Why is my SPF Record not working?

Solution 1:

You might want to suspect the MTA involved.

As far as I can tell, your SPF record is set up correctly. I sent a message to one of my addresses (Gmail) using a sender address from your domain ([email protected]). Gmail does evaluate SPF, but always delivers the message regardless. Here are the headers I got:

Received-SPF: fail (google.com: domain of [email protected] does not designate XXX.XXX.XXX.XXX as permitted sender) client-ip=XXX.XXX.XXX.XXX;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of [email protected] does not designate XXX.XXX.XXX.XXX as permitted sender) [email protected]

My guess is that the servers for yahoo.co.jp aren't evaluating SPF correctly, but I don't have any email address with them, so I can't test it to make sure. Aside from that, you might be running into other MTA's that simply don't respect SPF hardfail, resulting in messages still getting delivered.

Solution 2:

Your SPF record is set to hard fail (using -all). However, you include '_spf.google.com' which is set to neutral fail (done by including ?all).

# host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

Solution 3:

I believe I may see your problem. I assume by your spf record that this is a google domain and you are using them to send mail. Change your spf record from "-all" to "~all" - as I know that this can cause some issues. See here: http://www.google.com/support/a/bin/answer.py?answer=178723

And by the way Received-SPF: neutral means that server is neither permitted nor denied.