# SPF and Postfix mail

## musicweb

Can anyone tell me how to set up SPF and Postfix?

I installed the libspf2 package and also a few perl modules that are supposed to be there for SPF to work.

I get a reject message from another server I'm sending an email to:

```
The administrator of the domain wm-mw.org may have incorrectly configured its SPF record. This is a common cause of mistakes.

Here's what you can do: Contact the wm-mw.org postmaster and tell them that they need to change wm-mw.org's SPF record so that it authorizes smtp-o-1.netrevolution.com. For example, they could change the record to something like

v=spf1 a ptr a:smtp-o-1.netrevolution.com -all

If you refer your postmaster to this web page, they should be able to solve the problem.
```

I don't see anywhere in Postfix configuration about setting up SPF.

I use Webmin to manage my server...

----------

## JC99

I'm assuming you are using BIND for your DNS. If so, can you post the SPF record(s) you have added to your zone/hosts file for your domain?

----------

## musicweb

Thanks, but I'm still not sure what you mean.

Should I add that domain to the Mail Server Records area?

----------

## papahuhn

What exactly do you want to do with your mailserver? Do you run a mailing list or try to send emails on wm-mw.org's behalf? Is wm-mw.org your domain? If not, you cannot configure the domain's SPF record.

----------

## musicweb

Yes, we are wm-mw.org... and we own our servers. We never had a problem like this until now. I guess SPF is becoming more common now.

Anyway, we try to send email to certain people and we get the error message sent back to us. The emails are sent to them from our server using Postfix.

I see under BIND there is a Mail Server category under localhost.

In there is an Add Mail Server Record area. Is that where I add the domain we are trying to send to?

No, we are not a mailing list company. Just an affiliate program for musicians.

----------

## papahuhn

Well, then this is not a postfix issue, at least not your postfix.

smtp-o-1.netrevolution.com tried to send an email claiming it came from wm-mw.org, though your SPF record [1] states that netrevolution's smtp is not authorized to do this.

This happens when your mailserver tries to send an email to, let's say, user@netrevolution.com, and this email address is an alias for, let's say, user@otherdomain.com. Netrevolution's smtp then tried to forward this email, but kept the original "MAIL FROM: whatever@wm-mw.org". otherdomain.com's smtp then checked your SPF record [1] and decided to reject the email, because smtp-o-1.netrevolution.com is not authorized to send emails with an envelope FROM address which includes your domain.

It is a matter of debate which party has a misconfiguration here. Maybe netrevolution shouldn't use your domain as MAIL FROM address. Personally, I think that otherdomain.com's mailserver is too strict by rejecting those emails directly. The only thing you can do, without debating with netrevolution's and/or otherdomain's IT staff, is to loosen up your SPF record, which is a nameserver issue, not postfix.

[1] wm-mw.org descriptive text "v=spf1 a ptr -all"

----------
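
The forwarding failure described in the post above, as an added example that is not part of the original thread: a small evaluator for the `a`, `ptr` and `all` mechanisms, run against the record from footnote [1] and the record suggested in the bounce. The IP addresses, the reverse name `mail.wm-mw.org` and the in-memory DNS tables are constructed assumptions, and other SPF mechanisms are not handled.

```python
import ipaddress

# Constructed DNS data: documentation-range IPs, not the hosts' real addresses.
A_RECORDS = {"wm-mw.org": ["192.0.2.10"], "mail.wm-mw.org": ["192.0.2.10"],
             "smtp-o-1.netrevolution.com": ["198.51.100.25"]}
PTR_RECORDS = {"192.0.2.10": ["mail.wm-mw.org"],
               "198.51.100.25": ["smtp-o-1.netrevolution.com"]}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def a_match(ip, name):
    return any(ipaddress.ip_address(a) == ip for a in A_RECORDS.get(name, []))

def ptr_match(ip, domain):
    # ptr: a reverse name must sit in the domain and resolve back to the IP.
    return any((n == domain or n.endswith("." + domain)) and a_match(ip, n)
               for n in PTR_RECORDS.get(str(ip), []))

def check_spf(record, client_ip, mail_from_domain):
    """Evaluate the a, ptr and all mechanisms for the envelope sender domain."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, target = mech.partition(":")
        target = target or mail_from_domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = a_match(ip, target)
        elif name == "ptr":
            matched = ptr_match(ip, target)
        else:
            raise ValueError(f"mechanism {name!r} is outside this example")
        if matched:
            return RESULTS[qualifier]   # first matching mechanism decides
    return "neutral"

PUBLISHED = "v=spf1 a ptr -all"                               # footnote [1]
SUGGESTED = "v=spf1 a ptr a:smtp-o-1.netrevolution.com -all"  # from the bounce

def demo():
    own, forwarder = "192.0.2.10", "198.51.100.25"
    return {"direct": check_spf(PUBLISHED, own, "wm-mw.org"),
            "forwarded": check_spf(PUBLISHED, forwarder, "wm-mw.org"),
            "forwarded_after_change": check_spf(SUGGESTED, forwarder, "wm-mw.org")}

if __name__ == "__main__":
    print(demo())
```

Mail sent directly from the domain's own host passes on the `a` mechanism, while the same envelope sender relayed by the forwarder falls through to `-all`.

----------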

## musicweb

I'm still confused... so I'm going to turn this over to someone else in Canada.

No idea where to add records or loosen things up. Thanks for help anyway.

----------

## papahuhn

musicweb, who is responsible for your domain? Isn't there a Webmin panel which allows you to configure wm-mw.org's DNS settings?

----------

## musicweb

Sorry I got frustrated....

Yes, I was in Webmin this morning and looking at the BIND DNS server.

I got as far as seeing Add Sender Permitted From Record under localhost.

I just have no idea what to enter there.

This is a screenshot:

http://wm-mw.org/image2.jpeg

----------

## papahuhn

Hi, "localhost" does not sound right, and +all does not match "-all" in the query result I get for your domain [1].

Your domain is handled by the nameservers ns1.no-ip.com to ns5.no-ip.com, so you seem to have an account at no-ip.com? If you don't know, ask the one who registered your domain. It is those nameservers which need to be configured appropriately.

[1] wm-mw.org descriptive text "v=spf1 a ptr -all"

----------

## musicweb

Yes we have a no-ip account, so that's probably it. 

I'll have our guy in Canada check it out. Thanks.

----------

