Applicable to:
- Plesk for Linux
Symptoms
-
On Plesk for Linux, SPF check fails if the SPF record in the DNS zone of the sender's domain is too long (more than 5000 symbols), the following error can be seen in the log file
/var/log/maillog
:plesk postfix/smtpd[23645]: connect from unknown[203.0.113.2]
plesk postfix/smtpd[23645]: 35CF7140344: client=unknown[203.0.113.2]
plesk postfix/cleanup[23649]: 35CF7140344: message-id=<93edc7a7c90d6e1c49a27f8fb49db9b4@example.com>
plesk spf[23651]: Starting the spf filter...
plesk spf[23651]: SPF result: fail
plesk spf[23651]: SPF status: REJECT
plesk psa-pc-remote[21019]: REJECT during call 'spf' handler
plesk postfix/cleanup[23649]: 35CF7140344: milter-reject: END-OF-MESSAGE from unknown[203.0.113.2]: 5.7.23 SPF validation failed. : Reason: mechanism; from=<sender@example.com> to=<receiver@example.net> proto=ESMTP helo=<example.com>
plesk spf[24253]: Starting the spf filter...
plesk spf[24253]: Error code: (26) DNS lookup failure
plesk spf[24253]: Failed to query MAIL-FROM: Temporary DNS failure for 'example.com'.
plesk spf[24253]: SPF result: tempfail
Cause
Bug in the library libspf2 that is used by Plesk for performing SPF checks.
The bug PPPM-8103 was created to track the issue from the Plesk side.
Resolution
Use one of the solutions:
In the DNS zone of the sender domain, split the SPF record into shorter records (e.g. with the hostnames spf1.example.com, spf2.example.com, etc.), and include those shorter records to the main SPF record.
-
Go to Tools & Settings > Mail Server Settings.
-
Enable the option Enable SPF spam protection to check incoming mail and set the option SPF checking mode to Only create Received-SPF headers, never block.
-
Enable both options under DKIM spam protection.
-
Enable the option Enable DMARC to check incoming mail.
This way, DMARC will make decisions relying on SPF and DKIM status and the emails will not be dropped because of SPF problems but SPF status will still be included in the DMARC policy check.
Comments
1 comment
Hello:
How could I know if this incident has been solved to reactivate this antispam filter?
Thank you
Please sign in to leave a comment.