Solve SPF issues (SPF) (SRS)

Check knowledge of SPF setup:
– above 10 lookups must show “permerror” (following RFC guidelines)
– more than one SPF record disrupts
– ‘a’, ‘mx’, ‘redirect’ and ‘include’, in the end authorize for IPs
– (use of a domain name is not more secure; other shared host users are included also)
– setup of ‘a’ is interpreted as ‘+a’
– setup like can allow for A/AAAA IPs from the mentioned domain
– sequence of setup: reads from left to right
– watch out for double spaces
– make a difference to a domain name in a DNS record: an undercore in _spf, is not allowed in a domain name
– use the tilde in ‘~all’ to allow unauthorized forwarding by a foreign server
– a dynamic SPF facility can convert to many DNS lookups to plain IP addresses.

Analyze SPF:
– DNS lookups and void lookups
– DNS lookups and syntax check of external SPF’s:
(MessageBird will be shutting down the SPF Inspector at the end of July 2021)
– Less good (misses double ‘v=’, code after ‘all’ and count of a / mx lookups):

My number of DNS lookups with SPF:
– 0x: v=spf1 -all (generic SRS)
– 0x: v=spf1 -all (generic SRS; customers of Cyberfusion)
– 2x: v=spf1 -all (generic SRS; no lookup if using IP netblocks)
– 1x: v=spf1 -all (generic SRS)
– 0x: v=spf1 -all (both transactional and non-transactional mail)
– 4x: v=spf1 -all (no SRS; ptr void lookups ensure pass)
– 2x: v=spf1 -all (no SRS; for VPS customers of TransIP)

Example of SPF:
– outbound via MTA via Exim or Postfix configuration to Cyberfusion mail service
– outbound via SMTP (or via SDK via HTTP) to Amazon SES
– bounces on incoming of the server
– bounces on incoming of the fallback mail server
– use of a tilde in ‘~all’ to allow forwarding by a foreign server
– 3x: v=spf1 ~all

Explanation of failures:
Syntax of SPF:
How DNS lookup counts (and about void lookups):