Discourse email fails SPF checks

(Philip Potter) #1

My discourse emails keep getting marked as spam, and when I investigated I realised it was failing SPF.

SPF: FAIL with IP 2600:3c01:0:0:f03c:91ff:fe40:4ef3

The SPF record that I see is:

"v=spf1 ip4: -all"

Is it just a matter of adding the IPv6 records too? (I’m not an expert in these things, this is just a guess)

(Gabriel Gonzalez) #2

@philandstuff: I’m also not an expert in these things :slight_smile:

That IPv6 address does not look correct to me. None of the *.dhall-lang.org services, including Discourse and the mail server, are configured to use IPv6 and I don’t believe that IPv6 address you listed is for dhall-lang.org:

$ curl https://[2600:3c01:0:0:f03c:91ff:fe40:4ef3]/
curl: (7) Couldn't connect to server

$ host dhall-lang.org
dhall-lang.org has address
dhall-lang.org mail is handled by 10 mail.dhall-lang.org.

$ host discourse.dhall-lang.org
discourse.dhall-lang.org has address
discourse.dhall-lang.org mail is handled by 10 mail.dhall-lang.org.

$ host mail.dhall-lang.org
mail.dhall-lang.org has address

Do you have any idea why the source IP address might be wrong? It might be specific to your mail setup. As far as I can tell you should not be receiving mail from our Discourse with an IPv6 source address at all and is the correct address to specify in the SPF record.

(Philip Potter) #3

Huh, that’s weird. I can confirm I have received other emails from the correct IPv4 address, which passed SPF and didn’t get marked as spam. I can forward one of the failing emails with all headers to you if that would help?

I did a reverse DNS lookup on the IPv6 address, it seems to be in a range assigned to Linode. I don’t know if that’s significant.

(Gabriel Gonzalez) #4

Yeah, if you could forward to me one email with the IPv6 address and one email with the IPv4 address I can take a look at them and see if anything jumps out.

Also, I do use Linode for hosting dhall-lang.org

(Philip Potter) #5

(Posting for visibility: I sent two emails to Gabriel; one passing and one failure)

(Gabriel Gonzalez) #6

@philandstuff: So I double-checked Linode and apparently the server does have an IPv6 address that matches what you found. I’ve updated all the relevant DNS entries to also work with that IPv6 address so now you should not get an SPF rejection any longer. Specifically:

$ host dhall-lang.org
dhall-lang.org has address
dhall-lang.org has IPv6 address 2600:3c01::f03c:91ff:fe40:4ef3
dhall-lang.org mail is handled by 10 mail.dhall-lang.org.

$ dig -t TXT dhall-lang.org

; <<>> DiG 9.8.3-P1 <<>> -t TXT dhall-lang.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20960
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;dhall-lang.org.			IN	TXT

dhall-lang.org.		300	IN	TXT	"v=spf1 ip4: ip6:2600:3c01::f03c:91ff:fe40:4ef3 -all"

;; Query time: 385 msec
;; SERVER: 2001:558:feed::1#53(2001:558:feed::1)
;; WHEN: Tue May  7 19:35:29 2019
;; MSG SIZE  rcvd: 110

… and now all of the Dhall infrastructure is IPv6-capable as a result of these changes
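
The failure and the fix discussed in this thread, as an added example that is not part of the original posts: a minimal evaluator for the `ip4`, `ip6` and `all` mechanisms of an SPF record, run against the record before and after the `ip6:` entry was added. The function name `check_spf_ip` is hypothetical, and `192.0.2.10` is a constructed placeholder because the thread does not show the real IPv4 address.

```python
import ipaddress

# SPF qualifier prefix -> result when the mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf_ip(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for sender_ip.

    Hypothetical helper: mechanisms that need DNS lookups (a, mx, include,
    exists, ptr) are rejected, and modifiers such as redirect= are ignored.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # modifier, not a mechanism
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled here: {term}")
        net = ipaddress.ip_network(value, strict=False)
        if net.version != int(name[2]):
            raise ValueError(f"address family mismatch in {term}")
        # An ip4 mechanism can never match an IPv6 sender, and vice versa.
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" mechanism

# Constructed placeholder: the thread does not show the real IPv4 address.
IPV4 = "192.0.2.10"
# IPv6 source address reported in the failing SPF check (uncompressed form).
IPV6 = "2600:3c01:0:0:f03c:91ff:fe40:4ef3"

BEFORE = f"v=spf1 ip4:{IPV4} -all"
AFTER = f"v=spf1 ip4:{IPV4} ip6:2600:3c01::f03c:91ff:fe40:4ef3 -all"

if __name__ == "__main__":
    for label, record in (("before", BEFORE), ("after", AFTER)):
        for sender in (IPV4, IPV6):
            print(f"{label:6} {sender:36} -> {check_spf_ip(record, sender)}")
```

The uncompressed address from the failure report and the compressed form in the updated record parse to the same address, so the comparison is done on parsed values rather than strings.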