Articles in this section

See more

SPF check on Plesk for Linux servers does not work on long DNS TXT records

Avatar
Taras Ermoshin
Updated
Follow
Plesk for Linux kb: bug ABT: Group A

Applicable to:

  • Plesk for Linux

Symptoms

  • On Plesk for Linux, SPF check fails if the SPF record in the DNS zone of the sender's domain is too long (more than 5000 symbols), the following error can be seen in the log file /var/log/maillog:

    plesk postfix/smtpd[23645]: connect from unknown[203.0.113.2]
    plesk postfix/smtpd[23645]: 35CF7140344: client=unknown[203.0.113.2]
    plesk postfix/cleanup[23649]: 35CF7140344: message-id=<93edc7a7c90d6e1c49a27f8fb49db9b4@example.com>
    plesk spf[23651]: Starting the spf filter...
    plesk spf[23651]: SPF result: fail
    plesk spf[23651]: SPF status: REJECT
    plesk psa-pc-remote[21019]: REJECT during call 'spf' handler
    plesk postfix/cleanup[23649]: 35CF7140344: milter-reject: END-OF-MESSAGE from unknown[203.0.113.2]: 5.7.23 SPF validation failed. : Reason: mechanism; from=<sender@example.com> to=<receiver@example.net> proto=ESMTP helo=<example.com>

    plesk spf[24253]: Starting the spf filter...
    plesk spf[24253]: Error code: (26) DNS lookup failure
    plesk spf[24253]: Failed to query MAIL-FROM: Temporary DNS failure for 'example.com'.
    plesk spf[24253]: SPF result: tempfail

Cause

Bug in the library libspf2 that is used by Plesk for performing SPF checks.
The bug PPPM-8103 was created to track the issue from the Plesk side.

Resolution

Use one of the solutions:

Solution 1

In the DNS zone of the sender domain, split the SPF record into shorter records (e.g. with the hostnames spf1.example.com, spf2.example.com, etc.), and include those shorter records to the main SPF record.

Solution 2

  1. Log into Plesk.

  2. Go to Tools & Settings > Mail Server Settings.

  3. Enable the option Enable SPF spam protection to check incoming mail and set the option SPF checking mode to Only create Received-SPF headers, never block.

  4. Enable both options under DKIM spam protection.

  5. Enable the option Enable DMARC to check incoming mail.

This way, DMARC will make decisions relying on SPF and DKIM status and the emails will not be dropped because of SPF problems but SPF status will still be included in the DMARC policy check.

Comments

1 comment

Sort by Date Votes
  • Avatar
    Mario Orellana

    Hello:

    How could I know if this incident has been solved to reactivate this antispam filter?

    Thank you

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles