[dmarc-discuss] SPF Check issue on Google Reports

Daniel Brito danielcobd at gmail.com
Thu Sep 18 05:38:01 PDT 2014


Franck,

The statement "a:" it is redundant, i will suppress this. thanks.
Nevertheless, as you said, gmail should not fail on my SPF record.

Regards,
Daniel Brito








On Wed, Sep 17, 2014 at 4:57 PM, Franck Martin <fmartin at linkedin.com> wrote:

> Check
> https://dmarcian.com/spf-survey/prodest.es.gov.br
> There is a warning and the a: is redundant anyhow, I would just suppress
> it. No need to add an extra DNS query.
>
> your authoritative servers seems fine:
>
> http://www.digwebinterface.com/?hostnames=prodest.es.gov.br&type=TXT&showcommand=on&colorize=on&useresolver=8.8.4.4&ns=auth&nameservers=
>
> Otherwise, yes, Gmaill should not fail that often on this SPF record.
>
> On Sep 17, 2014, at 8:59 PM, Daniel Brito via dmarc-discuss <
> dmarc-discuss at dmarc.org> wrote:
>
> Hi Jesper,
>
> The statement "a" accept this sintax : "a:<domain>/<prefix-length>". You
> could check on the this page: http://www.openspf.org/SPF_Record_Syntax
>
> Also, it is possible to check the spf record on some internet tools. I
> particularly use this: http://vamsoft.com/support/tools/spf-policy-tester
> .
>
> I will continue analyzing the dmarc report until i feel confident to use
> on 100% of the mesagens.
>
>
> Regards,
> Daniel Brito
>
>
> On Wed, Sep 17, 2014 at 2:13 PM, Jesper Knudsen <
> jesper.knudsen at scanmailx.com> wrote:
>
>> Do not know whether its the reason but your SPF record looks a little odd
>> to me.
>>
>>
>>
>> v=spf1 a:ironport.mail.es.gov.br/24 ip4:201.62.46.0/24 ip4:201.62.33.0/24
>> ~all
>>
>>
>>
>> The “a:” statement should not to my knowledge have a “/24” – maybe Google
>> is just getting choked with that.
>>
>>
>>
>> Regards,
>>
>> Jesper
>>
>>
>>
>> *From:* dmarc-discuss [mailto:dmarc-discuss-bounces at dmarc.org] *On
>> Behalf Of *Daniel Brito via dmarc-discuss
>> *Sent:* 16. september 2014 15:56
>> *To:* João Oliveirinha
>> *Cc:* dmarc-discuss at dmarc.org
>> *Subject:* Re: [dmarc-discuss] SPF Check issue on Google Reports
>>
>>
>>
>> Hi, thanks for all.
>>
>>
>>
>> I verified all the suggestions, but everything is correctly. I don´t have
>> IPV6 and the DNS servers return the same results.
>>
>> Today, i received this report from google:
>>
>>
>>
>> <record>
>>
>>     <row>
>>
>>       <source_ip>201.62.46.25</source_ip>
>>
>>       <count>21</count>
>>
>> .
>>
>> .
>>
>> .
>>
>>       <spf>
>>
>>         <domain>prodest.es.gov.br</domain>
>>
>>         <result>pass</result>
>>
>>       </spf>
>>
>>     </auth_results>
>>
>> </record>
>>
>>
>>
>> <record>
>>
>>     <row>
>>
>>       <source_ip>201.62.46.25</source_ip>
>>
>>       <count>1</count>
>>
>>     .
>>
>> .
>>
>> .
>>
>>       <spf>
>>
>>         <domain>prodest.es.gov.br</domain>
>>
>>         <result>fail</result>
>>
>>       </spf>
>>
>>     </auth_results>
>>
>> </record>
>>
>>
>>
>> <record>
>>
>>     <row>
>>
>>       <source_ip>201.62.46.25</source_ip>
>>
>>       <count>30</count>
>>
>>     .
>>
>> .
>>
>> .
>>
>>       <spf>
>>
>>         <domain>prodest.es.gov.br</domain>
>>
>>         <result>pass</result>
>>
>>       </spf>
>>
>>     </auth_results>
>>
>> </record>
>>
>>
>>
>> <record>
>>
>>     <row>
>>
>>       <source_ip>201.62.46.25</source_ip>
>>
>>       <count>7</count>
>>
>>     .
>>
>> .
>>
>> .
>>
>>       <spf>
>>
>>         <domain>prodest.es.gov.br</domain>
>>
>>         <result>fail</result>
>>
>>       </spf>
>>
>>     </auth_results>
>>
>> </record>
>>
>> ...
>>
>>
>>
>> This information is in one report aggregate, all this messages have
>> passed in DKIM verification, so this not impact me. But if it is not a
>> error in Google servers, it could be some miss configuration here.
>>
>> The DMARC registes is : "v=DMARC1; p=reject; sp=none; pct=70; rua=mailto:
>> dmarc at prodest.es.gov.br"
>>
>>
>>
>> Like João Oliveirinha said, it is a minimum percentage of the email that
>> fails on SPF and only happen on google report's.
>>
>>
>>
>>
>>
>> Best Regards,
>>
>> Daniel Brito
>>
>>
>>
>> On Mon, Sep 15, 2014 at 7:00 PM, João Oliveirinha <
>> dmarc-discuss at dmarc.org> wrote:
>>
>> I am also seeing some problems with SPF verification by google servers
>> recently.
>>
>>
>>
>> The majority of cases are "fail" spf responses, but some are
>> "permerror"s. Which is strange. I haven't changed my dns records in some
>> time, and my dns provider is Cloudflare.
>>
>>
>>
>> Either way, this is only ~3% of the emails in the least week, for
>> instance.
>>
>>
>>
>>
>> --
>>
>>
>>
>> [image: Feedzai SA] <http://www.feedzai.com/>
>>
>> *João Oliveirinha* / Senior Data Scientist
>> +351 91 322 43 52/ joao.oliveirinha at feedzai.com (PGP
>> <http://pgp.mit.edu/pks/lookup?op=get&search=0xC0E505208B118765>)
>>
>> *Feedzai SA* Office: +351 211 985 635
>> Edifício Atlantis, Av. João II, Lote 1.06.2.2, 1990-095 Lisboa, Portugal
>> http://www.feedzai.com
>>
>> [image: Linkedin] <http://pt.linkedin.com/in/joliveirinha>
>>
>>
>>
>> On Mon, Sep 15, 2014 at 10:13 PM, Dave Warren via dmarc-discuss <
>> dmarc-discuss at dmarc.org> wrote:
>>
>> On 2014-09-15 13:55, Al Iverson via dmarc-discuss wrote:
>>
>> First thing I would look at is, do all of your DNS servers reliably
>> return the same results? If you have 3-4 DNS servers and one of them
>> doesn't return the right info, this could conceivably cause what you
>> are seeing.
>>
>>
>> One other thought, beyond what Al said... Any chance you've started
>> delivering to Google via IPv6, but your SPF only covers your IPv4 IP space?
>>
>> --
>> Dave Warren
>> http://www.hireahit.com/
>> http://ca.linkedin.com/in/davejwarren
>>
>>
>>
>>
>> _______________________________________________
>> dmarc-discuss mailing list
>> dmarc-discuss at dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>>
>>
>>
>>
>> _______________________________________________
>> dmarc-discuss mailing list
>> dmarc-discuss at dmarc.org
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
>>
>>
>>
>
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss at dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20140918/274a6ec7/attachment-0001.html>


More information about the dmarc-discuss mailing list