SPF Fail - and too many DNS lookups

Britt Malka

Hi,
I've struggled with the SPF for a long time. Too many of my sent emails bounce, and when I get the DMARC reports, they show that the SPF fails.

If I only send with SparkPost, I use the following:

Code:
v=spf1 mx a include:sparkpostmail.com ~all

Then there aren't too many DNS lookups.

But if I add HostGator's sending domain, I run into "too many DNS lookups". The code line looks like this:

Code:
v=spf1 mx a include:websitewelcome.com include:sparkpostmail.com ~all

To begin with, I sent with several SMTP services, which made it totally impossible to use SPF. Luckily, it turned out that Elasticemail didn't allow affiliate marketing, so I closed my account there.

But how do you handle the SPF? How can I avoid so many bouncing emails and failed SPF?
 
Which IPs do you really need? Once you have it boiled down, it is just a matter of notation.
Check if your MX and A are the same and/or already included in the other ranges; if so, skip those two (saves two lookups), or reduce to one if they are one and the same, and include it as an IP (so replace "YourIPaddress" down there with the real IP) to avoid lookups.
Then try e.g.
v=spf1 ip4:YourIPaddress include:spf.websitewelcome.com include:spf1.websitewelcome.com include:sparkpostmail.com ~all
since 'websitewelcome.com' includes a lot of Google SPF ranges that you might not need.
Again, the above is just an example; scoop out exactly what you need and then test it :)
 
Thank you for your reply.

I once found a place where I could check what those addresses really corresponded to, but I can't find it again. Why did you take spf and spf1.websitewelcome.com for example? Were they just some you guessed, or do you know how to drill down to the root of the included addresses?

Same question about MX and A - how do I know if I need them or not?
 
Not sure what to make of your answer.

> I once found a place where I could check what those addresses really corresponded to, but I can't find it again.
Just dig it out of the DNS text records ;)

> Why did you take spf and spf1.websitewelcome.com for example?
Perhaps take a moment to thoroughly read my previous post.

> Were they just some you guessed
No, see prev post, which explained it.

> do you know how to drill down to the root of the included addresses?
Yes, see above.

> Same question about MX and A - how do I know if I need them or not?
Explained in prev post.

After you go thoroughly through above and prev post, feel free to come back with specific questions.
 
I had already read your post at least three times. Now I've read it three times more.

I still don't understand what you mean. It might be obvious to you, but to me it's not. One example:

> Just dig it out of the dns text records

What do you mean by "dig it out"? Remove it? Or find it by using some skill I don't have by looking at the txt record? Perhaps "dig it out" is some kind of programmer jargon that programmers understand, but I don't. I have long hair, but I'm no programmer. Is that it?

Anyway, thanks for spending time writing to me. By the way, don't assume that because I don't understand what you're writing, I haven't read what you've written. Many times even. I still don't understand it.
 
Thank you.

So "dig" is a Linux command. I found out after reading articles following your link. It only took me 30 minutes to figure that out.

I don't have Linux, but I assume SSL or something (not sure of the acronym) could do it, but we don't have that.

One article did a good job of explaining SPF and the other things. It recommended that I send a test email to Gmail, which I did, and my SPF passed, both for the private email I sent, and for bulk email through MailWizz and Sparkpostmail.

So perhaps I should just stay happy with the 6% bounces I have, even though I know these people exist and their emails are valid, and I will have to add them back to my list manually when they are kicked off.

> My head hair is a bit shorter, but I am no programmer either!?! :p

I wouldn't know, because you're not showing your face, are you? :P
 
> So "dig" is a Linux command. I found out after reading articles following your link. It only took me 30 minutes to figure that out.
try google more
https://www.google.co.uk/search?q=get+dns+txt+record

once you find the record for what you had (websitewelcome.com), you will see the others, then search those too, and you will see

> I don't have Linux, but I assume SSL or something (not sure of the acronym) could do it, but we don't have that.
you can also search from within Windows or from a Mac terminal

> So perhaps I should just stay happy with the 6% bounces I have, even though I know these people exist and their emails are valid, and I will have to add them back to my list manually when they are kicked off.
no, keep at it, just ask specific questions, here or google, and then put the info together
(the reason why there is no direct ready-made answer is that I do not have all the data (even though I could assume something), but also privacy, so feel free to PM the data to get the simplified SPF record)

> I wouldn't know, because you're not showing your face, are you? :p
beautiful faces can be misleading, facts stand the test of time

:)
 
This error is not as bad as it sounds and in my experience will not affect delivery. It's a technical limitation built into SPF. If you're mailing from a dedicated IP, the easy alternative would be to hard code your IP address like:

v=spf1 mx a ip4:192.168.0.1 ~all

If it's not a dedicated IP, you may be coming from a range, in which case you can make it:

v=spf1 ip4:192.168.0.1/16 ~all

which would allow any IP address between 192.168.0.1 and 192.168.255.255.

The easiest place to find your IP is to send yourself some messages at Gmail. When you receive them, open the message, and click Show Original from the options. In there, you'll see a few IP addresses, but you're looking for the one in a statement like:

Received: from smtp-soi-g13-137.aweber.com (smtp-soi-g13-137.aweber.com. [204.194.223.137])

Send yourself a few tests and see if that IP changes. If it does, include the others individually. You can include as many IP addresses as you want in an SPF record. It's the domain lookups (specifically, the additional lookups at sparkpostmail) that it's objecting to here.

www.MxToolbox.com is a very good resource in the authentication arena.
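
The lookup arithmetic behind the replies above (swap `mx`/`a` for `ip4:`, include only the sub-records you need, IP entries are free), as an added example that is not part of any post in this thread. The zone data is constructed and every domain name in it is hypothetical; it counts the worst case, where no mechanism matches early, against the limit of 10 in RFC 7208 section 4.6.4.

```python
import re

# Constructed TXT data standing in for live DNS answers; every name is hypothetical.
ZONE = {
    "example.com": "v=spf1 mx a include:hosting.example include:esp.example ~all",
    "hosting.example": "v=spf1 include:spf.hosting.example "
                       "include:spf1.hosting.example include:_spf.bigmail.example ~all",
    "spf.hosting.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf1.hosting.example": "v=spf1 ip4:203.0.113.0/25 ~all",
    "_spf.bigmail.example": "v=spf1 include:_nb1.bigmail.example "
                            "include:_nb2.bigmail.example include:_nb3.bigmail.example ~all",
    "_nb1.bigmail.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "_nb2.bigmail.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "_nb3.bigmail.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "esp.example": "v=spf1 include:_a.esp.example include:_b.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:203.0.113.128/26 ~all",
    "_b.esp.example": "v=spf1 ip4:203.0.113.192/26 ~all",
}

# Terms that make the receiver query DNS; ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10  # RFC 7208 section 4.6.4

def count_lookups(domain, record=None, path=()):
    """Worst-case number of DNS-querying SPF terms reached from domain's record."""
    if domain in path:
        raise ValueError("include loop at " + domain)
    record = ZONE[domain] if record is None else record
    total = 0
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        m = re.match(r"([A-Za-z0-9]+)(?:[:=]([^/\s]+))?", term.lstrip("+-~?"))
        name, target = m.group(1).lower(), m.group(2)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):  # nested records count too
            total += count_lookups(target, path=path + (domain,))
    return total

# Same senders, rewritten as the reply suggests: literal IP instead of mx/a,
# and only the hosting sub-records that are actually needed.
TRIMMED = ("v=spf1 ip4:192.0.2.10 include:spf.hosting.example "
           "include:spf1.hosting.example include:esp.example ~all")

if __name__ == "__main__":
    for label, rec in (("original", None), ("trimmed", TRIMMED)):
        n = count_lookups("example.com", rec)
        print(label, n, "ok" if n <= LIMIT else "permerror: too many DNS lookups")
```

To run it against a real domain, replace `ZONE` with the TXT answers you get from a DNS lookup tool for each `include:` target.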
 