SPF problem with DMARC Director/PowerSPF
Question asked by AWRData - 3/7/2025 at 7:49 PM
This is not specifically for or about SmarterMail, since I am using sendmail as my gateways, just that I am wondering if any of my fellow SmarterMail admins are seeing this problem from users of this service.

There is a service called "DMARC Director" which apparently provides SPF records for customers to include in their SPF. It uses an IP macro under what appears to be a unique tokenized subdomain of macrospf.director.tangent.com. The parent service is director.tangent.com.

However, my mail system is rejecting these customer domains due to a failure of the DMARC Director (Tangent) DNS.  Bind throws this error:

DNS format error from [redacted]#53 resolving [redacted].macrospf.director.tangent.com/NS for 127.0.0.1#55922: Name macrospf.powerspf.com (SOA) not subdomain of zone macrospf.director.tangent.com -- invalid response

This is caused by an invalid SOA. From what I can tell, the "DMARC Director" is a service of "PowerSPF" or vice-versa. Whichever the case may be, they appear to be using wildcards in their DNS to alias macrospf.director.tangent.com to macrospf.com, which is a lazy way to make things work and is causing my SPF lookups to fail, thus deferring (4xx) those emails.

From all the work looking into this, it appears the proper SPF include for these affected domains is [token].powerspf.com.

Has anyone here using SmarterMail as a gateway or for direct delivery run into this service and its associated problem customers? At this point I have had to rewrite part of the spf-milter to allow whitelisting domains from SPF checks -- which opens the possibility for spoofing (except these domains use ~all anyway) and is completely non-standard.

Douglas Foster Replied
Belatedly, I think I can comment on your question.
A domain owner's SPF needs to include an IP list for each of its vendors, but the list itself is the same for every client. So the error is almost certainly related to including [redacted]. in the include filename. But the domain owner needs to contact the PowerSPF vendor to resolve the configuration problem. Since your post is old, hopefully that has already been fixed.

When evaluating SPF, a DNS error like this should be trapped and return a result of TempError.  For most installations, this is sufficient to be allowed because it is not a hard Fail.

If there is ever a question about whether your SPF parser is returning correct results, you can check it at MXtoolbox.com. In their "Supertool", the syntax is SPF:domain:IPaddress

I think you asked the question over concern that your client's error in its SPF configuration might be causing delivery problems for messages that you send for that same domain. Your best defense against that is to ensure that all of your outbound mail contains a DKIM signature that matches the From domain. But that also requires a bit of cooperation from your client, to configure its DNS entries correctly.
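As an added example (not code from this thread, from SmarterMail, or from either vendor), here is a minimal SPF evaluator that behaves the way the reply describes: a DNS error while resolving an include target is trapped and surfaced as temperror instead of a hard fail, and the other include outcomes follow RFC 7208 section 5.2. The domain names, TXT records and the "broken delegation" are constructed stand-ins, and only the ip4, include and all mechanisms are handled.

```python
# Added example (not from the thread): a minimal SPF evaluator for the
# ip4 / include / all mechanisms, showing how a DNS failure inside an
# include: term yields "temperror" rather than "fail" (RFC 7208 section 5.2).
# All domain names and records below are constructed stand-ins.
import ipaddress

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class DnsError(Exception):
    """Resolver signalled SERVFAIL (the invalid-SOA situation from the thread)."""

# Constructed TXT data; the "macrospf" name stands in for the broken delegation.
TXT_RECORDS = {
    "customer.example": "v=spf1 include:tok123.macrospf.vendor.example ~all",
    "fixed.example": "v=spf1 include:tok123.spfvendor.example ~all",
    "tok123.spfvendor.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
BROKEN_NAMES = {"tok123.macrospf.vendor.example"}

def resolve_txt(name):
    """Fake resolver: raise for the broken zone, else return the SPF TXT or None."""
    if name in BROKEN_NAMES:
        raise DnsError(f"SERVFAIL resolving {name}")
    return TXT_RECORDS.get(name)

def check_spf(domain, ip, resolver=resolve_txt, depth=0):
    """Return pass/fail/softfail/neutral/none/temperror/permerror for ip vs domain."""
    if depth > 10:                       # RFC 7208 section 4.6.4 lookup limit
        return "permerror"
    try:
        record = resolver(domain)
    except DnsError:
        return "temperror"               # a lookup failure is never a hard fail
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        if term == "all":
            return QUAL[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUAL[qualifier]
        elif term.startswith("include:"):
            sub = check_spf(term[8:], ip, resolver, depth + 1)
            if sub == "pass":
                return QUAL[qualifier]
            if sub in ("none", "temperror", "permerror"):
                return "permerror" if sub == "none" else sub  # errors propagate up
    return "neutral"                     # no term matched before the end
```

A receiver that treats temperror as a 4xx deferral (as the question describes) will retry later, while one that accepts temperror will deliver; neither turns the vendor's DNS fault into a spoofing-style hard fail.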
