I have a dedicated server with a survey system running on a subdomain. The parent domain is hosted on another server. I send email via google apps.
Reverse DNS is correct.
Without SPF og DKIM, the very smart '[email protected]' returns a spamassasin score of ca. 0.
But with a passing SPF record and this summary
SPF check: pass
DomainKeys check: neutral
DKIM check: neutral
Sender-ID check: pass
SpamAssassin check: ham
I get a quite high spamassasin score of ca. 3 - due to the header being very big:
pts rule name description
---- ---------------------- --------------------------------------------------
3.1 SINGLE_HEADER_2K A single header contains 2K-3K characters
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
So my question is: It seems from this that I should delete the spf record? since a large header is deemed worse then a valid spf?
Or is it my spf which is wrong?
v=spf1 a mx ptr ip4:xxx.xx.xxx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all
xxx IP is for the server with the tld yyy IP is the server where the subdomain is hosted.
Below a part of the header:
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: [email protected]
DNS record(s):
mydomain.dk. SPF (no records)
mydomain.dk. 400 IN TXT "v=spf1 a mx ptr ip4:xxx.xx.xxx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all"
mydomain.dk. 360 IN A xxx.xx.xxx.xx
mydomain.dk. 41895 IN MX 10 aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt2.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt1.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 30 aspmx2.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx3.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx4.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx5.googlemail.com.
aspmx.l.google.com. 217 IN A 74.125.115.27
alt2.aspmx.l.google.com. 204 IN A 209.85.229.27
alt1.aspmx.l.google.com. 248 IN A 209.85.229.26
aspmx2.googlemail.com. 1036 IN A 74.125.43.27
aspmx3.googlemail.com. 1658 IN A 74.125.127.27
aspmx4.googlemail.com. 863 IN A 209.85.229.27
aspmx5.googlemail.com. 921 IN A 74.125.157.27
174.160.85.209.in-addr.arpa. 86400 IN PTR mail-gy0-f174.google.com.
mail-gy0-f174.google.com. 86400 IN A 209.85.160.174
mydomain.dk. 41895 IN MX 10 aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt2.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt1.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 30 aspmx2.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx4.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx5.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx3.googlemail.com.
aspmx.l.google.com. 217 IN A 74.125.115.27
alt2.aspmx.l.google.com. 204 IN A 209.85.229.27
alt1.aspmx.l.google.com. 248 IN A 209.85.229.26
aspmx2.googlemail.com. 1036 IN A 74.125.43.27
aspmx4.googlemail.com. 863 IN A 209.85.229.27
aspmx5.googlemail.com. 921 IN A 74.125.157.27
aspmx3.googlemail.com. 1658 IN A 74.125.127.27
_spf.google.com. SPF (no records)
_spf.google.com. 206 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
Again I have crossed out my own IP's and the rest i guess is googles?
What should I do now? Should I delete the spf record, or can I change it somehow to get a smalle header, that still works?
SPF shouldn't be causing a header to be added. Something else should be doing this. Look at your headers for some segment where there are lots of lines in a row which are indented (continuation lines). This will be your problem header.
As you are using
~all
, your SPF record won't be that effective. You are better off coming up with a policy which wil enable you to end your spf record with '-all'. See my comments on Securing your Email Reputation with SPF.You do not need the full verbose list of all mail exchangers - You probably have a higher-than-necessary level of debugging set somewhere that is causing some part of your mail chain to include this.
Determine which part of your mail chain is adding this header.
Then make it stop. :-)
Not sure if your question has already been answered elsewhere (it's been a couple months since you've posted this), but I was experiencing the same issue on my Google Apps account. I found that the DKIM signature header was the culprit, and if I had Google stop signing my mail, I got a lower overall SpamAssassin score (even though the DKIM signature was valid, the value of having a valid DKIM signature was outweighed by the penalty for having such a long header in my message).
Thought you might want to check into that. For reference, the DKIM settings for Google Apps are located in the Google Apps Control Panel under Advanced Tools / Authenticate Email / Set up email authentication (DKIM)