Homer Wilson Smith wrote:
> dig thumpernet.com mx shows mail.thumpernet.com at 71.176.110.29
> which is correct.
> dig thumpernet.com txt shows "v=spf1 mx -all" which is also
> correct.
...
>
> SPF fail (Mechanism '-all' matched): HELO/EHLO: mail.thumpernet.com
> Sep 27 14:16:58 smtp0 postfix/policy-spf[2492]: handler sender_policy_framework: 550 Please see http://www.openspf.org/Why?s=helo;id=mail.thumpernet.com;ip=71.176.110.29;r=smtp0.lightlink.com
> Sep 27 14:16:58 smtp0 postfix/policy-spf[2492]: : Policy action=550

They are failing SPF on the HELO/EHLO hostname. They are correctly
announcing themselves as mail.thumpernet.com. However, they have defined
an SPF record for this hostname:

    $ dig +short mail.thumpernet.com txt
    "v=spf1 mx -all"

which essentially states "allow the MX for mail.thumpernet.com to send
mail from mail.thumpernet.com." Problem is, there's no MX for
mail.thumpernet.com:

    $ dig +short mail.thumpernet.com mx
    <nothing>

In other words, they have incorrectly assumed that the "mx" mechanism
would always refer to the domain name, rather than the host for which
the SPF record is defined. See,

    http://www.openspf.org/FAQ/Common_mistakes

for more info. In particular, check the section titled, "Publish SPF
records for HELO names used by your mail servers." If you have any other
questions, please ask them on an SPF list.
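
Added example, not part of the original message or of any SPF implementation: a small evaluator for the a, mx, ip4 and all mechanisms, run against a constructed in-memory zone that mirrors the dig answers quoted above, showing why the HELO check fails while the same record passes for thumpernet.com. The names ZONE, FIXED, lookup and check_host are hypothetical, and the "v=spf1 a -all" HELO record in FIXED is an assumed correction, not one taken from the thread.

```python
import ipaddress

# Constructed zone mirroring the dig answers quoted in the thread.
ZONE = {
    ("thumpernet.com", "MX"): ["mail.thumpernet.com"],
    ("thumpernet.com", "TXT"): ["v=spf1 mx -all"],
    ("mail.thumpernet.com", "A"): ["71.176.110.29"],
    ("mail.thumpernet.com", "TXT"): ["v=spf1 mx -all"],
    # No ("mail.thumpernet.com", "MX") entry: that lookup returns nothing.
}
# Assumed correction (not from the thread): match the HELO host's own A record.
FIXED = {**ZONE, ("mail.thumpernet.com", "TXT"): ["v=spf1 a -all"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    """Return the record values for name/rtype, or an empty list."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def check_host(zone, ip, domain):
    """Evaluate the a, mx, ip4 and all mechanisms of domain's SPF record."""
    records = [t for t in lookup(zone, domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "permerror" if records else "none"
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        # Without a ":domain" argument, a and mx apply to the domain being
        # checked (here the HELO name), not to its parent domain.
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in lookup(zone, target, "A")
        elif mech == "mx":
            matched = any(ip in lookup(zone, mx, "A") for mx in lookup(zone, target, "MX"))
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism or modifier not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for zone, name in ((ZONE, "mail.thumpernet.com"), (ZONE, "thumpernet.com"), (FIXED, "mail.thumpernet.com")):
        print(name, lookup(zone, name, "TXT"), check_host(zone, "71.176.110.29", name))
```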