Should DNS check show SPF with green checkmark if correct?

I recently discovered that mail from my domains to gmail are going to spam. When I found this I set out to try to ensure everything was configured correctly in mailcow and also in my DNS records for SPF, DMARC, and DKIM. When I run the DNS check for any of my four domains, the DKIM always shows a green checkmark, but the SPF and DMARC show the links to “SPF Record Syntax” and “DMARC Assistant”. When I check those records using MX Toolbox they look correct. Should the SPF and DMARC show green checkmarks in the Mailcow DNS check tool if they are correct?

    wbreau Should the SPF and DMARC show green checkmarks in the Mailcow DNS check tool if they are correct?

    No, this is the normal behavior…


      wbreau Should the SPF and DMARC show green checkmarks in the Mailcow DNS check tool if they are correct?

      No, this is working as intended.

      Instead of a green checkmark, the actual DNS record is displayed because there is no one correct way to set these records, but rather several options that you can set to define specific policies.

      The SPF record is used to specify which mail servers are authorized to send mail on behalf of the domain and how to deal with unauthorized senders. The DMARC record defines how servers should handle emails that fail SPF and DKIM checks: reject them, quarantine them, or do nothing.

      Here’s a more detailed explanation:
      https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/

      DocFraggle No, this is the normal behavior…

      It’s weird, I have a green checkmark on my SPF.

      On the other hand, I don’t have a green checkmark on the DMARC.

        Cisco30

        Good question actually. I use "v=spf1 mx -all", instead of "v=spf1 a mx -all", which is a correct syntax according to open-spf.org, and I don’t get a green checkmark.

        However, my record seems to be working fine according to the DMARC reports I get, and mxtoolbox also thinks it’s fine, so I guess it’s just the check that’s missing something. Maybe because it can’t find an AAAA record since I’m not using IPv6?

        This DNS test provided by mailcow is just a simple guidance. Of course it would not cover all possibilities or special scenarios.
        This is why they link 4 references right at the top of mailcow’s DNS documentation which one should read and understand.

        DocFraggle
        I use IPv4 and IPv6, according to your explanation it’s normal that I have a green checkmark.

        DocFraggle

        Not an expert, but maybe because he uses the “a” mechanism?

        The “a” mechanism

        a
        a/<prefix-length>
        a:<domain>
        a:<domain>/<prefix-length>

        All the A records for domain are tested. If the client IP is found among them, this mechanism matches. If the connection is made over IPv6, then an AAAA lookup is performed instead.

          mlcwuser Sure, that’s valid syntax, but the PHP script explicitly checks for the IPv4 and IPv6 address in the SPF record. But I didn’t look through the whole script, though.

            DocFraggle Sure, that’s valid syntax, but the PHP script explicitly checks for the IPv4 and IPv6 address in the SPF record.

            I looked at it too in the meantime, and I’m not a dev and only have a rudimentary understanding of PHP, so I could be completely wrong about all this. ;-)

            To me it looks like it does more than just check whether there’s an actual IP address in the record. There’s actually at least some magic happening in the data/web/inc/spf.inc.php script, which as far as I understand it does actual lookups based on the mechanisms used in the record and then creates an array of IP addresses, which it then compares to the IPs of the server here (mailcow-dockerized/data/web/inc/ajax/dns_diagnostics.php at 36b5cccd186090d726de62b6b00d1e842e67aacd · mailcow/mailcow-dockerized):

            if (in_array($ip, $rslt) && in_array(expand_ipv6($ip6), $rslt)) {
              $state = state_good;
            }

            So, yes, it seems that you actually need both IPv4 and IPv6 enabled to get that checkmark, if I understand the `&&` in the above statement correctly, but you don’t necessarily need actual IP addresses written out in the record.
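The following is an added example, not code from this thread and not mailcow's own spf.inc.php or dns_diagnostics.php. It models the two things discussed above: the "a"/"mx" mechanism expansion quoted from the SPF spec (A records, or AAAA for IPv6, plus the `/<prefix-length>` form) and the reading of the quoted `&&` line, under which the result is only "good" when both the server's IPv4 and IPv6 addresses are covered. The DNS table, the domain names and the server addresses are all constructed for the example; the dual-CIDR (`/24//64`) handling and the treatment of unsupported mechanisms are this example's own choices, not something the thread says the mailcow script does.

```python
import ipaddress

# Constructed DNS data for the example (no real lookups are made).
# Keys are (owner name, record type); values are the records returned.
FAKE_DNS = {
    ("example.test", "MX"): ["mail.example.test"],
    ("example.test", "A"): ["192.0.2.10"],
    ("example.test", "AAAA"): [],                  # apex has no AAAA record
    ("mail.example.test", "A"): ["192.0.2.10"],
    ("mail.example.test", "AAAA"): ["2001:db8::10"],
    ("ipv4only.test", "MX"): ["mx.ipv4only.test"],
    ("mx.ipv4only.test", "A"): ["198.51.100.5"],   # IPv4-only mail host, no AAAA
}


def lookup(name, rrtype, dns):
    """Return the records of the given type for name from the constructed table."""
    return dns.get((name.lower(), rrtype), [])


def _split_cidr(spec):
    """Split 'name/24//64' into (name, 24, 64); defaults are /32 and //128."""
    v4len, v6len = 32, 128
    if "//" in spec:
        spec, v6 = spec.split("//", 1)
        v6len = int(v6)
    if "/" in spec:
        spec, v4 = spec.split("/", 1)
        v4len = int(v4)
    return spec, v4len, v6len


def _host_networks(host, v4len, v6len, dns):
    """A and AAAA records of host, widened to the given prefix lengths."""
    nets = set()
    for addr in lookup(host, "A", dns):
        nets.add(ipaddress.ip_network(f"{addr}/{v4len}", strict=False))
    for addr in lookup(host, "AAAA", dns):
        nets.add(ipaddress.ip_network(f"{addr}/{v6len}", strict=False))
    return nets


def spf_allowed_networks(domain, record, dns=FAKE_DNS):
    """Expand the a, mx, ip4 and ip6 mechanisms of an SPF record into networks.

    Returns (networks, unsupported_terms). include, exists, ptr, redirect and
    exp are reported as unsupported rather than silently ignored.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    nets, unsupported = set(), set()
    for term in terms[1:]:
        mech = term.lstrip("+-~?").lower()   # drop the qualifier; we only collect IPs
        if mech == "all":
            continue
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg, strict=False))
            continue
        base, v4len, v6len = _split_cidr(name)   # handles the "a/24//64" form
        if base not in ("a", "mx"):
            unsupported.add(base)
            continue
        target = domain
        if arg:
            target, v4len, v6len = _split_cidr(arg)   # "a:host/24" form
        hosts = [target] if base == "a" else lookup(target, "MX", dns)
        for host in hosts:
            nets |= _host_networks(host, v4len, v6len, dns)
    return nets, unsupported


def diagnose(domain, record, server_ip4, server_ip6, dns=FAKE_DNS):
    """Mirror the reading of the quoted `&&` line: the result is "good" only when
    the server's IPv4 AND IPv6 addresses are both covered by the record."""
    nets, unsupported = spf_allowed_networks(domain, record, dns)

    def covered(ip):
        if ip is None:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)   # False across IP versions

    v4_ok, v6_ok = covered(server_ip4), covered(server_ip6)
    return {
        "state": "good" if v4_ok and v6_ok else "unknown",
        "ipv4_covered": v4_ok,
        "ipv6_covered": v6_ok,
        "unsupported": sorted(unsupported),
    }


if __name__ == "__main__":
    # Dual-stack host with "v=spf1 mx -all": both addresses resolve, so "good".
    print(diagnose("example.test", "v=spf1 mx -all", "192.0.2.10", "2001:db8::10"))
    # IPv4-only host with the same valid record: nothing to match for IPv6.
    print(diagnose("ipv4only.test", "v=spf1 mx -all", "198.51.100.5", None))
```

The second call is the situation described in the thread: a syntactically valid `v=spf1 mx -all` that external checkers accept, but which cannot satisfy a check that also requires an IPv6 match when the host has no AAAA record. The returned dictionary says which half is missing, which is the detail a plain "good"/"unknown" state hides.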

            Thank you, everyone! That definitely makes sense that SPF could be configured differently and the script wouldn’t know what was correct for an individual setup. That answers my question. I do understand SPF syntax, or at least I think I do, which is one reason I was concerned that it showed a ? and not a checkmark, no matter what I did to change it, even though every external SPF check I tried said it was valid. I greatly appreciate everyone’s input.
