Solve SPF issues (SPF) (SRS)

Check knowledge of SPF setup:
– above 10 lookups must show “permerror” (following RFC guidelines)
– more than one SPF record disrupts
– ‘a’, ‘mx’, ‘redirect’ and ‘include’, in the end authorize for IPs
(use of a domain name is not more secure; other shared host users are included also)
– setup of ‘a’ is interpreted as ‘+a’
– setup like can allow for A/AAAA IPs from the mentioned domain
– sequence of setup: reads from left to right
– watch out for double spaces
– make a difference in a DNS record to point to: an undercore in _spf, is not allowed in a domain name
– the tilde in ‘~all’ allows unauthorized forwarding by a foreign server with ‘softfail’
Note: Exim’s default routing on a server uses SRS for a ‘redirect’ (forwarding).
See also my SRS routing versus mail service routing setup on
– a dynamic SPF facility can convert to many DNS lookups to plain IP addresses.

Analyze SPF:

My number of DNS lookups with SPF:
– 0x: v=spf1 -all (generic SRS)
– 0x: v=spf1 -all (no SRS; customers of Cyberfusion)
– 2x: v=spf1 -all (generic SRS; no lookup if using IP netblocks)
– 1x: v=spf1 -all (generic SRS)
– 0x: v=spf1 -all (both transactional and non-transactional mail)
– 4x: v=spf1 -all (no SRS; ptr void lookups ensure pass)
– 2x: v=spf1 -all (no SRS; for VPS customers of TransIP)

Example for SPF:
– outbound via the server’s MTA (Mail Transfer Agent)
– outbound via Exim or Postfix configuration to a mail service
– outbound via SMTP (or via SDK via HTTP) to Amazon SES
– bounces on incoming of the server
– use of a tilde in ‘~all’ to allow forwarding by a foreign server 2+3x: v=spf1 0x: v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: -all 2x: v=spf1 ip4: ip6:2a01:7c8:bb09:262:5054:ff:fee2:a101 ip4: ip6:2a01:7c8:d008:32:5054:ff:fee8:665a -all 0x: v=spf1 ip6:2a0c:eb00:0:f7::/64 ip4: ip6:2a0c:eb00:0:f9::/64 ip4: ~all 1x: 0x: [IP’s] -all

Syntax of SPF:
How DNS lookup counts (and about void lookups):