Debugging 'The message failed SPF checks' when everything looks fine

Posted on January 5th, 2018

The other day a customer complained that they could not send us mail: we were rejecting their messages because they failed SPF (https://en.wikipedia.org/wiki/Sender_Policy_Framework).

[root@mailwatch exim]# host -t TXT foo.tld 
foo.tld descriptive text "v=spf1 include:_spf.google.com ~all"

Everything looks good. Going through the records pulled in by the Google "include" also seemed fine. Maybe a caching issue, or a problem on Google's side? I did not really believe that.

Later we checked again to see whether it had fixed itself, but no, it was still failing.

Then someone asked me to check the actual SPF DNS record type (type 99), not just the TXT records. The history section of the Wikipedia article notes that the dedicated SPF record type was deprecated in 2014 by RFC 7208, which requires SPF policies to be published as TXT records only: https://mxtoolbox.com/problem/spf/spf-record-deprecated

Querying for the SPF record type showed this:

host -t spf foo.tld
foo.tld has SPF record "v=spf1 a include:spf.unoeuro.com -all"

So when they migrated their email service to GSuite and their DNS to Cloudflare (https://www.cloudflare.com/dns/), they copied over all the old records, including the legacy SPF-type record that still pointed at their previous mail provider, and at the same time created the new TXT record for GSuite. Our SPF checker evidently still consulted the legacy record, which does not authorize Google's servers, so their mail failed even though the TXT record was correct. The fix is to delete the stale type 99 record and keep a single v=spf1 TXT record; when an SPF check fails "for no reason", query both record types before blaming caching. This is just one of those days when you love being an email/system administrator.
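As an added example (not part of the original post), here is a small Python script that does the check this post ended up needing: query both the TXT record and the deprecated SPF (type 99) record with dig and flag the case where the two disagree, plus the other common misconfiguration, more than one v=spf1 TXT record. The query helper shells out to dig, which is assumed to be installed; the sample records are constructed from the two answers in the post (foo.tld is the post's placeholder, and the site-verification TXT record is made up to show that non-SPF TXT records are ignored).

```python
import shlex
import subprocess


def parse_dig_short(output):
    """Turn `dig +short` output into one string per record.

    dig prints each TXT/SPF record as one or more double-quoted character
    strings on a single line; RFC 7208 says the strings of one record are
    concatenated without separators, which is what the join does.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append("".join(shlex.split(line)))
    return records


def query(domain, rrtype):
    """Run `dig +short <domain> <rrtype>` and return the parsed records.

    rrtype is "TXT" for the current record type and "SPF" (type 99) for the
    deprecated one. Needs network access and a dig binary; diagnose_spf()
    below takes the record lists directly so it can be used offline.
    """
    result = subprocess.run(
        ["dig", "+short", domain, rrtype],
        capture_output=True, text=True, check=True,
    )
    return parse_dig_short(result.stdout)


def spf_policies(records):
    """Keep only records that are SPF policies (the version tag is case-insensitive)."""
    return [r for r in records if r.lower().startswith("v=spf1")]


def diagnose_spf(txt_records, spf_records):
    """Compare the TXT and legacy SPF (type 99) answers for one domain.

    Returns a list of (code, message) findings; an empty list means the
    published policy is unambiguous.
    """
    txt = spf_policies(txt_records)
    legacy = spf_policies(spf_records)
    findings = []

    if not txt:
        findings.append(("NO_TXT",
                         "no v=spf1 TXT record published; SPF result is 'none'"))
    elif len(txt) > 1:
        findings.append(("MULTIPLE_TXT",
                         "more than one v=spf1 TXT record; RFC 7208 requires a permerror"))

    if legacy:
        if set(legacy) != set(txt):
            findings.append(("STALE_TYPE99",
                             "deprecated SPF (type 99) record differs from the TXT policy: "
                             f"TXT={txt} SPF={legacy}; a checker that still reads type 99 "
                             "evaluates the wrong policy, delete the type 99 record"))
        else:
            findings.append(("DUPLICATE_TYPE99",
                             "deprecated SPF (type 99) record duplicates the TXT policy; "
                             "harmless today, but delete it so the two cannot drift apart"))
    return findings


# Constructed sample mirroring the two answers in the post (foo.tld placeholder);
# the site-verification record is invented to show non-SPF TXT records are skipped.
SAMPLE_TXT = ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123"]
SAMPLE_SPF = ["v=spf1 a include:spf.unoeuro.com -all"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <domain>")
    domain = sys.argv[1]
    findings = diagnose_spf(query(domain, "TXT"), query(domain, "SPF"))
    for code, msg in findings or [("OK", "TXT policy and type 99 answer agree")]:
        print(f"{code}: {msg}")
```

Run as `python3 spfcheck.py foo.tld`; on the records from the post it reports STALE_TYPE99 with both policies side by side, which is exactly the discrepancy that took a second pair of eyes to spot here.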
