SPF local rules are ignored: SPF validation failed. : Reason: mechanism

Symptoms

  • Email sent from an external domain fails SPF validation with the following error in /var/log/maillog:

    postfix/cleanup[3816]: 1C923F1570: milter-reject: END-OF-MESSAGE from srv.domain.com[203.0.113.2]: 5.7.23 SPF validation failed. : Reason: mechanism; from=johndoe1@example.net to=johndoe@example.com proto=ESMTP helo=<srv.domain.com>

  • An external anti-spam server is being used
  • An SPF local rule is configured in Tools & Settings > Mail Server Settings (under SPF Spam Protection) to allow the IP addresses of the anti-spam servers
  • The sender's SPF record includes a redirect modifier:

    # dig @8.8.8.8 example1.net TXT +short |grep spf
    "v=spf1 redirect=example1.net.srv.spf-test.com"

Cause

Plesk’s SPF handler no longer applies local SPF rules when the sender domain uses redirect= in its top-level SPF record. In previous versions (such as 18.0.70), local rules were still evaluated after resolving redirect= targets.

This leads to failures in SPF evaluation for trusted relay IPs added via local rules when the upstream record chain ends with -all at the redirect target.

This has been reported as bug ID PPPM-15056.

Resolution

A permanent solution will be released in Plesk update 18.0.71.2 at the end of July or beginning of August.

As a temporary workaround, exclude the affected domains from the DMARC check. SPF failure headers will still be generated, but the emails will arrive.
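To decide which sender domains belong on that exclusion list, the rejects in /var/log/maillog can be grouped by sender domain and each domain's SPF record checked for a top-level redirect=. The script below is an added example, not Plesk code; the function names and the relay IP set are assumptions, and every log line after the first is a constructed sample.

```python
import re
from collections import Counter

# Reject line format as shown in the Symptoms section; from= may or may not
# be wrapped in <> depending on how the log was captured.
REJECT = re.compile(
    r"milter-reject: END-OF-MESSAGE from \S*\[(?P<ip>[^\]]+)\]: "
    r"5\.7\.23 SPF validation failed\..*?Reason: mechanism; "
    r"from=<?(?P<sender>[^\s>]+)>?"
)

def affected_senders(log_lines, relay_ips):
    """Count 'Reason: mechanism' rejects per sender domain, keeping only
    messages delivered by the relays that the SPF local rule should allow."""
    hits = Counter()
    for line in log_lines:
        m = REJECT.search(line)
        if m and m.group("ip") in relay_ips and "@" in m.group("sender"):
            hits[m.group("sender").rpartition("@")[2].lower()] += 1
    return hits

def redirect_target(spf_txt):
    """Return the redirect= target of an SPF record, or None. Per RFC 7208
    a redirect is ignored when the record also has an 'all' mechanism."""
    terms = spf_txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    if any(t.lstrip("+-~?").lower() == "all" for t in terms[1:]):
        return None
    for term in terms[1:]:
        name, sep, value = term.partition("=")
        if sep and name.lower() == "redirect":
            return value
    return None

# First line is the one from this article; the rest are constructed samples.
SAMPLE_LOG = [
    "postfix/cleanup[3816]: 1C923F1570: milter-reject: END-OF-MESSAGE from srv.domain.com[203.0.113.2]: 5.7.23 SPF validation failed. : Reason: mechanism; from=johndoe1@example.net to=johndoe@example.com proto=ESMTP helo=<srv.domain.com>",
    "postfix/cleanup[3820]: 2D034F1571: milter-reject: END-OF-MESSAGE from srv.domain.com[203.0.113.2]: 5.7.23 SPF validation failed. : Reason: mechanism; from=<alice@Example.NET> to=<johndoe@example.com> proto=ESMTP helo=<srv.domain.com>",
    "postfix/cleanup[3825]: 3E145F1572: milter-reject: END-OF-MESSAGE from mail.example.org[198.51.100.7]: 5.7.23 SPF validation failed. : Reason: mechanism; from=<bob@example.org> to=<johndoe@example.com> proto=ESMTP helo=<mail.example.org>",
    "postfix/smtpd[3830]: connect from srv.domain.com[203.0.113.2]",
]

if __name__ == "__main__":
    for domain, n in affected_senders(SAMPLE_LOG, {"203.0.113.2"}).most_common():
        print(f"{domain}: {n} rejected via relay")
    print(redirect_target('"v=spf1 redirect=example1.net.srv.spf-test.com"'))
```

A domain that shows up in `affected_senders` and whose TXT record (from the `dig` command above) yields a `redirect_target` matches the symptoms of this article; rejects from clients outside the relay set are ordinary SPF failures and are left out.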

If maintaining a large DMARC exclusion list is not practical, the SPF and DMARC checks on incoming mail can be disabled as follows:

  1. Log into Plesk
  2. Go to Tools & Settings > Mail Server Settings
  3. Uncheck Enable DMARC to check incoming mail and Enable SPF spam protection to check incoming mail.
  4. Click OK.