SPF failed when using mailgun

disgustipated

I’m trying to track down an issue where a blog im hosting is sending out using mailgun and some messages go to spam. im using ghost cms which sends to mailgun through an api so im confused by what seems to be the mailcow ip showing up in the headers. The email headers seem to indicate the spf is unauthenticated. when i paste the header that went through mailgun into mxtoolbox i get the below which seems to be an internal ip to mailcow postfix, if i send from thunderbird directly with mailcow smtp to gmail and l put the headers in mxtoolbox its showing the appropriate public ip.

Status Problem	SPF Authentication 	SPF Failed for IP - 172.22.1.253

output of network stack from mailcow

docker inspect $(docker ps -q ) --format='{{ printf "%-50s" .Name}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}'
/mailcowdockerized-watchdog-mailcow-1              172.22.1.13
/mailcowdockerized-acme-mailcow-1                  172.22.1.12
/mailcowdockerized-nginx-mailcow-1                 172.22.1.11
/mailcowdockerized-rspamd-mailcow-1                172.22.1.10
/mailcowdockerized-ofelia-mailcow-1                172.22.1.7
/mailcowdockerized-php-fpm-mailcow-1               172.22.1.6
/mailcowdockerized-dovecot-mailcow-1               172.22.1.250
**/mailcowdockerized-postfix-mailcow-1               172.22.1.253**
/mailcowdockerized-mysql-mailcow-1                 172.22.1.5
/mailcowdockerized-postfix-tlspol-mailcow-1        172.22.1.8
/mailcowdockerized-clamd-mailcow-1                 172.22.1.9
/mailcowdockerized-redis-mailcow-1                 172.22.1.249
/mailcowdockerized-memcached-mailcow-1             172.22.1.4
/mailcowdockerized-dockerapi-mailcow-1             172.22.1.3
/mailcowdockerized-unbound-mailcow-1               172.22.1.254
/mailcowdockerized-sogo-mailcow-1                  172.22.1.248
/mailcowdockerized-olefy-mailcow-1                 172.22.1.2

My spf record seems to be correct, but i dont think it should include an internal ip like that
v=spf1 ip4:<mymailserverspublicIP> include:mailgun.org -all

mailcow reports the correct public ip when i do the show ip from the admin dashboard.
dkim passed, and i have mta-sts and dane configured appropriately and checks out on hardenize. not sure what else to look at to understand what happened and how to fix to prevent going to spam folders, or if im on the right track, but it does seem peculiar why the mailgun path is showing the internal ip for mailcow. anyone have any ideas on what to look at or other details i can share?

also note, i tried the mail headers in learndmarc.com and it all passed, not sure why it went to spam and the only thing i can see that failed was the spf in mxtoolbox

disgustipated

another detail i noticed was that this is where the ip is coming from when mailgun sends the email. this is from one of the other domains which i have SNI set up with certs from another source(letsencrypt on my proxy server)

Received: from mail.<<MyMainDomainWhichHasSNISetUp>>.net ([172.22.1.253])
	by 55706f82b5b2 with LMTP
	id eLKvB+7MMWnsqAAAaWwOMA
	(envelope-from <bounce+662245.af7acc-name@sendingdomain.net>)
	for <destination@receiverdomain.net>; Thu, 04 Dec 2025 13:03:26 -0500

the mx record for this sending domain is set up to point to mail.sendingdomain.com and that A record for mail.sendingdomain.com is pointed to the public ip of mailcow. the ptr for that IP is set as my primary domain on mailcow which is referenced above as mail.«MyMainDomainWhichHasSNISetUp».net

ETNyx

Well, if you see your MC IP in mails send through MG, you are not using MG API as you wrote, so if you do not want see your MC IP there, use MG API service. But this is hardly MC issue,.. so you do not want/can use MG API?

disgustipated

Thanks for the reply but they are definitely sent through the api according to the mail header, and I’ve also detailed no problem when sending directly through SMTP. My suspicion is something to do with SNI set up and how something is responding on DNS, but I’m not sure how to diagnose more details.

ETNyx

Well ok,.. can you post full header of message in spam for inspection?

disgustipated

i and mxtoolbox must be interpreting something incorrectly. it seems that when i received the mail, from mailgun, into a different domain which is hosted on the same server of the domain that send the newsletter, the header had the internal ip. when the newsletter was received by gmail it all looked ok, ill go back to my hole lol