I am trying to create an SPF record for my domain and enable my mail server to evaluate it. I am using Postfix on the mail server and policyd-spf (Python) to evaluate the records. Currently, I have an SPF record published for my domain over my private DNS server, and you can see the record on the server with an nslookup command.
The problem I'm currently having is that regardless of the SPF record that I publish, policyd-spf is returning "None (no SPF record)" in the email header. I am looking for either a pass or fail so that I can fix the record accordingly, but it doesn't seem to be evaluating it at all at this point. Any help will be much appreciated!
I've tried to publish several different records (at different times) for both web1 and mail.example.com in several different formats already (shown below), but I think it's a configuration issue. The IP address "XXX.XX.XX.XXX" points to the "web1" host, and the address "YYY.YY.YY.YY" points to the "mail.example.com" host, which is the mail server.
mail.example.com. IN TXT "v=spf1 include:mail.example.com -all"
mail.example.com. IN TXT "v=spf2.0/pra include:mail.example.com -all"
mail.example.com. IN TXT "v=spf1 a ip4:XXX.XX.XX.XXX -all"
mail.example.com. IN TXT "v=spf2.0/pra a ip4:XXX.XX.XX.XXX -all"
example.com. IN TXT "v=spf1 -all"
mail.example.com. IN TXT "v=spf1 a include:web1 -all"
mail.example.com. IN TXT "v=spf1 a ip4:YYY.YY.YY.YY -all"
Here is the log output when I try to send an email:
Apr 5 09:17:33 mail postfix/smtpd[9114]: connect from web1[XXX.XX.XX.XXX]
Apr 5 09:17:33 mail policyd-spf[9119]: Starting
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "request=smtpd_access_policy"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "protocol_state=RCPT"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "protocol_name=ESMTP"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "client_address=XXX.XX.XX.XXX"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "client_name=web1"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "reverse_client_name=web1"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "helo_name=web1"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "sender=noreply@mail.example.com"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "recipient=bowser@mail.example.com"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "recipient_count=0"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "queue_id="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "instance=239a.5ca7556d.9e4db.0"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "size=0"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "etrn_domain="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "stress="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "sasl_method="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "sasl_username="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "sasl_sender="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "ccert_subject="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "ccert_issuer="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "ccert_fingerprint="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "encryption_protocol="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "encryption_cipher="
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: "encryption_keysize=0"
Apr 5 09:17:33 mail policyd-spf[9119]: Read line: ""
Apr 5 09:17:33 mail policyd-spf[9119]: Found the end of entry
Apr 5 09:17:33 mail policyd-spf[9119]: Config: {'Mail_From_reject': 'Fail', 'Void_Limit': 2, 'Lookup_Time': 20, 'HELO_reject': 'Fail', 'Header_Type': 'SPF', 'defaultSeedOnly': 1, 'PermError_reject': 'False', 'debugLevel': 4, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'TempError_Defer': 'False'}
Apr 5 09:17:33 mail policyd-spf[9119]: Cached data for this instance: []
Apr 5 09:17:43 mail policyd-spf[9119]: spfcheck: pyspf result: "['None', '', 'helo']"
Apr 5 09:17:43 mail policyd-spf[9119]: None; identity=helo; client-ip=XXX.XX.XX.XXX; helo=web1; envelope-from=noreply@mail.example.com; receiver=bowser@mail.example.com
Apr 5 09:17:43 mail policyd-spf[9119]: Header type: SPF; Authres ID (for AR): None
Apr 5 09:17:43 mail policyd-spf[9119]: spfcheck: pyspf result: "['None', '', 'mailfrom']"
Apr 5 09:17:43 mail policyd-spf[9119]: None; identity=mailfrom; client-ip=XXX.XX.XX.XXX; helo=web1; envelope-from=noreply@mail.example.com; receiver=bowser@mail.example.com
Apr 5 09:17:43 mail policyd-spf[9119]: Header type: SPF; Authres ID (for AR): None
Apr 5 09:17:43 mail policyd-spf[9119]: Action: prepend: Text: Received-SPF: None (no SPF record) identity=mailfrom; client-ip=XXX.XX.XX.XXX; helo=web1; envelope-from=noreply@mail.example.com; receiver=bowser@mail.example.com
Apr 5 09:17:43 mail postfix/smtpd[9114]: CBCB723ADE: client=web1[XXX.XX.XX.XXX]
Apr 5 09:17:43 mail postfix/cleanup[9133]: CBCB723ADE: message-id=<310009219.518.1554470379582@web1>
Apr 5 09:17:43 mail postfix/qmgr[9111]: CBCB723ADE: from=<noreply@mail.example.com>, size=3718, nrcpt=1 (queue active)
Apr 5 09:17:43 mail postfix/smtpd[9114]: disconnect from web1[XXX.XX.XX.XXX]
Apr 5 09:17:43 mail postfix/local[9134]: CBCB723ADE: to=<bowser@mail.example.com>, relay=local, delay=10, delays=10/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Apr 5 09:17:43 mail postfix/qmgr[9111]: CBCB723ADE: removed
Here is my postconf -n output:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = YYY.YY.YY.YY, 127.0.0.0/8 [::1]/128
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_recipient_restrictions = check_policy_service unix:private/policyd-spf, permit_sasl_authenticated, reject_unauth_destination, warn_if_reject
unknown_local_recipient_reject_code = 550
And here is my policyd-spf.conf file:
# For a fully commented sample config file see policyd-spf.conf.commented
debugLevel = 4
defaultSeedOnly = 1
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
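
Added example, not part of the original post: an offline model of the record-selection step an SPF checker performs (RFC 7208 sections 2.3, 2.4 and 4.5), applied to the helo_name and sender values from the log and to two of the record variants quoted above. The function names and the ZONE list are constructed for illustration; no DNS queries are made, so resolver behaviour is not modelled.

```python
# Added example (not from the original post): offline model of SPF record
# selection, RFC 7208 sections 2.3, 2.4 and 4.5. No DNS queries are made.

def lookup_names(helo_name, sender):
    """Domain whose TXT records are fetched for each checked identity."""
    # A null reverse-path (empty sender) is checked as postmaster@<helo>.
    domain = sender.rsplit("@", 1)[1] if "@" in sender else helo_name
    norm = lambda d: d.rstrip(".").lower()
    return {"helo": norm(helo_name), "mailfrom": norm(domain)}

def parse_txt_line(line):
    """Split a zone-file style line: owner IN TXT "value"."""
    owner, _, value = line.partition(" IN TXT ")
    return owner.strip().rstrip(".").lower(), value.strip().strip('"')

def select_spf(txt_values):
    """Only records whose version is exactly v=spf1 are SPF records."""
    hits = [v for v in txt_values
            if v.lower() == "v=spf1" or v.lower().startswith("v=spf1 ")]
    if not hits:
        return "none", None          # reported as "no SPF record"
    if len(hits) > 1:
        return "permerror", None     # more than one v=spf1 record
    return "found", hits[0]

def explain(zone_lines, helo_name, sender):
    """Per identity: (queried name, selection result, selected record)."""
    zone = {}
    for line in zone_lines:
        owner, value = parse_txt_line(line)
        zone.setdefault(owner, []).append(value)
    return {ident: (name, *select_spf(zone.get(name, [])))
            for ident, name in lookup_names(helo_name, sender).items()}

# Constructed zone built from two of the record variants quoted in the post.
ZONE = [
    'example.com. IN TXT "v=spf1 -all"',
    'mail.example.com. IN TXT "v=spf2.0/pra a ip4:XXX.XX.XX.XXX -all"',
]

if __name__ == "__main__":
    result = explain(ZONE, "web1", "noreply@mail.example.com")
    for ident, (name, status, record) in result.items():
        print(f"{ident:8} query={name:18} -> {status} {record or ''}")
```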