Postfix outbound mail not passing SPF checks for gmail

Scenario

I’ve had my mail with mediatemple for years, but now that GoDaddy acquired them they have cut off my outbound mail, and when I call in they are pushing Microsoft 360, so I’ve decided to roll my own mail.

I have Postfix set up with SPF and all seems well, except that Gmail shuts down my test emails every time:

<x@gmail.com>: host gmail-smtp-in.l.google.com[74.125.137.27]
    said: 550-5.7.26 This mail is unauthenticated, which poses a security risk
    to the 550-5.7.26 sender and Gmail users, and has been blocked. The sender
    must 550-5.7.26 authenticate with at least one of SPF or DKIM. For this
    message, 550-5.7.26 DKIM checks did not pass and SPF check for
    [ve.x.vesrv.com] 550-5.7.26 did not pass with ip: [x.x.x.x]. The
    sender should visit 550-5.7.26
    https://support.google.com/mail/answer/81126#authentication for 550 5.7.26
    instructions on setting up authentication.
    y14-20020a056a001c8e00b0067f03c85d73si2102348pfw.115 - gsmtp (in reply to
    end of DATA command)

Question

Mail gets delivered to my own domain, but how can I get it delivered to my Gmail address?


More details

  • 72.x.x.x is my Ubuntu server, which is under the umbrella of vserv.com
  • x.com is my domain

My DNS TXT record is:
v=spf1 ip4:72.x.x.x include:ve.x.vesrv.com include:_spf.google.com -all

And my main.cf is:

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
#delay_warning_time = 4h
readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ve.6ryrfw2g.vesrv.com
#myhostname = mail.x.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ve.x.vesrv.com, localhost.x.vesrv.com, , localhost
#mydestination = $myhostname, x.com, localhost.localdomain, localhost
#mydestination = localhost.$mydomain, localhost, $myhostname
#masquerade_domains = x.com
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all

### custom ###

#spf

policy-spf_time_limit = 3600s

smtpd_recipient_restrictions =
     ...
     permit_sasl_authenticated
     permit_mynetworks
     reject_unauth_destination
     check_policy_service unix:private/policy-spf
     ...
Asked By: Jacksonkr

||

After getting SPF working, I started getting a new response from Gmail:

<xx.xx@gmail.com>: host gmail-smtp-in.l.google.com[142.251.2.26]
    said: 550-5.7.25 [72.x.x.x] The IP address sending this message does not
    have a PTR 550-5.7.25 record setup, or the corresponding forward DNS entry
    does not point 550-5.7.25 to the sending IP. As a policy, Gmail does not
    accept messages from 550-5.7.25 IPs with missing PTR records. Please visit
    550-5.7.25  https://support.google.com/mail/answer/81126#ip-practices for
    more 550 5.7.25 information.
    q25-20020a635059000000b0055384329027si1633035pgl.566 - gsmtp (in reply to
    end of DATA command)

As this is an error about reverse DNS not matching, I ultimately had to contact GoDaddy, the owner of my IP block, and request that they set up a reverse DNS PTR record for my specific IP.

Answered By: Jacksonkr
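
Both Gmail rejections above correspond to checks that can be run over DNS data. The following is an added example, not part of the original question or answer: it evaluates SPF against the envelope sender (MAIL FROM) domain, the identity a 5.7.26 SPF failure refers to, and tests forward-confirmed reverse DNS, the condition behind the 5.7.25 bounce. All names, addresses and records are constructed, and only the ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS snapshot using documentation names and addresses (assumptions).
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    # ve.host.example (the server's own hostname) publishes no SPF record
}
PTR = {"203.0.113.10": "mail.example.com"}           # reverse zone, set by the IP owner
A = {"mail.example.com": ["203.0.113.10"]}           # forward zone, set by the domain owner
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, txt=TXT, depth=0):
    """Evaluate ip4/include/all mechanisms for the MAIL FROM domain against ip."""
    record = txt.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"                                 # nothing published at this name
    if depth > 10:
        return "permerror"                            # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qual]
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return RESULT[qual]
        elif mech.startswith("include:"):
            inner = spf_check(mech[8:], ip, txt, depth + 1)
            if inner == "pass":
                return RESULT[qual]
            if inner in ("none", "permerror"):
                return "permerror"                    # broken include poisons the record
    return "neutral"

def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: PTR exists and its name resolves back to ip."""
    name = ptr.get(ip)
    return name is not None and ip in a.get(name, [])

if __name__ == "__main__":
    for sender in ("root@ve.host.example", "me@example.com"):
        print(sender, spf_check(sender.split("@")[1], "203.0.113.10"))
    print("fcrdns", fcrdns("203.0.113.10"))
```

Mail sent with the server's hostname as the envelope domain gets "none" even though the record at example.com authorizes the same IP, so the SPF record has to exist at whichever domain appears in MAIL FROM.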