Consistently getting None (no SPF record) even when SPF record is defined

I am trying to create an SPF record for my domain and enable my mail server to evaluate it. I am using Postfix on the mail server and policyd-spf (Python) to evaluate the records. Currently, I have an SPF record published for my domain over my private DNS server, and you can see the record on the server with a nslookup command.

The problem I'm currently having is that regardless of the SPF record that I publish, policyd-spf is returning "None (no SPF record)" in the email header. I am looking for either a pass or fail so that I can fix the record accordingly, but it doesn't seem to be evaluating it at all at this point. Any help will be much appreciated!

I've tried to publish several different records (at different times) for both web1 and mail.example.com in several different formats already (shown below), but I think it's a configuration issue. The IP address "XXX.XX.XX.XXX" points to the "web1" host, and the address "YYY.YY.YY.YY" points to the "mail.example.com" host, which is the mail server.

mail.example.com. IN TXT "v=spf1 include:mail.example.com -all"

mail.example.com. IN TXT "v=spf2.0/pra include:mail.example.com -all"

mail.example.com. IN TXT "v=spf1 a ip4:XXX.XX.XX.XXX -all"

mail.example.com. IN TXT "v=spf2.0/pra a ip4:XXX.XX.XX.XXX -all"

example.com. IN TXT "v=spf1 -all"

mail.example.com. IN TXT "v=spf1 a include:web1 -all"

mail.example.com. IN TXT "v=spf1 a ip4:YYY.YY.YY.YY -all"

Here is the log output when I try to send an email:

Apr  5 09:17:33 mail postfix/smtpd[9114]: connect from web1[XXX.XX.XX.XXX]
Apr  5 09:17:33 mail policyd-spf[9119]: Starting
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "request=smtpd_access_policy"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "protocol_state=RCPT"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "protocol_name=ESMTP"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "client_address=XXX.XX.XX.XXX"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "client_name=web1"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "reverse_client_name=web1"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "helo_name=web1"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "[email protected]"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "[email protected]"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "recipient_count=0"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "queue_id="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "instance=239a.5ca7556d.9e4db.0"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "size=0"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "etrn_domain="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "stress="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "sasl_method="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "sasl_username="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "sasl_sender="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "ccert_subject="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "ccert_issuer="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "ccert_fingerprint="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "encryption_protocol="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "encryption_cipher="
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: "encryption_keysize=0"
Apr  5 09:17:33 mail policyd-spf[9119]: Read line: ""
Apr  5 09:17:33 mail policyd-spf[9119]: Found the end of entry
Apr  5 09:17:33 mail policyd-spf[9119]: Config: {'Mail_From_reject': 'Fail', 'Void_Limit': 2, 'Lookup_Time': 20, 'HELO_reject': 'Fail', 'Header_Type': 'SPF', 'defaultSeedOnly': 1, 'PermError_reject': 'False', 'debugLevel': 4, 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'TempError_Defer': 'False'}
Apr  5 09:17:33 mail policyd-spf[9119]: Cached data for this instance: []
Apr  5 09:17:43 mail policyd-spf[9119]: spfcheck: pyspf result: "['None', '', 'helo']"
Apr  5 09:17:43 mail policyd-spf[9119]: None; identity=helo; client-ip=XXX.XX.XX.XXX; helo=web1; [email protected]; [email protected]
Apr  5 09:17:43 mail policyd-spf[9119]: Header type: SPF; Authres ID (for AR): None
Apr  5 09:17:43 mail policyd-spf[9119]: spfcheck: pyspf result: "['None', '', 'mailfrom']"
Apr  5 09:17:43 mail policyd-spf[9119]: None; identity=mailfrom; client-ip=XXX.XX.XX.XXX; helo=web1; [email protected]; [email protected]
Apr  5 09:17:43 mail policyd-spf[9119]: Header type: SPF; Authres ID (for AR): None
Apr  5 09:17:43 mail policyd-spf[9119]: Action: prepend: Text: Received-SPF: None (no SPF record) identity=mailfrom; client-ip=XXX.XX.XX.XXX; helo=web1; [email protected]; [email protected]
Apr  5 09:17:43 mail postfix/smtpd[9114]: CBCB723ADE: client=web1[XXX.XX.XX.XXX]
Apr  5 09:17:43 mail postfix/cleanup[9133]: CBCB723ADE: message-id=<310009219.518.1554470379582@web1>
Apr  5 09:17:43 mail postfix/qmgr[9111]: CBCB723ADE: from=<[email protected]>, size=3718, nrcpt=1 (queue active)
Apr  5 09:17:43 mail postfix/smtpd[9114]: disconnect from web1[XXX.XX.XX.XXX]
Apr  5 09:17:43 mail postfix/local[9134]: CBCB723ADE: to=<[email protected]>, relay=local, delay=10, delays=10/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Apr  5 09:17:43 mail postfix/qmgr[9111]: CBCB723ADE: removed

Here is my postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = YYY.YY.YY.YY, 127.0.0.0/8 [::1]/128
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
smtpd_recipient_restrictions = check_policy_service unix:private/policyd-spf,   permit_sasl_authenticated,      reject_unauth_destination,      warn_if_reject
unknown_local_recipient_reject_code = 550

And here is my policyd-spf.conf file:

#  For a fully commented sample config file see policyd-spf.conf.commented

debugLevel = 4
defaultSeedOnly = 1

HELO_reject = Fail
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1


Solution 1:[1]

  1. I'm new to SPF, but the 1st line creates an endless loop because it includes itself.

mail.example.com. IN TXT "v=spf1 include:mail.example.com -all"

  2. I'm curious:

    include:web1

web1 is not an FQDN, but includes MUST BE FQDNs IIRC?

PS: More people will find your posting, so please post your solution or delete it, so people find useful information instead of orphaned questions.

Solution 2:[2]

SPF stands for Sender Policy Framework, as specified in RFC 7208. This is set up with DNS TXT records prefixed with v=spf1. Confusingly, Microsoft pushed for SenderID, which never really caught on for various reasons (see link) but has prefixes starting with v=spf2.0. SenderID is effectively dead, so focus on SPF as in RFC 7208 and use the prefix v=spf1.

The other thing that needs clarification is what an SPF record means: it provides a list of authorized systems that may send email for the domain. You therefore set up a record for the domain, example.com in your question, and not for mail.example.com (which would be [one of] the authorized sending systems for the domain).

Putting this together, a possible SPF record would be,

example.com. IN TXT "v=spf1 a:mail.example.com -all"

Finally, note that some of your proposed solutions have include:mail.example.com, but an include: entry is to include/insert the SPF TXT record found at the given DNS name, and not the machine by that name. a:mail.example.com is likely what you mean instead.
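The points made in both answers (the self-including record, include: of a name that has no SPF record, and publishing the record on the domain rather than the mail host) can be checked without a live DNS server. The following is an added example, not code from the question or from policyd-spf/pyspf: a minimal RFC 7208 evaluator for the a, ip4, include and all mechanisms, run against a constructed in-memory zone. The addresses 203.0.113.25 and 198.51.100.10 stand in for the redacted "YYY.YY.YY.YY" (mail.example.com) and "XXX.XX.XX.XXX" (web1) from the question; the zone contents and function names are assumptions made for this illustration.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory zone.  Constructed
example, not policyd-spf or pyspf code; it reproduces the "none" results in
the question and shows what the corrected record evaluates to."""
import ipaddress

# Constructed stand-ins for the redacted addresses in the question
# (documentation ranges, RFC 5737).
MAIL_IP = "203.0.113.25"    # "YYY.YY.YY.YY": mail.example.com
WEB1_IP = "198.51.100.10"   # "XXX.XX.XX.XXX": web1

# The questioner's setup: record published on the mail host name, including
# itself, and nothing on the domain that actually appears in MAIL FROM.
ZONE_BROKEN = {
    "mail.example.com": {"A": [MAIL_IP],
                         "TXT": ['v=spf1 include:mail.example.com -all']},
    "web1.example.com": {"A": [WEB1_IP]},
    "example.com": {"A": []},
}

# Solution 2's proposal: record on the domain, naming the host with a:.
ZONE_FIXED = {
    "example.com": {"TXT": ['v=spf1 a:mail.example.com -all']},
    "mail.example.com": {"A": [MAIL_IP]},
    "web1.example.com": {"A": [WEB1_IP]},
}

MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit on DNS-querying terms
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def with_record(zone, domain, txt):
    """Copy of zone with the TXT record at domain replaced by txt."""
    new = {d: {k: list(v) for k, v in rr.items()} for d, rr in zone.items()}
    new.setdefault(domain, {})["TXT"] = [txt]
    return new


def spf_record(zone, domain):
    """First v=spf1 TXT record at domain, or None.  A SenderID record
    (v=spf2.0/...) is not an SPF record, so it yields None here too."""
    for txt in zone.get(domain, {}).get("TXT", []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, zone, _seen=None, _lookups=None):
    """Evaluate SPF for sender address ip and identity domain (HELO or
    MAIL FROM).  Returns pass, fail, softfail, neutral, none or permerror."""
    addr = ipaddress.ip_address(ip)
    seen = _seen if _seen is not None else set()
    lookups = _lookups if _lookups is not None else [0]

    record = spf_record(zone, domain)
    if record is None:
        return "none"                 # policyd-spf: "None (no SPF record)"
    if domain in seen:
        return "permerror"            # include: chain loops back on itself
    seen.add(domain)

    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        matched = False

        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            lookups[0] += 1
            target = arg or domain
            matched = any(ipaddress.ip_address(a) == addr
                          for a in zone.get(target, {}).get("A", []))
        elif name == "include":
            lookups[0] += 1
            # include: evaluates the SPF *record* published at arg, not the
            # host called arg.  No record there is a permanent error (5.2).
            sub = check_host(ip, arg, zone, seen, lookups)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"        # unknown mechanism

        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                  # nothing matched and no 'all' term


if __name__ == "__main__":
    cases = [
        ("question: MAIL FROM domain has no record", ZONE_BROKEN, WEB1_IP, "example.com"),
        ("question: self-including record",          ZONE_BROKEN, MAIL_IP, "mail.example.com"),
        ("fixed: mail host sends for example.com",   ZONE_FIXED,  MAIL_IP, "example.com"),
        ("fixed: web1 sends for example.com",        ZONE_FIXED,  WEB1_IP, "example.com"),
    ]
    for label, zone, ip, dom in cases:
        print(f"{label:45s} -> {check_host(ip, dom, zone)}")
```

The first case is the question's symptom: policyd-spf evaluates the MAIL FROM domain (example.com) and the HELO name (web1), neither of which carries a v=spf1 record, so both identities come back none regardless of what is published at mail.example.com. Swapping the fixed record for a v=spf2.0/pra variant with with_record() also yields none, and include:web1 or include:mail.example.com (where no SPF record exists at that name) yields permerror rather than pass.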

Sources

[1] Solution 1: Blox
[2] Solution 2

Source: Stack Overflow. This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.