I have somedomain.com on IP 1.1.1.1.
I send/receive mail using Outlook, connecting to mail.somedomain.com.
So my DNS records for somedomain.com are the typical ones:
www.somedomain.com >>> A >>> 1.1.1.1
somedomain.com >>> A >>> 1.1.1.1
somedomain.com >>> MX >>> mail.somedomain.com
mail.somedomain.com >>> A >>> 1.1.1.1
But I also send some mails (directly using the PHP mail function) from another server that is on anotherdomain.com and IP 2.2.2.2.
I tried to set up an SPF record using the Microsoft wizard (the old Open SPF wizard does NOT work anymore).
The SPF created by the wizard is this:
v=spf1 a mx ip4:1.1.1.1 mx:mail.somedomain.com ip4:2.2.2.2 -all
But I get some mails bounced back when sent from 2.2.2.2 with the message: SPF Failed - not authorized
Do you know what the right SPF value is for this scenario?
EDIT 1: as asked by Minsuk Song, I post the SPF failed message:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
[email protected]
SMTP error from remote mail server after MAIL FROM:<[email protected]> SIZE=120379:
host imp-3.mail.tiscali.it [213.205.33.247]: 550 5.1.0 <[email protected]> SPF Failed - not authorized
------ This is a copy of the message, including all the headers. ------
------ The body of the message is 116808 characters long; only the first
------ 106496 or so are included here.
Return-path: <[email protected]>
Received: from mild by server081.mildfred.com with local (Exim 4.77)
(envelope-from <[email protected]>)
id 1SRRp1-001a8D-8Z; Mon, 07 May 2012 13:34:07 -0400
To: <[email protected]>
Subject: ...
EDIT 2: as correctly noticed by nickgrim, when I send mail from IP 2.2.2.2 I send it using an address that is on somedomain.com (which is on IP 1.1.1.1). The reason I do this is that in case the mail gets rejected for any reason (as happened) I get notified on an existing address <[email protected]>.
First, the correct SPF record for your domain somedomain.com is... which means you will send mails only from your mail server (defined in the MX record) mail.somedomain.com or a host with IP address 2.2.2.2. And these mails should have somedomain.com in their "HELO" or "MAIL FROM" identity during mail transactions.
Marco, would you show the mail header that returned as authorization failed?
You say some mails sent from 2.2.2.2 fail SPF validation, correct? Do you have multiple internet lines at the location of your 2.2.2.2 server? It's possible that outgoing mail traffic might be routed over another internet line, and therefore, out another IP address.
Also, your SPF record is needlessly complicated. All that would be necessary would be v=spf1 mx ip4:2.2.2.2 -all. Only one instance of each IP which originates mail from your domain needs to be listed.
Marco, FWIW - I now find http://www.unlocktheinbox.com/spfwizard/ to be a great SPF wizard (just for future knowledge) and an overall great resource for all things DNS/Email related.
They also have a great testing tool for DNS records. Anytime I make a change I always send a test email to [email protected] to verify the records. It's saved me more time than I care to admit.
I've seen an earlier comment suggesting that only "some" of the emails are being blocked. Is that accurate the way you stated it, or are they ALL blocked? What have you tried as a result of the comments?
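As an added illustration (not code from any of the posts above), this Python sketch evaluates the wizard record and the shorter v=spf1 mx ip4:2.2.2.2 -all for somedomain.com against a constructed in-memory copy of the question's DNS records. It handles only the a, mx, ip4 and all mechanisms, and 3.3.3.3 is a constructed stand-in for mail leaving through a different outbound IP.

```python
import ipaddress

# Constructed zone mirroring the DNS records listed in the question.
ZONE = {
    ("somedomain.com", "A"): ["1.1.1.1"],
    ("somedomain.com", "MX"): ["mail.somedomain.com"],
    ("mail.somedomain.com", "A"): ["1.1.1.1"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
WIZARD = "v=spf1 a mx ip4:1.1.1.1 mx:mail.somedomain.com ip4:2.2.2.2 -all"
SIMPLE = "v=spf1 mx ip4:2.2.2.2 -all"

def a_records(name):
    return ZONE.get((name, "A"), [])

def mx_addresses(name):
    return [ip for host in ZONE.get((name, "MX"), []) for ip in a_records(host)]

def check_spf(record, domain, client_ip):
    """Evaluate a, mx, ip4 and all terms left to right; the first match decides."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        body = term[1:] if term[0] in RESULTS else term
        mech, _, arg = body.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = client_ip in a_records(arg or domain)
        elif mech == "mx":
            matched = client_ip in mx_addresses(arg or domain)
        else:
            return "permerror"  # term outside this sketch (include, redirect, ...)
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def compare(client_ip, domain="somedomain.com"):
    # Result under the wizard record, then under the shorter record.
    return check_spf(WIZARD, domain, client_ip), check_spf(SIMPLE, domain, client_ip)

if __name__ == "__main__":
    for ip in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        print(ip, compare(ip))
```

Both records give the same result for each of the three addresses: 1.1.1.1 and 2.2.2.2 pass, and any other connecting IP hits -all and fails.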