Symptoms
- On Plesk for Linux, the SPF check fails if the SPF record in the DNS zone of the sender's domain is too long (more than 5000 symbols). The following errors can be seen in the log file /var/log/maillog:
plesk postfix/smtpd[23645]: connect from unknown[203.0.113.2]
plesk postfix/smtpd[23645]: 35CF7140344: client=unknown[203.0.113.2]
plesk postfix/cleanup[23649]: 35CF7140344: message-id=<[email protected]>
plesk spf[23651]: Starting the spf filter…
plesk spf[23651]: SPF result: fail
plesk spf[23651]: SPF status: REJECT
plesk psa-pc-remote[21019]: REJECT during call ‘spf’ handler
plesk postfix/cleanup[23649]: 35CF7140344: milter-reject: END-OF-MESSAGE from unknown[203.0.113.2]: 5.7.23 SPF validation failed. : Reason: mechanism; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<example.com>
plesk spf[24253]: Starting the spf filter…
plesk spf[24253]: Error code: (26) DNS lookup failure
plesk spf[24253]: Failed to query MAIL-FROM: Temporary DNS failure for ‘example.com’.
plesk spf[24253]: SPF result: tempfail
Cause
Product issue:
- #PPPM-8103 "Plesk can now check incoming mail by processing SPF TXT records that contain up to 1024 mechanisms."
Fixed in:
- Plesk Obsidian 20 April 2021 (Linux)
Resolution
Workaround
Use one of the following solutions:
Solution 1
In the DNS zone of the sender domain, split the SPF record into shorter records (e.g. with the hostnames spf1.example.com, spf2.example.com, etc.), and include those shorter records in the main SPF record.
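The split described in Solution 1, as an added example that is not Plesk code: it packs the mechanisms into spfN sub-records, rebuilds the main record from include: terms, and goes one step further than the text by refusing a split that would exceed the SPF limit of 10 DNS lookups. The spfN hostnames follow the article; the 450-character budget, the function names and the sample record are assumptions.

```python
# Added example (not Plesk code). The spfN.<domain> names, the 450-character
# budget and the sample addresses are assumptions made for illustration.
MAX_LEN = 450      # assumed per-record budget, after RFC 7208's size guidance
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: DNS-querying terms per SPF check
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def term_name(term):
    """Mechanism or modifier name without qualifier, argument or CIDR length."""
    for sep in ":/=":
        term = term.split(sep)[0]
    return term.lstrip("+-~?").lower()


def split_spf(record, domain, max_len=MAX_LEN):
    """Return {hostname: TXT value}; the main record is keyed by `domain`."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    if len(record) <= max_len:
        return {domain: record}
    # 'all' and 'redirect' decide the final result, so they stay in the main record.
    tail = [t for t in terms[1:] if term_name(t) in ("all", "redirect")]
    body = [t for t in terms[1:] if t not in tail]
    if any(t[0] in "-~?" for t in body):
        raise ValueError("include: matches only on pass; keep qualified terms in the main record")
    chunks, current = [], "v=spf1"
    for term in body:
        if current != "v=spf1" and len(current) + 1 + len(term) > max_len:
            chunks.append(current)
            current = "v=spf1"
        current += " " + term
    if current != "v=spf1":
        chunks.append(current)
    # Each include costs one lookup on top of those the original terms needed.
    lookups = len(chunks) + sum(term_name(t) in LOOKUP_TERMS for t in terms[1:])
    if lookups > MAX_LOOKUPS:
        raise ValueError(f"{lookups} DNS lookups needed, limit is {MAX_LOOKUPS}")
    zone = {f"spf{i}.{domain}": txt for i, txt in enumerate(chunks, 1)}
    # Sub-records carry no 'all': an include that does not match falls through.
    zone[domain] = " ".join(["v=spf1", *(f"include:{h}" for h in zone), *tail])
    return zone


# Constructed sample: 300 documentation-range addresses, more than 5000 characters.
SAMPLE = "v=spf1 mx " + " ".join(f"ip4:198.51.100.{i % 256}" for i in range(300)) + " -all"

if __name__ == "__main__":
    # At 450 characters this sample needs more than 10 lookups, so the budget is raised.
    for host, txt in split_spf(SAMPLE, "example.com", max_len=900).items():
        print(f"{host}. IN TXT ({len(txt)} chars) {txt[:70]}")
```

A value longer than 255 characters has to be published as several quoted strings inside one TXT record.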
Solution 2
- Go to Tools & Settings > Mail Server Settings.
- Enable the option "Enable SPF spam protection to check incoming mail" and set the option "SPF checking mode" to "Only create Received-SPF headers, never block".
- Enable both options under DKIM spam protection.
- Enable the option "Enable DMARC to check incoming mail".
This way, DMARC makes its decisions based on the SPF and DKIM status: emails will not be dropped because of SPF problems, but the SPF status will still be included in the DMARC policy check.