NEUTRAL SPF validation when sending from only one of my verified domains

Question

We have a system sending emails for lots of our clients. Eveyone of them is verified using the same process where we create a domain into AWS SES and with our clients, we create approriates DNS entries into their DNS system. (TXT record for verification, CNAMEs for DKIM signatures and MX + TXT records for MAIL FROM custom domain). After everything is verified, we activate the "send email" feature.  
  
We encountered a situation where only one of our clients is getting a NEUTRAL SPF validation. I can repro easily using the "Send Test Email" button from the AWS portal for that particular domain where all other domains (70+) always gets full validation.  
  
Can you help out finding whats wrong?  
The client successfully created into his DNS the appropriate MX and TXT records for the custom MAILFROM info.csportneuf.qc.ca having the TXT record value to "v=spf1 include:amazonses.com ~all". Checked with Powershell Resolve-DNSName -Name info.csportneuf.qc.ca -Type TXT  
  
After sending to a GMail address and looking at "Original message" or header, we can see the following:  
Received-SPF: neutral (google.com: 54.240.11.127 is neither permitted nor denied by best guess record for domain of 0100016b0494cee6-e942c362-c724-42c7-8db0-90db23fdb43c-000000@info.csportneuf.qc.ca) client-ip=54.240.11.127;  
  
Is that particular IP not considered as being amazonses.com?

Accepted Answer

Hello,   
  
I was able to reproduce the same way you have your configuration. In order to resolve this, please correct the TXT record for the custom mail from.   
  
Currently it is =>   
$ dig TXT info.csportneuf.qc.ca +short  
"\"v=spf1 include:amazonses.com ~all\""  
  
Please change that (in the value in your dns settings) =>   
"v=spf1 include:amazonses.com ~all"  
  
The TXT records for other custom mail from are set in the same manner. For example:   
$ dig TXT info.cqsb.qc.ca +short  
"v=spf1 include:amazonses.com ~all"  
  
Please wait for the change to propagate and test it. This should fix the issue.   
  
Regards,  
Gaurav @ AWS

Answer

Hi Gaurav,  
Thanks for your reply and sorry for replying that late but i seem to have missed the email notification when you replied. Just discovered you had answered me!  
  
According to my issue, i want to make sure i understand the right usage of the "quote" character.  
In the AWS console, when you generate entries for TXT domain validation, DKIM Cnames and MX records, you do not use any "quotes" characters around the value you generate except for the TXT record for the SPF entry where you actually include the "quote" into the following value  
=> "v=spf1 include:amazonses.com ~all"  
  
When i ask my customer to add those entries into his DNS for validation, shall i ask them to NOT include the "quotes" or should they? My probleme seems to happen when the customers includes the quotes when entering the value into his DNS. If so, why do you include the quotes only into this entry into the AWS console?

NEUTRAL SPF validation when sending from only one of my verified domains

相关内容