Should DNS check show SPF with green checkmark if correct?

wbreau

I recently discovered that mail from my domains to gmail are going to spam. When I found this I set out to try to ensure everything was configured correctly in mailcow and also in my DNS records for SPF, DMARC, and DKIM. When I run the DNS check for any of my four domains, the DKIM always shows a green checkmark, but the SPF and DMARC show the links to “SPF Record Syntax” and “DMARC Assistant”. When I check those records using MX Toolbox they look correct. Should the SPF and DMARC show green checkmarks in the Mailcow DNS check tool if they are correct?

DocFraggle

wbreau Should the SPF and DMARC show green checkmarks in the Mailcow DNS check tool if they are correct?

No, this is the normal behavior…

mlcwuser

wbreau Should the SPF and DMARC show green checkmarks in the Mailcow DNS check tool if they are correct?

No, this is working as intended.

Instead of a green checkmark, the actual DNS record is displayed because there is no one correct way to set these records, but rather several options that you can set to define specific policies.

The SPF record is used to specify which mail servers are authorized to send mail on behalf of the domain and how to deal with unauthorized senders. The DMARC record defines how servers should handle emails that fail SPF and DKIM checks: reject them, quarantine them, or do nothing.

Here’s a more detailed explenation:
https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/

Cisco30

DocFraggle No, this is the normal behavior…

it’s weird, I have a green check mark on my SPF

on the other hand I don’t have a green checkmark on the DMARC

mlcwuser

Cisco30

Good question actually. I use "v=spf1 mx -all", instead of "v=spf1 a mx -all", which is a correct syntax according to open-spf.org, and I don’t get a green checkmark.

However, my record seems to be working fine according to the DMARC reports I get, and mxtoolbox also thinks it’s fine, so I guess it’s just the check that’s missing something. Maybe because it can’t find an AAAA record since I’m not using IPv6?

esackbauer

This DNS test provided by mailcow is just a simple guidance. Of course it would not cover all possibilities or special scenarios.
This is why they link 4 references right at the top of mailcow’s DNS documentation which one should read and understand.

DocFraggle

I just had a look at the script, it only shows the green check mark if both your IPv4 address and IPv6 address are included in your SPF entry. As I used the subnet mask as well this check fails 😃

mailcow/mailcow-dockerizedblob/master/data/web/inc/ajax/dns_diagnostics.php#L355-L357

But I wonder why it’s shown in @Cisco30 ’s case

Cisco30

DocFraggle
I use IPv4 and IPv6, according to your explanation it’s normal that I have a green checkmark.

mlcwuser

DocFraggle

Not an expert, but maybe because he uses the The “a” mechanism ?

The “a” mechanism (edit)

a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>

All the A records for domain are tested. If the client IP is found among them, this mechanism matches. If the connection is made over IPv6, then an AAAA lookup is performed instead.

DocFraggle

mlcwuser Sure, that’s valid syntax, but the PHP script expplicitly checks for the IPv4 and IPv6 address in the SPF record. But I didn’t look through the whole script though

mlcwuser

DocFraggle Sure, that’s valid syntax, but the PHP script expplicitly checks for the IPv4 and IPv6 address in the SPF record.

I looked at it too in the meantime, and I’m not a dev and only understand PHP rudimentary, so I could be compoletely wrong about all this. ;-)

To me It looks like it does more than just check whether there’s an actual IP address in the record. There’s actually at least some magic happening in the data/web/inc/spf.inc.php script, which as far as I understand it does actual lookups based on the mechanics used in the record and then creates an array of IP addresses, which it then compares to the IPs of the server here:

if (in_array($ip, $rslt) && in_array(expand_ipv6($ip6), $rslt)) {
              $state = state_good;
            }

So, yes, it seems that you actually need both IPv4 and IPv6 enabled to get that check mark, if I understand the `&&' in the above statement correctly, but you don’t necessarily need actual IP addresses written out in the record.

wbreau

Thank you, everyone! That definitely makes sense that SPF could be configured differently and the script wouldn’t know what was correct for an individual setup. That answers my question. I do understand SPF syntax, or at least I think I do, which is one reason I was concerned that it showed a ? and not a checkmark, no matter what I did to change it, even though every external SPF check I tried said it was valid. I greatly appreciate everyone’s input.