
Email transport has bad DNS and is getting flagged as spam

Trixter

After the forum upgrade -- and I'm assuming it was also a server move, as you'll see shortly -- email sent from the forum is getting flagged as spam because DNS isn't set up properly somewhere in the chain. I'm seeing this in my spamassassin headers now:

Code:
0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
2.7 MAY_BE_FORGED Relay IP's reverse DNS does not resolve to IP

Relevant headers:

Code:
Received: from vintage-computer.com (unknown [104.192.220.12])
...
Received: from ec2-54-236-142-0.compute-1.amazonaws.com ([54.236.142.0]:45844 helo=www.vcfed.org)
        by h501.cpanellogin.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.94)
        (envelope-from <erik@vcfed.org>)

I have since set up filters on my end to attempt to handle vcfed emails before junk classification, but this is not proper RFC/SPF/DNS behavior and should be addressed. I had to look into this because all email from vcfed stopped arriving once the forum upgrade occurred.
 
I confirm email received from this forum is failing the SPF check.

My logs:
Code:
Apr 19 23:20:42 gran postfix/policy-spf[1611]: : SPF SoftFail (Mechanism '~all' matched): HELO/EHLO: vintage-computer.com
Apr 19 23:20:42 gran postfix/policy-spf[1611]: handler sender_policy_framework: is decisive.
Apr 19 23:20:42 gran postfix/policy-spf[1611]: : Policy action=REJECT SPF check returned softfail, so the message is flagged as SPAM.
Apr 19 23:20:42 gran postfix/smtpd[1608]: NOQUEUE: reject: RCPT from unknown[104.192.220.12]: 554 5.7.1 <XXXXXX@YYYYYYY.com>: Recipient address rejected: SPF check returned softfail, so the message is flagged as SPAM.; from=<erik@vcfed.org> to=<XXXXXX@YYYYYYY.com> proto=ESMTP helo=<vintage-computer.com>

My checks:
Code:
$ date
Tue Apr 20 00:20:10 CEST 2021
$
$ host -t txt vcfed.org
vcfed.org descriptive text "v=spf1 +a +mx +ip4:104.192.220.11 +ip4:162.208.84.230 +ip4:162.208.84.200 +ip4:162.208.84.225 +ip4:199.193.246.42 \010+ip4:54.236.142.0 ~all"
vcfed.org descriptive text "google-site-verification=qRcluePHVV-N3plobNBfjGtJ_y0tMZJ3YIJMrqKZv3k"
$
$ spfquery --mfrom erik@vcfed.org --ip 104.192.220.12
permerror
vcfed.org: Junk encountered in record 'v=spf1 +a +mx +ip4:104.192.220.11 +ip4:162.208.84.230 +ip4:162.208.84.200 +ip4:162.208.84.225 +ip4:199.193.246.42
+ip4:54.236.142.0 ~all'
Received-SPF: permerror (vcfed.org: Junk encountered in record 'v=spf1 +a +mx +ip4:104.192.220.11 +ip4:162.208.84.230 +ip4:162.208.84.200 +ip4:162.208.84.225 +ip4:199.193.246.42
+ip4:54.236.142.0 ~all') receiver=gran.YYYYYYY.com; identity=mfrom; envelope-from="erik@vcfed.org"; client-ip=104.192.220.12
$
$ host -t txt vintage-computer.com
vintage-computer.com descriptive text "v=spf1 +a +mx +ip4:68.66.224.57 include:spf.a2hosting.com ~all"
$
$ spfquery --helo vintage-computer.com --ip 104.192.220.12
softfail
vintage-computer.com: Sender is not authorized by default to use 'vintage-computer.com' in 'helo' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)
Received-SPF: softfail (vintage-computer.com: Sender is not authorized by default to use 'vintage-computer.com' in 'helo' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=gran.YYYYYYY.com; identity=helo; helo=vintage-computer.com; client-ip=104.192.220.12

What is going on? The SPF record for domain "vcfed.org" has the junk code "\010" in it, so it fails with a "permanent error", therefore the SPF check is then done against the domain in the HELO/EHLO ("vintage-computer.com") of the SMTP transaction, and that check gets a "SoftFail" result.

Solution: The SPF record for "vcfed.org" should get cleaned up, and the SPF record for "vintage-computer.com" should include the IP of the new hosting (104.192.220.12 in my example, or a range of IPs if needed, or the SPF "include" for the hosting provider, etc.).
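
An offline check of the two TXT records quoted in this thread, as an added example that is not part of either post. It decodes the `\DDD` decimal escapes that `host` prints, flags non-printable characters (the condition behind the "Junk encountered" permerror above), and evaluates only the `ip4` and `all` mechanisms; treating `a`, `mx` and `include` as no match is an assumption made so it runs without DNS, and the function names are hypothetical.

```python
import ipaddress
import re

# TXT records copied from the `host -t txt` output quoted in this thread.
VCFED_TXT = (r"v=spf1 +a +mx +ip4:104.192.220.11 +ip4:162.208.84.230 "
             r"+ip4:162.208.84.200 +ip4:162.208.84.225 +ip4:199.193.246.42 "
             r"\010+ip4:54.236.142.0 ~all")
HELO_TXT = "v=spf1 +a +mx +ip4:68.66.224.57 include:spf.a2hosting.com ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def decode_txt(presentation: str) -> str:
    """Decode DNS presentation escapes: \\DDD is a decimal byte (\\010 = LF)."""
    return re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1))), presentation)

def junk_chars(record: str) -> list:
    """Return (offset, repr) for each character outside printable ASCII."""
    return [(i, repr(c)) for i, c in enumerate(record)
            if not 0x20 <= ord(c) <= 0x7E]

def check_spf(record: str, client_ip: str) -> str:
    """Evaluate ip4/all mechanisms only; a, mx, include count as no match."""
    if junk_chars(record):
        return "permerror"          # a malformed record is a permanent error
    terms = record.split(" ")
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in filter(None, terms[1:]):
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"

if __name__ == "__main__":
    raw = decode_txt(VCFED_TXT)
    print("junk:", junk_chars(raw))
    print("vcfed.org as published:", check_spf(raw, "104.192.220.12"))
    cleaned = raw.replace("\n", "")
    print("vcfed.org cleaned:", check_spf(cleaned, "104.192.220.12"))
    print("helo record:", check_spf(HELO_TXT, "104.192.220.12"))
```

With the stray byte removed, 104.192.220.12 still falls through to `~all` on the `ip4` entries alone, which is why the sending address also has to be authorized in the record.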
 