gmail rejections txt record spf help

EdFred

Taxi to Parking
Joined
Feb 25, 2005
Messages
30,651
Location
Michigan
Display Name

Display name:
White Chocolate
So Gmail has decided to start rejecting emails sent from my workplace. Google "help" says to edit the TXT record. So I go to my DNS and edit the TXT record as Google says to, but does it work? Noooooooooooooo of course not, because if it did, I wouldn't be here:

So my TXT record looks like this:

mydomain.com. IN TXT v=spf1 ip4:nn.nn.nn.nn a:mydomain.com mx:mail.mydomain.com include:anothersub.mydomain.com ~all

google rejects with this:

mx.google.com rejected your message to the following e-mail addresses:

mx.google.com gave this error:
This mail has been blocked because the sender is unauthenticated. Gmail requires all senders to authenticate with either SPF or DKIM. Authentication results: DKIM = did not pass SPF [mydomain.com] with ip: [nn.nn.nn.nn] = did not pass For instructions on setting up authentication, go to https://support.google.com/mail/answer/81126#authentication z30-20020a25a121000000b00dcbaac305d8si6072499ybh.341 - gsmtp


Your message wasn't delivered because the recipient's e-mail provider rejected it.


Anyone got answers?
 
Yes, but they don't say WHAT is wrong, only that it IS.
Lemme go do some digging. There’s another one that was more helpful, I just don’t remember what it was. I’ve set up SPF and DKIM for close to a dozen domains over the past year or so.
 
You're only allowed 10 DNS calls for SPF. Does your "include:anothersub.mydomain.com" include other TXT records with "includes"? It can be easy to exceed 10 with multiple "includes"... Also the TXT record is limited to 255 characters per string.... Agree, the mx supertool is great for debugging...
 
You're only allowed 10 DNS calls for SPF. Does your "include:anothersub.mydomain.com" include other TXT records with "includes"? It can be easy to exceed 10 with multiple "includes"... Also the TXT record is limited to 255 characters per string.... Agree, the mx supertool is great for debugging...

I only have the TXT record for the main domain. Nothing for the include. The include i only have because my firewall emails from itself as its own subdomain, and when a server change was made those emails werent showing up.
 
I only have the TXT record for the main domain. Nothing for the include. The include i only have because my firewall emails from itself as its own subdomain, and when a server change was made those emails werent showing up.
OK, forgive me if I'm misunderstanding, but why have the include:anothersub.mydomain.com? If you need that in there, then you need a TXT record in DNS for anothersub.mydomain.com

EDIT: OK, I understand (I think). Since you have include:anothersub.mydomain.com, then you will need a TXT record for anothersub.mydomain.com

EDIT2: Probably OK to just create a TXT record and only include the same ip4 ip... ex, anothersub.mydomain.com TXT v=spf1 ip4:nn.nn.nn.nn ~all
 
Last edited:
OK, forgive me if I'm misunderstanding, but why have the include:anothersub.mydomain.com? If you need that in there, then you need a TXT record in DNS for anothersub.mydomain.com

EDIT: OK, I understand (I think). Since you have include:anothersub.mydomain.com, then you will need a TXT record for anothersub.mydomain.com

EDIT2: Probably OK to just create a TXT record and only include the same ip4 ip... ex, anothersub.mydomain.com TXT v=spf1 ip4:nn.nn.nn.nn
This could be it, "include:" doesn't mean what he probably thinks it does.

Another thing is the ~all (tilde all). I would use -all instead.
 
This could be it, "include:" doesn't mean what he probably thinks it does.

Another thing is the ~all (tilde all). I would use -all instead.
Yeah, good catch, I added that (well the tilde) on my fourth or fifth edit 20 sec after posting...
 
I re-edited after trying an SPF wizard and after it propogates I will test gmail again, but I gotta wait a few hours to send.
 
If you want to ensure email delivery you also need DKIM. Check out EasyDmarc.com.

I went through with our mail servers in January.
I had to do the same. SPF, DKIM, and DMARC. I still can't get mail delivered to some places because the IP address I got from the current cloud provider I'm using for that VM was apparently used by a spammer some time ago, and they've still got it blacklisted. Now I'll have to build new mail servers until I find a host and an IP that hasn't been abused already.

I hate spammers more than you can imagine.
 
Well,

I was able to send one message to gmail this morning without issue after correcting the TXT record to what it should be.

Then I sent another message to a different gmail account and it got rejected even though google's dig tool shows the record as being correct.

Every subsequent message gets rejected.

Cod Dam I ****ing hate that company,
 
Something super weird going on.

Using

if I put my domain it gives me:

;ANSWER
mydomain.com. 900 IN TXT "v=spf1 mx a ip4:nn.nn.nn.nn a:mail.mydomain.com a:sub.mydomain.com ~all"


which is what it should be.
then if I enter it in again right away I get the old one popping up

;ANSWER
mydomain.com. 14168 IN TXT "mydomain.com. IN TXT v=spf1 a:mail.mydomain.com include:sub.mydomain.com ip4:nn.nn.nn.nn ~all"


So Google keeps reading between two different TXT records, even though I only have the one.

W T F
 
For the incorrect one from yesterday it shows TTL of up to 4 hours.

the corrected one from this morning up to 15 minutes

Dale gave me another suggestion and now THAT record also shows up in cycle with a TTL of up to 15 minutes.

Depending when I hit enter, I get one of the three TXT records being returned.
 
Well, cache invalidation is one of the two hard problems in computer science.
 
All workee now?

This is why 600 seconds is my default TTL for DNS records, and even that isn’t a guarantee. Broken and intentionally misconfigured systems can and do ignore things like TTL and MX record preferences.
 
Works now. Gmail servers seem to have finally spit out the old TXT records from whatever cache/servers they had it on and from about 1300 yesterday through now, I have had no email rejections.

Thanks for the help and input.
 
Back
Top