With valid SPF my mail header becomes huge -> high SpamAssassin score

I have a dedicated server with a survey system running on a subdomain. The parent domain is hosted on another server. I send email via google apps.

Reverse DNS is correct.

Without SPF or DKIM, the very smart '[email protected]' returns a SpamAssassin score of ca. 0.

But with a passing SPF record and this summary

SPF check:          pass
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    pass
SpamAssassin check: ham

I get a quite high SpamAssassin score of ca. 3, due to the header being very big:

pts rule name              description
---- ---------------------- --------------------------------------------------
3.1 SINGLE_HEADER_2K       A single header contains 2K-3K characters
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                       trust

So my question is: it seems from this that I should delete the SPF record, since a large header is deemed worse than a valid SPF?

Or is it my SPF which is wrong?

v=spf1 a mx ptr ip4:xxx.xx.xxx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all

The xxx IP is for the server with the TLD; the yyy IP is the server where the subdomain is hosted.

Below a part of the header:

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: [email protected]
DNS record(s):
mydomain.dk. SPF (no records)
mydomain.dk. 400 IN TXT "v=spf1 a mx ptr ip4:xxx.xx.xxx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all"
mydomain.dk. 360 IN A xxx.xx.xxx.xx
mydomain.dk. 41895 IN MX 10 aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt2.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt1.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 30 aspmx2.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx3.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx4.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx5.googlemail.com.
aspmx.l.google.com. 217 IN A 74.125.115.27
alt2.aspmx.l.google.com. 204 IN A 209.85.229.27
alt1.aspmx.l.google.com. 248 IN A 209.85.229.26
aspmx2.googlemail.com. 1036 IN A 74.125.43.27
aspmx3.googlemail.com. 1658 IN A 74.125.127.27
aspmx4.googlemail.com. 863 IN A 209.85.229.27
aspmx5.googlemail.com. 921 IN A 74.125.157.27
174.160.85.209.in-addr.arpa. 86400 IN PTR mail-gy0-f174.google.com.
mail-gy0-f174.google.com. 86400 IN A 209.85.160.174
mydomain.dk. 41895 IN MX 10 aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt2.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt1.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 30 aspmx2.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx4.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx5.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx3.googlemail.com.
aspmx.l.google.com. 217 IN A 74.125.115.27
alt2.aspmx.l.google.com. 204 IN A 209.85.229.27
alt1.aspmx.l.google.com. 248 IN A 209.85.229.26
aspmx2.googlemail.com. 1036 IN A 74.125.43.27
aspmx4.googlemail.com. 863 IN A 209.85.229.27
aspmx5.googlemail.com. 921 IN A 74.125.157.27
aspmx3.googlemail.com. 1658 IN A 74.125.127.27
_spf.google.com. SPF (no records)
_spf.google.com. 206 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

Again I have crossed out my own IPs, and the rest I guess is Google's?

What should I do now? Should I delete the SPF record, or can I change it somehow to get a smaller header that still works?

Solution 1:

SPF shouldn't be causing a header to be added. Something else should be doing this. Look at your headers for some segment where there are lots of lines in a row which are indented (continuation lines). This will be your problem header.

As you are using ~all, your SPF record won't be that effective. You are better off coming up with a policy which will enable you to end your SPF record with '-all'. See my comments on Securing your Email Reputation with SPF.

Solution 2:

You do not need the full verbose list of all mail exchangers; you probably have a higher-than-necessary level of debugging set somewhere that is causing some part of your mail chain to include this.

Determine which part of your mail chain is adding this header.
Then make it stop. :-)
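Both answers boil down to the same procedure: find the single header that carries the verbose DNS dump, then find the hop that inserts it. The script below is an added example (not code from the question or either answer) that does exactly that over a raw message. It assumes the 2K rule fires on the size of one header as it sits on the wire (name, colon, value and folding whitespace) with a cut-off of 2048 characters; both are assumptions, not SpamAssassin's documented rule logic. The sample message is constructed: the header name `X-SPF-Details`, the hosts `mx.tester.example` and `tester.example`, the address `survey@mydomain.dk` and the Received lines are invented, and the DNS dump is rebuilt from the question's own lines (with the MX set repeated twice, as the question shows for a record that lists `mx` twice).

```python
"""Locate the oversized header behind a SINGLE_HEADER_2K hit.

Added example, not code from the question or either answer. Assumptions:
the rule measures one header as it appears on the wire, the cut-off is
2048 characters, and the hop that inserted a header is the one named in
the nearest Received: line above it.
"""
import re
from typing import List, Tuple

# MX set from the question's dump (hostnames/IPs as shown there).
MX_HOSTS = [
    ("10", "aspmx.l.google.com."),
    ("20", "alt2.aspmx.l.google.com."),
    ("20", "alt1.aspmx.l.google.com."),
    ("30", "aspmx2.googlemail.com."),
    ("30", "aspmx3.googlemail.com."),
    ("30", "aspmx4.googlemail.com."),
    ("30", "aspmx5.googlemail.com."),
]
A_FOR_MX = ["74.125.115.27", "209.85.229.27", "209.85.229.26",
            "74.125.43.27", "74.125.127.27", "209.85.229.27", "74.125.157.27"]


def _mx_dump() -> List[str]:
    """One MX + A record dump of mydomain.dk, 14 lines, like the question's."""
    lines = [f"mydomain.dk. 41895 IN MX {p} {h}" for p, h in MX_HOSTS]
    lines += [f"{h} 300 IN A {ip}" for (_, h), ip in zip(MX_HOSTS, A_FOR_MX)]
    return lines


def build_sample_message() -> str:
    """Constructed message: the verbose SPF report folded into one header.
    The MX dump appears twice because the question's record lists 'mx' twice,
    so the checker expands it twice. Header name and hosts are invented."""
    detail = (
        ["-" * 58, "SPF check details:", "-" * 58,
         "Result:         pass",
         "ID(s) verified: survey@mydomain.dk",      # constructed address
         "DNS record(s):",
         "mydomain.dk. SPF (no records)",
         'mydomain.dk. 400 IN TXT "v=spf1 a mx ptr ip4:xxx.xx.xxx.xx mx '
         'include:_spf.google.com ip4:yy.yy.yy.yyy ~all"',
         "mydomain.dk. 360 IN A xxx.xx.xxx.xx"]
        + _mx_dump()
        + ["174.160.85.209.in-addr.arpa. 86400 IN PTR mail-gy0-f174.google.com.",
           "mail-gy0-f174.google.com. 86400 IN A 209.85.160.174"]
        + _mx_dump()
        + ["_spf.google.com. SPF (no records)",
           '_spf.google.com. 206 IN TXT "v=spf1 ip4:216.239.32.0/19 '
           'ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 '
           'ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 '
           'ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"']
    )
    folded = "\n    ".join(detail)            # RFC 5322 folding: newline + WSP
    return "\n".join([
        "Received: from mail-gy0-f174.google.com ([209.85.160.174])",
        "    by mx.tester.example (Postfix) with ESMTPS id C0NSTRUCTED",
        "    for <check@tester.example>; Tue, 3 May 2011 10:00:00 +0000",
        "Authentication-Results: mx.tester.example; spf=pass",
        "X-SPF-Details: " + folded,           # the header that trips the 2K rule
        "Received: by mail-gy0-f174.google.com with SMTP id k12so; "
        "Tue, 3 May 2011 09:59:58 +0000",
        "From: survey@mydomain.dk",
        "To: check@tester.example",
        "Subject: Survey invitation",
        "",
        "Body.",
    ])


def split_headers(raw: str) -> List[Tuple[str, str]]:
    """(name, raw_text) per header. raw_text keeps the folding, so len()
    reflects the wire size. Parsing stops at the first blank line."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    groups: List[List[str]] = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and groups:
            groups[-1].append(line)           # continuation line of the previous header
        else:
            groups.append([line])
    return [("\n".join(g).split(":", 1)[0].strip(), "\n".join(g)) for g in groups]


def header_sizes(raw: str) -> List[Tuple[str, int, int]]:
    """(name, characters on the wire, continuation lines), largest first."""
    rows = [(n, len(t), t.count("\n")) for n, t in split_headers(raw)]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def oversized_headers(raw: str, threshold: int = 2048) -> List[Tuple[str, int, int]]:
    """Headers that would trip a 'single header over threshold' rule."""
    return [r for r in header_sizes(raw) if r[1] > threshold]


def inserted_by(raw: str, name: str) -> str:
    """Heuristic: a hop prepends the headers it adds, so the nearest Received:
    above a header usually names the host that inserted it ('by' token)."""
    last_by = ""
    for hname, text in split_headers(raw):
        if hname.lower() == "received":
            m = re.search(r"\bby\s+([\w.-]+)", text)
            last_by = m.group(1) if m else last_by
        elif hname.lower() == name.lower():
            return last_by
    return ""


if __name__ == "__main__":
    msg = build_sample_message()
    for name, size, conts in header_sizes(msg)[:3]:
        print(f"{name:24} {size:5d} chars, {conts} continuation lines")
    for name, size, _ in oversized_headers(msg):
        print(f"over 2K: {name} ({size} chars), inserted by {inserted_by(msg, name)!r}")
```

Run it on a real message by reading the file into `msg` instead of building the sample: the largest entry in `header_sizes` is the header the 2K rule is counting, and `inserted_by` points at the hop whose debug level needs turning down, which is where both answers say the fix belongs rather than in the SPF record itself.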