Virtualmin Cloudflare SPF does not designate permitted sender hosts

I’m using Virtualmin and Cloudflare for DNS.

Main domain has no issues with sending emails in inbox, but other domains on same IP get “does not designate permitted sender hosts” for SPF check from Google.

I’ve set up SPF record in Cloudflare for the other domains adding include:maindomain.com but still getting the error.

What settings do I need to do on Virtualmin and Cloudflare so the other domains on my server pass the SPF check?

Cloudflare TXT record: v=spf1 ip4:86.127.60.59 include:honeybadger.it ~all

Gmail error: spf=none (google.com: host.honeybadger.it does not designate permitted sender hosts) smtp.mailfrom=vixo@host.honeybadger.it; ← error

Cloudflare TXT record for main domain: v=spf1 ip4:86.127.60.59 ~all

Google OK: Received-SPF: pass (google.com: domain of user@honeybadger.it designates 86.127.60.59 as permitted sender) client-ip=86.127.60.59; ← main domain ok

Thank you.

I’ve tried restarting the server with all configurations with no success.

It looks like you are facing issues with SPF (Sender Policy Framework) records for multiple domains on the same IP address, particularly with emails failing SPF checks. Let’s break down the issue and see how you can resolve it.

Understanding SPF Records

An SPF record is used to specify which mail servers are allowed to send email on behalf of your domain. When a mail server receives an email, it checks the SPF record of the sender’s domain to ensure that the sending server is authorized to send emails for that domain.

Issue Analysis

From your description:

Main domain: SPF is working fine.
Other domains: SPF check fails with a “does not designate permitted sender hosts” error.

You’ve set up an SPF record for the other domains to include the main domain, but it’s still failing. This suggests that either the SPF record isn’t properly set up or there’s a problem with how SPF records are being interpreted.

Steps to Resolve the Issue

Verify SPF Records Syntax and Include Directives

Ensure that the SPF records for each domain are correctly formatted and include necessary directives. Specifically:

Main Domain SPF Record:

v=spf1 ip4:86.127.60.59 ~all

Other Domain SPF Record:

v=spf1 ip4:86.127.60.59 include:maindomain.com ~all

This means that emails from the other domains should pass SPF checks if they come from the IP 86.127.60.59 or if the SPF check on maindomain.com passes.

Check SPF Record of the Main Domain

Ensure that the SPF record for maindomain.com is correct and properly configured to include all IP addresses that may send mail on behalf of that domain. For example, if maindomain.com has:

v=spf1 ip4:86.127.60.59 ~all

It should be valid.

Check DNS Propagation

Sometimes DNS changes take time to propagate. Use an online SPF checker or DNS lookup tool to ensure that the SPF records have been updated across all DNS servers.

Test SPF Records

Use online SPF validators such as MXToolbox SPF Record Checker to verify that the SPF records are correctly set up and that the include directive resolves as expected.

Avoid SPF Record Length Limits

Ensure that the SPF records are not too long or too complex. SPF records have a 255-character limit for a single TXT record and a 10 DNS lookup limit. If the record becomes too complex, consider simplifying it.

Cloudflare Configuration

Ensure that Cloudflare is correctly handling the TXT records:
    Go to the Cloudflare dashboard.
    Navigate to the DNS settings for each domain.
    Verify that the SPF records are correctly entered as TXT records.

Check for SPF Syntax Errors

Verify that there are no syntax errors in your SPF records. Even a small typo can cause SPF checks to fail.

Example Configuration

Assuming you have the following setup:

Main Domain SPF Record (honeybadger.it):

v=spf1 ip4:86.127.60.59 ~all

Other Domain SPF Record (example.com):

v=spf1 ip4:86.127.60.59 include:honeybadger.it ~all

You should be able to send emails from example.com using the same IP as honeybadger.it if both domains have the SPF records correctly set up.

Troubleshooting Steps

Verify SPF Record Lookup: Use dig or an online tool to check the SPF record directly:

dig +short TXT example.com

Check SPF Record Inclusion: Ensure that include:honeybadger.it resolves to a valid SPF record for the main domain.

Inspect Email Headers: Look at the full email headers of the failed SPF check to diagnose where the failure is occurring.

By following these steps and verifying each component, you should be able to resolve the SPF issues and ensure that emails sent from all domains pass the SPF check. If you continue to face issues, you may want to reach out to Cloudflare support or consult with your email service provider for further assistance.
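
The header-inspection step, worked through as an added example (not part of the original posts): it extracts the smtp.mailfrom domain from the Gmail result line quoted in the question and evaluates SPF for that exact name against an in-memory copy of the records shown on the page. The ZONE table, the function names and example.com are assumptions made for the illustration, and only the ip4, include and all mechanisms are implemented.

```python
import ipaddress
import re

# Gmail result line quoted in the question.
FAILED_HEADER = ("spf=none (google.com: host.honeybadger.it does not designate "
                 "permitted sender hosts) smtp.mailfrom=vixo@host.honeybadger.it;")

# Constructed zone mirroring the TXT records on the page; example.com stands in
# for the other domain, and host.honeybadger.it has no SPF record (spf=none).
ZONE = {
    "honeybadger.it": "v=spf1 ip4:86.127.60.59 ~all",
    "example.com": "v=spf1 ip4:86.127.60.59 include:honeybadger.it ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mailfrom_domain(header):
    """Domain of smtp.mailfrom: the name whose SPF record the receiver looks up."""
    m = re.search(r"smtp\.mailfrom=(?:[^@\s;]*@)?([^\s;>]+)", header)
    return m.group(1).lower() if m else None


def check_spf(domain, ip, zone=ZONE, depth=0):
    """Evaluate ip4, include and all only (a subset of RFC 7208)."""
    record = zone.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                      # nothing published at this exact name
    if depth >= 10:
        return "permerror"                 # stop runaway include chains
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        result = qualifier or "pass"
        if mech == "all":
            return result
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return result
        if mech.startswith("include:"):
            inner = check_spf(mech[8:], ip, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"         # include target missing or broken
            if inner == "pass":
                return result
    return "neutral"


def diagnose(header, ip, zone=ZONE):
    """Return (domain SPF was evaluated for, SPF result for the connecting IP)."""
    domain = mailfrom_domain(header)
    return domain, (check_spf(domain, ip, zone) if domain else "none")
```

Calling `diagnose(FAILED_HEADER, "86.127.60.59")` shows which name the receiver checked and why the result is `none`; passing a zone that also holds a record for that name shows how the result changes.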