Articles in this section

See more

SPF check on Plesk for Linux servers does not work on long DNS TXT records

Avatar
Taras Ermoshin
Updated
Follow
Plesk for Linux kb: fixed kb: bug ABT: Group A

Applicable to:

  • Plesk for Linux

Symptoms

  • On Plesk for Linux, SPF check fails if the SPF record in the DNS zone of the sender's domain is too long (more than 5000 symbols), the following error can be seen in the log file /var/log/maillog:

    plesk postfix/smtpd[23645]: connect from unknown[203.0.113.2]
    plesk postfix/smtpd[23645]: 35CF7140344: client=unknown[203.0.113.2]
    plesk postfix/cleanup[23649]: 35CF7140344: message-id=<93edc7a7c90d6e1c49a27f8fb49db9b4@example.com>
    plesk spf[23651]: Starting the spf filter...
    plesk spf[23651]: SPF result: fail
    plesk spf[23651]: SPF status: REJECT
    plesk psa-pc-remote[21019]: REJECT during call 'spf' handler
    plesk postfix/cleanup[23649]: 35CF7140344: milter-reject: END-OF-MESSAGE from unknown[203.0.113.2]: 5.7.23 SPF validation failed. : Reason: mechanism; from=<sender@example.com> to=<receiver@example.net> proto=ESMTP helo=<example.com>

    plesk spf[24253]: Starting the spf filter...
    plesk spf[24253]: Error code: (26) DNS lookup failure
    plesk spf[24253]: Failed to query MAIL-FROM: Temporary DNS failure for 'example.com'.
    plesk spf[24253]: SPF result: tempfail

Cause

Product issue:

  • #PPPM-8103 "Plesk can now check incoming mail by processing SPF TXT records that contain up to 1024 mechanisms."
    Fixed in:

Resolution

Please consider updating your server:

Workaround

Use one of the solutions:

Solution 1

In the DNS zone of the sender domain, split the SPF record into shorter records (e.g. with the hostnames spf1.example.com, spf2.example.com, etc.), and include those shorter records to the main SPF record.

Solution 2

  1. Log into Plesk.

  2. Go to Tools & Settings > Mail Server Settings.

  3. Enable the option Enable SPF spam protection to check incoming mail and set the option SPF checking mode to Only create Received-SPF headers, never block.

  4. Enable both options under DKIM spam protection.

  5. Enable the option Enable DMARC to check incoming mail.

This way, DMARC will make decisions relying on SPF and DKIM status and the emails will not be dropped because of SPF problems but SPF status will still be included in the DMARC policy check.

Comments

2 comments

Sort by Date Votes
  • Avatar
    Mario Orellana

    Hello:

    How could I know if this incident has been solved to reactivate this antispam filter?

    Thank you

    0
    Comment actions Permalink
  • Avatar
    Bulat Tsydenov

    Hi,

    You can follow this article. When the bug is fixed, the article will be updated accordingly.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles