Spf neutral with cloudflare

Hello,

After setting dns of cloudflare on my domain, I have a spf neutral warning in emails:

spf=neutral (google.com: 212.227.126.133 is neither permitted nor denied by best guess record for domain of

Here is my spf config:
v=spf1 mx a include:_spf.perfora.net include:_spf.kundenserver.de include:servers.mcsv.net ~all

What’s wrong?

Thanks!

The a clause won’t work with Cloudflare since Cloudflare proxies incoming requests, but your outbound mail still comes from the origin IP.

The mx clause could work, but only if you receive mail through the same server that you send from.

What’s the domain? It might be easier for me to run a could checks with the real name rather than doing it synthetically from the record.

Hi thedaveCA,

the domain its “terranovacnc.com”, using 1AND1 mail servers.

This is what I have now:
v=spf1 mx a include:_spf.perfora.net include:_spf.kundenserver.de include:servers.mcsv.net include:mout.kundenserver.com ~all

Including the name servers from ionos ips:

I’m so desperate with that :frowning:

You are setting your SPF policy in the legacy SPF RR type. This is no longer valid, and your SPF policy needs to be in a TXT record.

Hello Michael,

Could you write the txt record I need to set?

I created a new txt record, with this:
v=spf1 mx a include:_spf.perfora.net include:_spf.kundenserver.de include:servers.mcsv.net include:mout.kundenserver.com ~all

And deleted the SPF record, do I have to change something else in txt record?

Now I got a “PASS” spf in gmail with this, but don’t know if I should change something in actual txt record.

I would really appreciate it :slight_smile:

Thanks

The record is failing validation because there is no policy for mout.kundenserver.com. Once that is removed the record will probably validate successfully.

What goes in your SPF is directly related to the IP addresses and services that you send email from, so only you can reliably write a good SPF record. You should include only those hosts that you send mail from. You should investigate DKIM and DMARC also, as combined with SPF they are designed to ensure that only your authorised email servers can send email that claims to come from your domain.

A service like https://dmarcian.com is useful in gathering reports and gradually increasing the authority of your email domain.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.