SpamAssassin test says "SPF:HELO does not match SPF record"

I've got a single server with a single IP and I'm setting up a single domain at this time. I'll be adding a few more later on and want to send from them, but at the moment, I'm trying to properly configure SPF. It seems to be properly configured according to test via google, but testing via mail-tester.com says "SPF: HELO does not match SPF record (fail)" and points me to the page on the SPF site which says the following:

"mail-tester.com rejected a message from a mail server claiming to be mars.domain.com.

mail-tester.com received a message from mars.domain.com (xxx.xxx.xxx.xxx) from a mail server claiming to be mars.domain.com.

However, the domain mars.domain.com has declared using SPF that it does not send mail through mars.domains.com (xxx.xxx.xxx.xxx). That is why the message was rejected."

I've been reading the SPF documentation repeatedly and still can not exactly comprehend what is the correct syntax to use. Here is my current DNS.

MX

mars.domain.com 10

A

xxx.xxx.xxx.xxx

  • xxx.xxx.xxx.xxx

www xxx.xxx.xxx.xxx

mars xxx.xxx.xxx.xxx

TXT

v=spf1 mx -all

  • v=spf1 -all

www v=spf1 -all

mars v=spf1 mx -all

As far as I understand, I have told it "hostnames that appear in mx records and have a matching A record are allowed to send". Which, in this case, you can see it is…

So exactly what is missing, here?!

openspf's page is suggesting I change it to "v=spf1 mx a:mars.domain.com -all" which seems unnecessary. I already have mars.domain.com with an SPF record and an A record, which should match the "mx" part of the spf1 definition, right?

4 Replies

No but it does mean no one can dig your dns records to see if the spf record is actually correct. But if you don't want to make things easier for us then fine, people won't help.

You own mars.domain.com wow that's awesome! ….Seriously we can't help without your domain/ip.

A placeholder IP and domain doesn't alter whether it is syntactically accurate or the behavior that the configuration should expect, but thank you.

Regards.

> mars v=spf1 mx -all This line says that the only allowed sender from the domain mars.domain.com is the MX for mars.domain.com which doesn't seem to exist. There are several ways to fix depending on your intent for using mars as a subdomain, but you probably want to either create an MX for mars.domain.com or change the "mx" to "a" in this line of the SPF.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct