SPF Fail - and too many DNS lookups

Britt Malka

Britt Malka

Member
Hi,
I've struggled with the SPF for a long time. Too many of my sent emails bounces, and when I get the dmarc reports, it shows that the SPF fails.

If I only send with sparkpost, I use the following:

Code: 
v=spf1 mx a include:sparkpostmail.com ~all

Then there's not too many DNS lookups.

But if I add hostgator's sending domain, I run into the too many DNS lookups. The code line looks like this:

Code: 
v=spf1 mx a include:websitewelcome.com include:sparkpostmail.com ~all

To begin with, I sent with several SMTP services, which made it totally impossible to use SPF. Luckily, it turned out that Elasticemail didn't allow affiliate marketing, so I closed my account there.

But how do you handle the SPF? How can I avoid so many bouncing emails and failed SPF?
 
Britt Malka said:
Hi,
I've struggled with the SPF for a long time. Too many of my sent emails bounces, and when I get the dmarc reports, it shows that the SPF fails.

If I only send with sparkpost, I use the following:

Code: 
v=spf1 mx a include:sparkpostmail.com ~all

Then there's not too many DNS lookups.

But if I add hostgator's sending domain, I run into the too many DNS lookups. The code line looks like this:

Code: 
v=spf1 mx a include:websitewelcome.com include:sparkpostmail.com ~all

To begin with, I sent with several SMTP services, which made it totally impossible to use SPF. Luckily, it turned out that Elasticemail didn't allow affiliate marketing, so I closed my account there.

But how do you handle the SPF? How can I avoid so many bouncing emails and failed SPF?
Click to expand...

Which IPs do you really need? Once you have it boiled down, it is just a matter of notation.
Check if your MX and A are the same and/or already included in the other ranges, if so, skip those two (saves two lookups), or reduce to one if one and the same, and incl as IP (so replace "YourIPaddress" down there with the real IP), to avoid lookups
then try e.g.
v=spf1 ip4:YourIPaddress include:spf.websitewelcome.com include:spf1.websitewelcome.com include:sparkpostmail.com ~all
since the 'websitewelcome.com' incl a lot of google spf ranges, that you might not need.
Again, the above is just an example, scoop out exactly what you need and then test it :)
 
Thank you for your reply.

I once found a place where I could check what those addresses really corresponded to, but I can't find it again. Why did you take spf and spf1.websitewelcome.com for example? Were they just some you guessed, or do you know how to drill down to the root of the included addresses?

Same question about MX and A - how do I know if I need them or not?
 
Not sure what to make of your answer.

Britt Malka said:
I once found a place where I could check what those addresses really corresponded to, but I can't find it again.
Click to expand...
Just dig it out of the dns text records ;)

Britt Malka said:
Why did you take spf and spf1.websitewelcome.com for example?
Click to expand...
Perhaps take a moment to thoroughly read my previous post.

Britt Malka said:
Were they just some you guessed
Click to expand...
No, see prev post, which explained it.

Britt Malka said:
do you know how to drill down to the root of the included addresses?
Click to expand...
Yes, see above.

Britt Malka said:
Same question about MX and A - how do I know if I need them or not?
Click to expand...
Explained in prev post.

After you go thoroughly through above and prev post, feel free to come back with specific questions.
 
I had already read your post at least three times. Now I've read it three times more.

I still don't understand what you mean. It might be obvious to you, but to me it's not. One example:

Just dig it out of the dns text records
Click to expand...

What do you mean by "dig it out"? Remove it? Or find it by using some skill I don't have by looking at the txt record? Perhaps "dig it out" is some kind of programmer jargon that programmers understand, but I don't. I have long hair, but I'm no programmer. Is that it?

Anyway, thanks for spending time writing to me. By the way, don't assume that because I don't understand what you're writing means that I haven't read what you've written. Many times even. I still don't understand it.
 
Thank you.

So "dig" is a Linux command. I found out after reading articles following your link. It only took me 30 minutes to figure that out.

I don't have Linux, but I assume SSL or something (not sure of the acronym) could do it, but we don't have that.

One article did a good job of explaining SPF and the other things. It recommended that I sent a test email to Gmail, which I did, and my SPF passed, both for the private email I sent, and for bulk email through MailWizz and Sparkpostmail.

So perhaps I should just stay happy with the 6% bounces I have, even though I know these people exist and their emails are valid, and I will have to add them back to my list manually when they are kicked off.

My head hair is a bit shorter, but I am no programmer either!?! :p
Click to expand...

I wouldn't know, because you're not showing your face, are you? :p
 
Britt Malka said:
So "dig" is a Linux command. I found out after reading articles following your link. It only took me 30 minutes to figure that out.
Click to expand...
try google more
https://www.google.co.uk/search?q=get+dns+txt+record

once you find the record for what u had (websitewelcome.com), u will see the others, then search those too, and you will see

Britt Malka said:
I don't have Linux, but I assume SSL or something (not sure of the acronym) could do it, but we don't have that.
Click to expand...
u can search also from within windows or from mac terminal

Britt Malka said:
So perhaps I should just stay happy with the 6% bounces I have, even though I know these people exist and their emails are valid, and I will have to add them back to my list manually when they are kicked off.
Click to expand...
no, keep at it, just ask specific questions, here or google, and then put the info together
(the reason why there is no direct ready-made answer, is, that i do not have all data (even though i could assume something), but also privacy, so feel free to PM the data to get the simplified spf record)

Britt Malka said:
I wouldn't know, because you're not showing your face, are you? :p
Click to expand...
beautiful faces can be misleading, facts stand the test of time

:)
 
This error is not as bad as it sounds and in my experience will not affect delivery. It's a technical limitation built into SPF. If you're mailing from a dedicated IP, the easy alternative would be to hard code your IP address like:

v=spf1 mx a ip4:192.168.0.1 ~all

If it's not a dedicated IP, you may be coming from a range, in which case you can make it:

v=spf1 ip4:192.168.0.1/16 ~all

which would allow any IP address between 192.168.0.1 and 192.168.255.255.

The easiest place to find your IP is to send yourself some messages at Gmail. When you receive them, open the message, and click Show Original from the options. In there, you'll see a few IP addresses, but you're looking for the one in a statement like:

Received: from smtp-soi-g13-137.aweber.com (smtp-soi-g13-137.aweber.com. [204.194.223.137])

Send yourself a few tests and see if that IP changes. If it does, include the others individually. You can include as many IP addresses as you want in an SPF record. It's the domain lookups (specifically, the additional lookups at sparkhostmail) that it's objecting to here.

www.MxToolbox.com is a very good resource in the authentication arena.
 
You must log in or register to reply here.
Back
Top