How to bypass IP address from SPF check on a server with Plesk?

Comments

  • Tony

    Thanks! Had to do this so one of my Plesk servers could send mail to the first on an internal IP where the sender's SPF only included the public IPs.

  • Marek Adamski

    I am looking for a working option to add one of the domains to the whitelist but when I used the "include: domainname.tld" entry it turned out that some services stopped working, including Gmail, Yahoo. All emails from these domains said "No SPF record"
    I am still looking for a solution how to efficiently and without problems add a domain to the whitelist.

  • Yaroslav Tarasov

    Hello @Marek Adamski,

    When the record "include: domainname.tld" is added into the SPF local rules field in Tools & Settings > Mail Server Settings, it means that the emails from domainname.tld will not be checked by the Mail Server of your Plesk server (Postfix) for SPF. So if there is no SPF record for that domain the email will be received anyways. The rest of the emails will be checked against the SPF policy. So the behavior you are talking about seems to be caused by some other issue.

  • Marek Adamski (Edited)

    Hello @...,

    It may seem, but the fact is that when I deleted this entry, everything returned to normal and works properly. Another record I have defined is SPF guessing.
    In this particular case, the domain has no SPF record and the mail server is not in MX, so I added it in the local SPF rules field. Since Friday, when this record was added, Gmail and Yahoo stopped working, but my private server was delivering messages without any problem. Right after deleting this record, everything is back to normal, but I can't whitelist this one host.

    OS Debian 10.11
    Product Plesk Obsidian
    Version 18.0.41

    Feb 13 01:24:32 mail amavis[11807]: (11807-07) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [2607:f8b0:4864:20::e35] [2607:f8b0:4864:20::e35] <@gmail.com> -> <delete>, Queue-ID: CF674560607, Message-ID: <CAMBGuSGqU4wzYS-5UgnaeL4akdWT3FQJKHXdfdGJ87rtFkXcuQ@mail.gmail.com>, mail_id: ZaH8xnLuxRch, Hits: -1.995, size: 39781, 1382 ms
    Feb 13 01:24:32 mail amavis[11808]: (11808-06) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK [2607:f8b0:4864:20::e2b] [2607:f8b0:4864:20::e2b] <@gmail.com> -> <delete>, Queue-ID: CE1B45605CA, Message-ID: <CAMBGuSGqU4wzYS-5UgnaeL4akdWT3FQJKHXdfdGJ87rtFkXcuQ@mail.gmail.com>, mail_id: EUCJ51_khPlM, Hits: -1.944, size: 39780, 1389 ms
    Feb 13 01:24:32 mail spf[29821]: CE1B45605CA: Error code: (2) Could not find a valid SPF record
    Feb 13 01:24:32 mail spf[29820]: CF674560607: Error code: (2) Could not find a valid SPF record
    Feb 13 01:24:32 mail psa-pc-remote[21356]: CE1B45605CA: spf: stderr: DATA REPLY:550:5.7.23 SPF validation failed. No SPF or host not allowed. Please contact your mail service provider. : Reason: mechanism
    Feb 13 01:24:32 mail psa-pc-remote[21356]: CE1B45605CA: spf: stderr: REJECT
    Feb 13 01:24:32 mail psa-pc-remote[21356]: CF674560607: spf: stderr: DATA REPLY:550:5.7.23 SPF validation failed. No SPF or host not allowed. Please contact your mail service provider. : Reason: mechanism
    Feb 13 01:24:32 mail psa-pc-remote[21356]: CF674560607: spf: stderr: REJECT
    Feb 13 01:24:32 mail postfix/cleanup[29803]: CE1B45605CA: milter-reject: END-OF-MESSAGE from mail-vs1-xe2b.google.com[2607:f8b0:4864:20::e2b]: 5.7.23 SPF validation failed. No SPF or host not allowed. Please contact your mail service provider. : Reason: mechanism; from=<delete@gmail.com> to=<delete@> proto=ESMTP helo=<mail-vs1-xe2b.google.com>
    Feb 13 01:24:32 mail postfix/cleanup[29807]: CF674560607: milter-reject: END-OF-MESSAGE from mail-vs1-xe35.google.com[2607:f8b0:4864:20::e35]: 5.7.23 SPF validation failed. No SPF or host not allowed. Please contact your mail service provider. : Reason: mechanism; from=<delete@gmail.com> to=<delete@> proto=ESMTP helo=<mail-vs1-xe35.google.com>
    Feb 13 01:24:32 mail postfix/smtpd[29799]: disconnect from mail-vs1-xe35.google.com[2607:f8b0:4864:20::e35] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=0/1 quit=1 commands=6/7
    Feb 13 01:24:32 mail postfix/smtpd[29797]: disconnect from mail-vs1-xe2b.google.com[2607:f8b0:4864:20::e2b] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=0/1 quit=1 commands=6/7

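A triage helper for the kind of maillog excerpt posted above, added here as an example (not part of the thread and not Plesk's own tooling): it pairs each `spf[...]` error with the Postfix `milter-reject` line for the same queue ID, so that after a change to the SPF local rules you can see which sender domains are being rejected. The sample lines are constructed in the same format, with documentation addresses and made-up queue IDs; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the excerpt above: documentation
# addresses and made-up queue IDs, not real traffic.
SAMPLE_LOG = """\
Feb 13 01:24:32 mail spf[29821]: AAAA0000001: Error code: (2) Could not find a valid SPF record
Feb 13 01:24:32 mail psa-pc-remote[21356]: AAAA0000001: spf: stderr: REJECT
Feb 13 01:24:32 mail postfix/cleanup[29803]: AAAA0000001: milter-reject: END-OF-MESSAGE from mx1.example.com[2001:db8::e2b]: 5.7.23 SPF validation failed. No SPF or host not allowed. Please contact your mail service provider. : Reason: mechanism; from=<alice@example.com> to=<bob@example.net> proto=ESMTP helo=<mx1.example.com>
Feb 13 01:25:10 mail postfix/cleanup[29810]: BBBB0000002: message-id=<constructed@example.org>
"""

# "<date> <host> <process>[pid]: <QUEUEID>: <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<proc>[\w/-]+)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$")
SPF_ERR = re.compile(r"Error code: \((\d+)\) (.*)")
REJECT = re.compile(r"milter-reject: \S+ from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
                    r"(?P<dsn>\d\.\d+\.\d+) SPF validation failed"
                    r".*?; from=<(?P<sender>[^>]*)>")


def spf_rejects(log_text):
    """Map queue ID -> details for every message rejected on SPF grounds."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        qid, proc, msg = m["qid"], m["proc"], m["msg"]
        if proc == "spf" and (err := SPF_ERR.match(msg)):
            seen[qid]["spf_error"] = f"({err[1]}) {err[2]}"
        elif proc == "postfix/cleanup" and (rej := REJECT.match(msg)):
            seen[qid].update(rej.groupdict())
    # Keep only queue IDs that ended in a milter reject.
    return {q: d for q, d in seen.items() if "dsn" in d}


def rejected_sender_domains(log_text):
    """Count SPF rejects per envelope-sender domain."""
    return Counter(d["sender"].rpartition("@")[2].lower()
                   for d in spf_rejects(log_text).values())


if __name__ == "__main__":
    for qid, d in spf_rejects(SAMPLE_LOG).items():
        print(qid, d["sender"], d["ip"], d["dsn"], d.get("spf_error", "-"))
    print(dict(rejected_sender_domains(SAMPLE_LOG)))
```

Running it over the mail log once before and once after adding a single local rule shows whether the set of rejected sender domains changed with that rule.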
  • Yaroslav Tarasov

    Hello,

    This can be due to the incorrect syntax in the rules. I would suggest adding the required IPs/domains one by one and checking the delivery.

  • Marek Adamski (Edited)

    It just so happens that I only had one rule added with this syntax:
    include:HostNotInMX.somedomain.xx
    Several times I also checked if the word "Include" is written correctly.
    It turned out that mail from most of the servers came through, only not from the specific ones given above, so I got tired of looking for the reason. But as my memory does not fail me yet, I quickly associated that the problem arose on the day of adding "include".
    Messages sent from a private server and domain where there is a short SPF limited to mx -all showed no problems, but the problem turns out to be Google SPF records, where they are redirected to another address that contains the entire list of entries.

    Therefore:
    * I didn't make a mistake when adding the record.
    * I only added one host.
    * Mail was still arriving from some servers.
    * Not coming from Gmail or Yahoo specifically.

    I can look for bugs and problems on my own in free administration panels, not in those for which you have to pay even for such a prosaic add-on as DNSSEC.

  • Yaroslav Tarasov

    Hello @Marek Adamski,

    Without having the full overview of your case it's difficult to associate it with the article. That's why the best option would be to submit a request to the technical support so we could find the root cause of this behavior and, possibly, improve the current article.
