View Issue Details

IDProjectCategoryView StatusLast Update
0001554Main CAcert Websitemiscpublic2024-01-04 02:19
ReporterL10N Assigned To 
Status newResolutionopen 
PlatformDefaultOSanyOS Versionany
Summary0001554: Mail from domain [] fails to pass SPF checks
DescriptionEvery time I send an e-Mail to the cacert-support list, I get this answer: (see mail after the ----)
- is this a problem of us or of them?
- if it is from us, is a solution easy or complicated?

SUBJECT: Undelivered Mail Returned to Sender
FROM: Mail Delivery System <>

This is the mail system at host

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<>: host[] said:
    550-5.7.26 The MAIL FROM domain [] has an SPF record with a hard
    fail 550-5.7.26 policy (-all) but it fails to pass SPF checks with the ip:
    550-5.7.26 []. To best protect our users from spam and
    phishing, 550-5.7.26 the message has been blocked. Please visit 550-5.7.26 for more 550
    5.7.26 information. t5-20020adfe445000000b0031ff1152941si12973458wrm.960 -
    gsmtp (in reply to end of DATA command)

Reporting-MTA: dns;
X-Postfix-Queue-ID: 95BA41DD37
X-Postfix-Sender: rfc822;
Arrival-Date: Mon, 2 Oct 2023 22:13:23 +0200 (CEST)

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 5.7.26
Remote-MTA: dns;
Diagnostic-Code: smtp; 550-5.7.26 The MAIL FROM domain [] has an SPF
    record with a hard fail 550-5.7.26 policy (-all) but it fails to pass SPF
    checks with the ip: 550-5.7.26 []. To best protect our users
    from spam and phishing, 550-5.7.26 the message has been blocked. Please
    visit 550-5.7.26 for more 550
    5.7.26 information. t5-20020adfe445000000b0031ff1152941si12973458wrm.960 -
Steps To ReproduceSend any e-Mail to
Tagslist, mail
Reviewed by
Test Instructions



2023-10-15 12:44

manager   ~0006196

From Peter J. Mello:
 attempted to add this to the Mantis ticket in the subject, but for some reason lack sufficient privileges on that system to contribute anything. Pulling the currently published DNS RR containing the SPF record for was, of course, quite trivial and revealed itself as: IN TXT "v=spf1 a mx ip4: ip6:2001:7b8:616:162:1::10 ip6:2001:7b8:616:28:50::11 -all"
There exists more ambiguity than I'd like in the ticket, namely the nature of the inclusion of the host at in the message path, but assuming it's a legitimate part of the mailing list infrastructure, then the TXT RR shown above needs to be amended thusly in order to pass the SPF check again: IN TXT "v=spf1 a mx ip4: ip6:2001:7b8:616:162:1::10 ip6:2001:7b8:616:28:50::11 -all"
This would also seem an opportune moment to add a DMARC record to the domain to further thwart spammers, which I would propose be introduced with this configuration… IN TXT "v=DMARC1; p=quarantine; pct=100; aspf=s; ri=259200;"
It also seems worth noting that one of the five nameservers appears to be dead,, and another,, presents a disparity between the IPv6 address it resolves to vs. the glue record associated with it from the parent name server.

Hope this helps to speed a resolution for the ticket.


2023-10-15 15:09

administrator   ~0006197

our current SPF record contains

"v=spf1 a mx ip4: ip6:2001:7b8:616:162:1::10 ip6:2001:7b8:616:28:50::11 -all"

this allows the following systems to send emails on behalf of

- our MX host -> and 2001:7b8:616:162:2::228
- the A record (and AAAA) of -> and 2001:7b8:616:162:2::239
- and 2001:7b8:3:9c::246
- and 2001:7b8:3:9c::245
- and 2001:7b8:616:162:1::10 (addresses of
- 2001:7b8:616:28:50::11 which is used for which is our mailing list host has its own SPF record:

"v=spf1 ip4: ip6:2001:7b8:616:162:2::17 -all"

This record contains the public addresses of only.

Other systems and especially systems of should not send mail on behalf of or addresses. We will not change the SPF records.

We will check the nameserver inconsistencies for the IPv6 reverse DNS zone.


2023-10-16 16:05

administrator   ~0006198

side note: email from email addresses must be sent via the community mail server see for documentation


2024-01-03 16:30

updater   ~0006200

Hello L10N,

Is this your email address, or just something that appears in the gmail mail delivery failure log?


2024-01-03 17:40

manager   ~0006201

The address should be AFAIK only an address in the example sent by user L10N. As the flaw reported by Peter J. Mello ( seemed to be similar, I copied the Peter's text from OTRS ticket s20231015.3 as the comment.

As the former reporter (L10N) possibly also copied somebody's text, it is clear for me, that the user has problems to send us a mail, Should send it to and not to "cacert-support list", which is his list on his side and could contain the address "".

So please check what P. J. Mello reports.


2024-01-04 00:00

reporter   ~0006202

I checked the six mails still in my inbox. This are "answers" to mails sent by me with my address to the following mailiing lists:
- CAcert-devel <>
- General Help <>

Maybe it is just the address from a CAcert community member that did not update it's subscriptions while changing the e-mail-address? In this case, the admin of this two lists could just unsubscribe the szlcsb@ address from this lists?


2024-01-04 02:19

updater   ~0006203

That is my opinion also, and I'm pretty sure I've investigated the error message and suggested exactly that in the past.

The problem is that the listed email in the error message is not, or at least, SHOULD not, be the email actually subscribed to any list, as it instead should be an unknown/unlisted address with a @* suffix, and THAT address is set to forward to the szlcsb@ address.

But either address should be easily found, if it is subscribed to either list.

I'll see, if I can get a list admin to help out.

Issue History

Date Modified Username Field Change
2023-10-02 20:33 L10N New Issue
2023-10-02 20:33 L10N Tag Attached: list
2023-10-02 20:33 L10N Tag Attached: mail
2023-10-15 12:44 alkas Note Added: 0006196
2023-10-15 15:09 jandd Note Added: 0006197
2023-10-16 16:05 jandd Note Added: 0006198
2024-01-03 16:30 NoSubstitute Note Added: 0006200
2024-01-03 17:40 alkas Note Added: 0006201
2024-01-04 00:00 L10N Note Added: 0006202
2024-01-04 02:19 NoSubstitute Note Added: 0006203