Mail Reception Issues

First, some background: Sender Policy Framework (SPF) is a framework that allows a domain to specify which mail servers its mail may legitimately originate from. These are encoded in a DNS TXT record.

Systemd is a super daemon that replaces init and xinetd, and is also part of the DNS service. Like most Poettering projects, it kind of works some of the time. It fails with some TXT records, breaking SPF.

Here is an example of retrieving a TXT record using nslookup with systemd-resolved:

> set type=txt
> wholefoods.com
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
;; Connection to 127.0.0.53#53(127.0.0.53) for wholefoods.com failed: connection refused.

To fix this problem, I have disabled the systemd resolver and gone back to using bind, the standard DNS resolver, as a caching server. Now the results:

> set type=txt
> wholefoods.com
;; Truncated, retrying in TCP mode.
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
wholefoods.com text = "globalsign-domain-verification=MT3LmRzGYPgORWLlSBkPpAUpBDH9kl8xxYmB6FjtjY"
wholefoods.com text = "MS=ms90241053"
wholefoods.com text = "v=spf1 mx ip4:67.199.115.110 ip4:64.132.0.4 ip4:67.199.120.97 ip4:63.241.240.25 include:amazonses.com include:spf.protection.outlook.com include:_spf.q4press.com -all"
wholefoods.com text = "GxIV1cqmXdB1Jl1Qd1LgJyBAd8k4QEnQL4LZpSZS+yu/noX6ra5XpJepHvcohGGfvfnrn9N3bukOSw71brafNA=="
wholefoods.com text = "globalsign-domain-verification=pyR6ci6IB7uVAxLPZN5Z7_imdnvGJLhXCcmfs8v5RP"
wholefoods.com text = "adobe-idp-site-verification=ffdbe896-53c0-4f83-ad01-0ec20ef0833d"

This should correct the problem of mail being rejected with an SPF failure even though it arrived from a legitimate SPF-specified server.
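
Both transcripts show "Truncated, retrying in TCP mode", so the SPF lookup only succeeds if the local resolver accepts the TCP retry. The following added example, not part of the original post, estimates the wire size of the TXT answer shown above and extracts the SPF policy from it. It assumes plain DNS over UDP with the 512-byte limit (no EDNS0) and name compression; the function names are illustrative.

```python
# Added example: the six TXT strings are copied from the nslookup output above.
TXT_RECORDS = [
    "globalsign-domain-verification=MT3LmRzGYPgORWLlSBkPpAUpBDH9kl8xxYmB6FjtjY",
    "MS=ms90241053",
    "v=spf1 mx ip4:67.199.115.110 ip4:64.132.0.4 ip4:67.199.120.97 "
    "ip4:63.241.240.25 include:amazonses.com "
    "include:spf.protection.outlook.com include:_spf.q4press.com -all",
    "GxIV1cqmXdB1Jl1Qd1LgJyBAd8k4QEnQL4LZpSZS+yu/noX6ra5XpJepHvcohGGfvfnrn9N3bukOSw71brafNA==",
    "globalsign-domain-verification=pyR6ci6IB7uVAxLPZN5Z7_imdnvGJLhXCcmfs8v5RP",
    "adobe-idp-site-verification=ffdbe896-53c0-4f83-ad01-0ec20ef0833d",
]
QNAME = "wholefoods.com"
UDP_LIMIT = 512  # assumption: plain DNS over UDP, no EDNS0 (RFC 1035 limit)


def txt_rdata_len(text):
    """TXT RDATA is one or more character-strings: 1 length byte + up to 255 bytes."""
    n = len(text.encode("ascii"))
    return n + max(1, -(-n // 255))


def response_size(qname, records):
    """Estimated wire size of the full TXT answer, assuming name compression."""
    header = 12
    question = (len(qname) + 2) + 4  # encoded name + QTYPE + QCLASS
    # Per record: 2-byte name pointer, TYPE, CLASS, TTL, RDLENGTH, then RDATA.
    answers = sum(2 + 2 + 2 + 4 + 2 + txt_rdata_len(r) for r in records)
    return header + question + answers


def needs_tcp(qname, records, limit=UDP_LIMIT):
    """True when the answer cannot fit in one UDP reply and must be retried over TCP."""
    return response_size(qname, records) > limit


def spf_record(records):
    """Return the single SPF policy in a TXT RRset; zero or several is an error."""
    found = [r for r in records if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(found) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(found)}")
    return found[0]


if __name__ == "__main__":
    size = response_size(QNAME, TXT_RECORDS)
    print(f"estimated answer size: {size} bytes, TCP needed: {needs_tcp(QNAME, TXT_RECORDS)}")
    print("SPF terms:", spf_record(TXT_RECORDS).split()[1:])
```

The SPF record alone would fit in a UDP reply; it is the unrelated verification records published at the same name that push the answer past the limit.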
