554 refused mailfrom because of SPF policy
Sometimes I receive this message from certain recipients. The dnsstuff guy said I'm supposed to "set my SPF policy" so that it says mail may be sent from my domain through a specified mail server" -- something like that. Could someone please tell me what to do? How do I set my SPF policy so that I can send email and it will be accepted? Thanks.

OK, I just found the explanation Joe gave in the Spam forum at:
http://www.hostpc.com/forums/index.php?showtopic=1608#8394
(it's the 7th post -- don't see how to link directly to the post)
Should I do as instructed there? Is that still the recommended procedure? Guess I'll just try it and see.


Originally posted by Joe@Nov 25 2004, 09:08 AM
I've found another way to do this, that you can actually do yourself.

Log into your control panel, click on DNS management.

You'll see a bunch of records there. Be VERY careful not to touch anything there - one mistake can take your site completely offline. If you're uncomfortable with this, open a ticket, and we'll do it for you.

You'll see things like

Name Type Value
mail A 199.x.x.x

That's an "A" record. you need to create an "A" record for 'test' - with the server ip numbers you see under "value"

so, scroll down, in the "Add Domain Records" field, put in

test then hit TAB - and put in the IP address you see above in your list (different for every server)

and click the ADD button next to it.

You'll then see your list on top like this:

Name Type Value
mail A 199.x.x.x
test A 199.x.x.x

Last step - very important: put a checkmark in the box next to test - and click DELETE SELECTED. Yes, you're going to delete the same record you just created. ONLY click ONE box - next to TEST... if you delete others, there's gonna be problems.

This procedure will cause your DNS files to be updated to the latest configuration known to work:

domain.com. IN TXT "v=spf1 a mx ip4:199.237.51.29 ~all"

obviously, the IP address will be different depending on your server.


Hope that helps.

Joe

Quoted post

Am trying to fix it from the ground up.

Currently, the spf record is (according to dnsreport.com):
"v=spf1 -all" [TTL=14400] or TXT IN 14400 "v=spf1 -all"

Then looked up the IPs of my smtp mailserver.
Now I need to figure how to add them to the record.

Am using the wizard at http://www.openspf.org/
It looks like I also need to include the mail server at hostpc. I use majordomo to send mail to lists, and forms send mail to me. Would that be the A Record? or the MX Records? Looks like both.

OK, got something close. Looks like I need to open a support ticket for you to add it to the zone file. Thanks in advance.

Still working on it.
Update:
1. Can't "include:" my ISP's spf record because they apparently stopped publishing one. So it sounds like that means I need the IPs of their mailservers.

2. Tried to see if I can send through my domain here instead of the ISP because then I'd know what my mailservers are. Can't because my ISP (earthlink) blocks port 25. It was fun learning how to Telnet though -- haven't played with DOS for years (since '95).

3. Learned that the smtp server I use in my email program is not necessarily the same as the ISP's outgoing mailservers. Told I should ask my ISP. My ISP is Earthlink. Contacted customer support and the person had no clue what I was talking about -- they kept wanting to know what email program I use so they could tell me how to set it up.

4. So now I have to guess the IPs, apparently. Studied some emails sent to myself from me over last couple of months and the range of IPs is fairly small. It might be safe to use a range of 9 IPs. Waiting for responses on question regarding how best to guess the IPs.

Originally posted by Mikester+Dec 1 2005, 03:57 PM--><div class='quotetop'>QUOTE(Mikester @ Dec 1 2005, 03:57 PM)</div><div class='quotemain'><!--QuoteBegin-D9r@Nov 30 2005, 02:54 PM
Now I'll go see if Earthlink will tell me what their outgoing mailservers are -- I was told somewhere that they may not want to.

Quoted post
http://kb.earthlink.net/case.asp?article=28968 says
SMTP Server: smtpauth.earthlink.net
* SMTP Authentication Username:Your Email Address
* SMTP Authentication Password:Your Email Password

Quoted post
[/b][/quote]
'smtpauth.earthlink.net' is not the outgoing mailserver. It doesn't send mail from Earthlink; it accepts mail from me that I am sending; it then passes it on to other servers that do the actual sending. It's the IPs of those that need to be in SPF Records.

Someone else explained it so well that I'll quote him:
Alex van den Bogaerdt wrote:

1.) What are the ISP's mailservers (for listing the IPs)? Is it the name of the server that I use as the outgoing server (smtp) in my email program (smtp.ispexample.net)? Or should I look up the mailservers by doing a DNSreport on the ISP's main domain (ispexample.net) and use the list that it generates (mx1.ispexample.net, mx2.ispexample.net, etc).

ispexample.net is an existing domain. I will not use that as an example.

Mail flows from your fingers via your keyboard into a computer, it is transfered to another, again to another, etc. Eventually there is a step where your mail is transfered from something influenced by you (such as your provider) to something influenced by someone else (such as this mailing list). That point is what is important for SPF.

If you submit to smtp.isp.example.net and if smtp.isp.example.net submits to this list, then yes: that's the one.

But if you submit to smtp.isp.example.net, smtp.isp.example.net delivers to viruscontrol.isp.example.net, viruscontrol to outmx.isp.example.net and that last one delivers to this list, the answer is no (and you should be listing "outmx.isp.example.net" instead).

As you can see, you listing smtp.isp.example.net in your email client is not a useful thing to know. The setup at your ISP is. That's why it is preferable to use the include mechanism _if_available_ because then the people with knowledge about their setup (your ISP) maintain that portion of your SPF record.