Solve SPF issues

wikipedia.org:
https://en.wikipedia.org/wiki/Sender_Policy_Framework (SPF)
https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme (SRS)

Check knowledge of SPF setup:
– above 10 lookups must show “permerror” (following RFC guidelines)
– more than one SPF record disrupts
– ‘a’, ‘mx’, ‘redirect’ and ‘include’, in the end authorize for IPs
(use of a domain name is not more secure; other shared host users are included also)
– setup of ‘a’ is interpreted as ‘+a’
– setup like a:example.com can allow for A/AAAA IPs from the mentioned domain
– sequence of setup: reads from left to right
– watch out for double spaces
– make a difference in a DNS record to point to: an undercore in _spf, is not allowed in a domain name
– the tilde in ‘~all’ allows unauthorized forwarding by a foreign server with ‘softfail’
Note: Exim’s default routing on a server uses SRS for a ‘redirect’ (forwarding).
See also my dual SRS and mail service routing on
https://webhostingtech.nl/monitoring-email/solve-exim-issues/
– a dynamic SPF facility can convert to many DNS lookups to plain IP addresses.

Analyze SPF:
– DNS lookups and void lookupshttps://mxtoolbox.com/spf.aspx
– MessageBird will be shutting down this SPF Inspector at the end of July 2021:
DNS lookups and syntax check of external SPF’s: https://tools.sparkpost.com/spf/inspector
– DNS lookup analysis: https://www.dmarcanalyzer.com/spf/checker/
– Less good (misses double ‘v=’, code after ‘all’): https://internet.nl
– Detailed analysis: https://www.mailhardener.com/tools/spf-validator

My number of DNS lookups with SPF:
– 0x: v=spf1 include:amazonses.com -all (generic SRS)
– 0x: v=spf1 include:_spf.cyberfusion.nl -all (no SRS; customers of Cyberfusion)
– 2x: v=spf1 include:outgoing.spamport.com -all (generic SRS; no lookup if using IP netblocks)
– 1x: v=spf1 include:relay.mailchannels.net -all (generic SRS)
– 0x: v=spf1 include:spf.sendinblue.com -all (both transactional and non-transactional mail)
– 4x: v=spf1 include:_spf.sparkpostmail.com -all (no SRS; ptr void lookups ensure pass)
– 2x: v=spf1 include:_spf.transip.email -all (no SRS; for VPS customers of TransIP)

Example for SPF:
– outbound via the server’s MTA (Mail Transfer Agent)
– outbound via Exim or Postfix configuration to a mail service
– outbound via SMTP (or via SDK via HTTP) to Amazon SES
– bounces on incoming of the server
– bounces on incoming of the fallback mail server
– use of a tilde in ‘~all’ to allow forwarding by a foreign server

dogshowentry.nl 3x (2+1): v=spf1 include:amazonses.com redirect=_spf.hostfusion.nl

amazonses.com 0x: v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 ip4:23.249.208.0/20 ip4:23.251.224.0/19 ip4:76.223.176.0/20 ip4:54.240.64.0/19 ip4:54.240.96.0/19 ip4:52.82.172.0/22 -all

_spf.hostfusion.nl 1x: v=spf1 include:_spf.cyberfusion.nl ip4:93.119.10.229 ip6:2a01:7c8:bb09:262:5054:ff:fee2:a101 ip4:136.144.238.43 ip6:2a01:7c8:d008:32:5054:ff:fee8:665a -all

_spf.cyberfusion.nl 0x: v=spf1 ip6:2a0c:eb00:0:f7::/64 ip4:185.233.175.128/25 ip6:2a0c:eb00:0:f9::/64 ip4:185.233.173.134/28 ~all

Syntax of SPF: http://www.openspf.org/SPF_Record_Syntax
How DNS lookup counts (and about void lookups): https://tools.ietf.org/html/rfc7208#section-4.6.4