf record is v=spf1 a:notymyserver.net a:alsonomyserver.net include:spf.anotherparty.com include:spf.yesmail.com -all
notmyserver.net resolves to 2.2.2.2
alsonotmyserver.net resolves to 3.3.3.3
spf.anotherparty.com contains this : v=spf1 ipv4:4.4.4.4 ~all
spf.yesmail.com contains this : v=spf1 ipv4:1.2.3.4 -all
Cisco reports this as softfail, which is correct if a match causes processing to stop.
But all websites that allow you check spf records against ip adrress (like mxtoolbox) will say pass.
And I have just been checking some more parties and they all have includes with ~all and -all's in the includes.
(probably I am missing something abvious)
08-23-2022 07:35 AM
Hmm, looking further into the include mechanism of the RFC I perhaps am thinking that Cisco is wrong (sorry for going back and forth).
This I have from the RFC :
+---------------------------------+---------------------------------+ | A recursive check_host() result | Causes the "include" mechanism | | of: | to: | +---------------------------------+---------------------------------+ | pass | match | | | | | fail | not match | | | | | softfail | not match | | | | | neutral | not match | | | | | temperror | return temperror | | | | | permerror | return permerror | | | | | none | return permerror | +---------------------------------+---------------------------------+
So if an include contains -all or ~all always results in "not match" being given back to the the main spf process (that perhaps isn't the correct wording but I am sure you all understand
08-23-2022 07:55 AM
Ok.
But this from your explanation looks quite wrong:
spf.anotherparty.com contains this : v=spf1 a:4.4.4.4 ~all
spf.yesmail.com contains this : v=spf1 a:1.2.3.4 -all
If you use an ip address, you should use ip4: not a:.
Try vamsoft SPF checker https://vamsoft.com/support/tools/spf-policy-tester
08-23-2022 08:00 AM
Sorry my bad, but this is not about the syntax, its about the theorie of how the includes are interpreted (that was just a quick example).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide