Solve SPF issues

wikipedia.org:
https://en.wikipedia.org/wiki/Sender_Policy_Framework (SPF)
https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme (SRS)

Check knowledge of SPF setup:
– more than 10 DNS lookups must result in “permerror” (following RFC guidelines)
– more than one SPF record on a domain disrupts SPF evaluation
– ‘a’, ‘mx’, ‘redirect’ and ‘include’ all end up authorizing IP addresses
(use of a domain name is not more secure; other users of a shared host are included)
– ‘exists’ executes a DNS A record search for the domain provided
– setup of ‘a’ is interpreted as ‘+a’
– a setup like a:example.com authorizes the A/AAAA IPs of the mentioned domain
– order of evaluation: the record is read from left to right
– watch out for double spaces
– make a distinction in what a DNS record points to: an underscore, as in _spf, is not allowed in a domain name
– the tilde in ‘~all’ with ‘softfail’ may unblock for a foreign mail service
Read https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail
Note: Exim’s default routing on a server uses SRS for a ‘redirect’ (forwarding).
See also my SRS routing versus mail service routing setup on
https://webhostingtech.nl/monitoring-email/solve-exim-issues/
– a dynamic SPF provision can solve too many DNS lookups by resolving them to plain IP addresses.

Analyze SPF:
https://www.mailhardener.com/tools/spf-validator

My number of DNS lookups with SPF:
– 0x: v=spf1 include:amazonses.com (-all; generic SRS)
– 2x: v=spf1 include:outgoing.spamport.com (-all; generic SRS)
– 1x: v=spf1 include:relay.mailchannels.net (~all; generic SRS)
– 0x: v=spf1 include:spf.sendinblue.com (-all; both transactional and non-transactional mail)
– 4x: v=spf1 include:_spf.sparkpostmail.com (~all; no SRS; ptr void lookups ensure pass)
– 2x: v=spf1 include:_spf.transip.email (~all; no SRS; for VPS customers of TransIP)

Example for SPF:
– outbound via the server’s MTA (Mail Transfer Agent)
– outbound via Exim or Postfix configuration to a mail service
– outbound via SMTP (or via SDK via HTTP) to Amazon SES
– bounces on the incoming side of the server
– use of a tilde in ‘~all’ may unblock for a foreign mail service

dogshowentry.nl: v=spf1 include:amazonses.com redirect=_spf.hostfusion.nl

amazonses.com: v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 ip4:23.249.208.0/20 ip4:23.251.224.0/19 ip4:76.223.176.0/20 ip4:54.240.64.0/19 ip4:54.240.96.0/19 ip4:76.223.128.0/19 ip4:216.221.160.0/19 ip4:206.55.144.0/20 -all

_spf.hostfusion.nl: v=spf1 include:_spf.transip.email ip4:93.119.10.229 ip6:2a01:7c8:bb09:262:5054:ff:fee2:a101 ip4:136.144.238.43 ip6:2a01:7c8:d008:32:5054:ff:fee8:665a ip4:85.10.131.117 ip6:2a01:7c8:bb0a:44e:5054:ff:fe0e:819f ~all

_spf.transip.email: +include:_mailcluster.transip.email

_mailcluster.transip.email: [IP’s] ~all

Syntax of SPF: http://www.openspf.org/SPF_Record_Syntax
How DNS lookups are counted (and about void lookups): https://tools.ietf.org/html/rfc7208#section-4.6.4
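
Added example (not part of the original notes): a small offline counter for the 10-lookup limit, run over the example records above. The zone dictionary is constructed from those records with the IP lists shortened; the v=spf1 prefix on _spf.transip.email and the 192.0.2.0/24 range standing in for “[IP’s]” are assumptions, and the count is the worst case in which no mechanism matches early.

```python
"""Count SPF DNS lookups (RFC 7208 section 4.6.4) over an offline zone."""

LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone: the page's example records, IP lists shortened.
# Assumed: v=spf1 on _spf.transip.email, 192.0.2.0/24 in place of "[IP's]".
ZONE = {
    "dogshowentry.nl": ["v=spf1 include:amazonses.com redirect=_spf.hostfusion.nl"],
    "amazonses.com": ["v=spf1 ip4:199.255.192.0/22 ip4:54.240.0.0/18 -all"],
    "_spf.hostfusion.nl": ["v=spf1 include:_spf.transip.email ip4:93.119.10.229 ~all"],
    "_spf.transip.email": ["v=spf1 +include:_mailcluster.transip.email"],
    "_mailcluster.transip.email": ["v=spf1 ip4:192.0.2.0/24 ~all"],
}


class PermError(Exception):
    """Evaluation must stop with the SPF result 'permerror'."""


def count_lookups(domain, zone, total=0):
    """Worst-case lookup count: assumes no mechanism matches early."""
    records = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        # Simplification: a missing record at the top level is really "none".
        raise PermError(f"{domain}: found {len(records)} SPF records, need 1")
    redirect, saw_all = None, False
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")          # a bare 'a' is the same as '+a'
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()   # 'a/24' and 'a:host/24' are both 'a'
        if name == "all":                   # terms right of 'all' are never reached
            saw_all = True
            break
        if name in LOOKUP_MECHANISMS:
            total += 1
            if total > LIMIT:
                raise PermError(f"more than {LIMIT} lookups at {domain}")
            if name == "include":
                total = count_lookups(target, zone, total)
    if redirect and not saw_all:            # 'redirect' is ignored when 'all' is present
        total += 1
        if total > LIMIT:
            raise PermError(f"more than {LIMIT} lookups at {domain}")
        total = count_lookups(redirect, zone, total)
    return total
```

With this constructed zone, count_lookups("dogshowentry.nl", ZONE) returns 4: one for the include of amazonses.com, one for the redirect, and two for the nested includes below _spf.hostfusion.nl.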