[bug]: Auto-Generated SPF records in DNS causing authentication and failed mail

[wayneoutthere]

What happened?

I copied faithfully all the DNS records into my cloudflare account from the DNS records automatically generated by Stalwart. The two subject entries are:

1. v=spf1 mx ra=postmaster -all
2. v=spf1 a ra=postmaster -all

My first few test emails failed and the return reply was:

rejected command 'RCPT TO:[<email@email>]'' with code 550 (0.0.0) 'Unauthenticated mail not allowed from this range')

After some searching and using some mail tools it continually said I was failing because of having 'multiple spf records'

I am now combining the above two records as follows and testing and will update thread if this fixes:

v=spf1 a mx ra=postmaster -all

If this is indeed the case, then it would be nice to fix this so it combines both records, or, has a kind of notification that this must be done manually.

How can we reproduce the problem?

1. management
2. Domain
3. DNS records
4. Inspect list of Stalwart-generated records to see the two SPF records generated

Version

v0.10.x

What database are you using?

RocksDB

What blob storage are you using?

RocksDB

Where is your directory located?

None

What operating system are you using?

Linux

Relevant log output

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[mdecimus]

I suggest you use an online tool such as mail-tester.com to debug your DMARC, SPF and DKIM records. Beware that some tools do not support the ra= flag and wrongly report that the record is incorrect.

[wayneoutthere]

Thanks for idea. I already did that. the issue is that there are two (2) entries generated. So when you add both of these entries to DNS records (I think?) the rcpt sees two records and downgrades the sender for having two. The tools I were using were all saying 'Hey! You have two headers, not one! that's bad!" So my point was not so much the content of the headers but the number of them...

[mdecimus]

Do you mean DKIM records? It is perfectly valid to have two DKIM signatures in the email, if the tool you are using says otherwise then they are wrong.
If you mean SPF records, you need one for your domain and another one for your mail server. The DNS entries generated by Stalwart already include these two SPF records.

[wayneoutthere]

No, what I mean is exactly what i wrote above. You can see my copy/paste of the two records generated by Stalwart. I inserted these two records into cloudflare. I'm not sure where these 'two' records are being generated (stalwart or cloudflare) but the tool is saying that multiple SPF is bad. So, just to confirm what I've been doing is this:

1. copy SPF record # 1 (from Stalwart-generated) and pasting into CF
2. copy SPF record # 2 (from Stalwart-generated) and pasting into CF
3. send email
4. results are saying 'multiple spf records detected. bad.'

[oddlama]

You probably have stalwart running on example.com instead of mail.example.com right? In that case the generated DNS records by stalwart will be incorrect since stalwart assumes you run it under a subdomain. In this case you actually need two spf records, one for the MX on the main domain example.com and one on the subdomain mail.example.com to allow the A record. But they are under different zones. If you run stalwart on the main domain, it will falsely output two records for example.com. What you should do is merge them and use a single record v=spf1 mx a ra=postmaster -all

[wayneoutthere]

Oh.... wow. This definitely could be it indeed! Thanks for your response and I will dig into this soon. I am struggling with the 'subdomain-dns-certificate' process of all this in my learning but this definitely seems to be the root since all my examples are example.com because i wanted the email addresses to be user@example.com and did not have the experience to figure out how to do that with a subdomain (yet). Thanks again and I will mark as 'answer' as soon as I can find time to test.

[oddlama]

Hosting stalwart as mail.example.com would not necessarily make your email addresses xyz@mail.example.com. This only depends on where you set the mx record (and which domain you add in the UI). Usually, people use mail.example.com for the website and services like imap, smtp, etc. and it is also the identity used by your mailserver when it communicates with other mail servers. Having it as a subdomain can make changing servers simpler since you have dedicated records for just the mail portion.

But just for the record, this is still a bug in stalwart. It should not generate invalid output for valid configurations.

[wayneoutthere]

fantastic explanation. If anyone knows of a serious resource that teaches about this kind of thing, great, otherwise, I'll likely blog my journey and maybe post it back to this thread if I end up succeeding and understanding and being able to explain it. Your reply very much appreciated and bug noted as well