Overview
You may be experiencing issues with Sender Policy Framework (SPF) verification in Kerio Connect: despite correctly configured DNS and server settings, verification fails intermittently and recipient servers incorrectly reject your outbound emails.
Solution
The issue was found to happen with a very specific SPF configuration, namely using the `a:` mechanism followed by the domain names that you wish to allow, in conjunction with multiple IP addresses being used for the sending servers. We will use the Google domain as a proof of concept:
v=spf1 mx a:google.com -all
When using `a:` (A record with a specific hardcoded domain) in SPF records, both the forward (A record) and reverse (PTR record) DNS lookups need to match. Each of the sending IPs needs to have a PTR record that resolves back to google.com.
If even one of the IPs listed in the A record is missing the PTR record that maps it back to the domain in question, email delivery from that IP will fail.
Therefore, if you are facing such an issue, you have 2 options:
- Add an `ip4:` mechanism to explicitly allow these IPs in your SPF record. For example:
  v=spf1 mx ip4:172.253.63.100 ip4:172.253.63.101 ip4:172.253.63.102 ip4:172.253.63.113 ip4:172.253.63.138 ip4:172.253.63.139 -all
  Note: This option is more straightforward but requires manual updates if IPs change.
- Verify or fix the reverse DNS entries for these IPs to ensure they properly resolve back to their respective hostnames. This is the preferred method; you can review Essential DNS Records for Mail Delivery and Spam Protection in Kerio Connect.
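The following is an added example, not part of the original article or of Kerio Connect: a small audit that finds which IPs behind an `a:` mechanism lack a matching PTR record, and that builds the `ip4:` record from option 1. The host name `mail.example.com`, the 192.0.2.x addresses and the helper names are constructed for illustration, and "matching" is assumed to mean that the PTR name equals the domain named in the `a:` term.

```python
import socket

# Constructed sample data (documentation addresses, not real DNS answers).
SAMPLE_SPF = "v=spf1 mx a:mail.example.com -all"
SAMPLE_A = {"mail.example.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"]}
SAMPLE_PTR = {"192.0.2.10": "mail.example.com", "192.0.2.11": "mail.example.com."}

def live_forward(name):
    """A-record lookup through the system resolver."""
    return socket.gethostbyname_ex(name)[2]

def live_reverse(ip):
    """PTR lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def split_a(term):
    """Return (qualifier, domain) for an a:<domain> term, else None."""
    bare = term.lstrip("+-~?")
    if not bare.lower().startswith("a:"):
        return None
    return term[:len(term) - len(bare)], bare[2:].split("/")[0]

def audit(spf, forward=live_forward, reverse=live_reverse):
    """Map every IP behind an a: mechanism to (ptr_name, matches_domain)."""
    report = {}
    for domain in (p[1] for p in map(split_a, spf.split()) if p):
        for ip in forward(domain):
            ptr = reverse(ip)
            name = (ptr or "").rstrip(".").lower()
            report[ip] = (ptr, name == domain.lower())
    return report

def ip4_fallback(spf, forward=live_forward):
    """Rewrite each a:<domain> term as explicit ip4: terms (option 1)."""
    out = []
    for term in spf.split():
        parsed = split_a(term)
        if parsed:
            out += [f"{parsed[0]}ip4:{ip}" for ip in forward(parsed[1])]
        else:
            out.append(term)
    return " ".join(out)

if __name__ == "__main__":
    for ip, (ptr, ok) in audit(SAMPLE_SPF, SAMPLE_A.__getitem__, SAMPLE_PTR.get).items():
        print(ip, ptr, "OK" if ok else "PTR missing or mismatched")
    print(ip4_fallback(SAMPLE_SPF, SAMPLE_A.__getitem__))
```

Calling `audit()` and `ip4_fallback()` with only the SPF string uses the system resolver instead of the sample tables.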
Summary
SPF verification failures in Kerio Connect can be caused by a reverse DNS (PTR record) issue. This can be resolved by either adding an `ip4:` mechanism to the SPF record or verifying and fixing the reverse DNS entries for the IPs (preferred).
FAQ
- What is a PTR record?
  A PTR record, or Pointer Record, links an IP address to a host name. It is used in reverse DNS lookups.
- What is the `a:` mechanism in SPF records?
  The `a:` mechanism in SPF records allows the addresses in the domain's A or AAAA records to send mail.
- What is the `ip4:` mechanism in SPF records?
  The `ip4:` mechanism in SPF records allows the specified IPv4 address to send mail.