Old 12-30-2013, 06:33 AM   #1
markotitel
Member
 
Registered: Feb 2009
Location: Titel - Serbia
Posts: 181

Rep: Reputation: 18
Using Google MX, proper SPF record setup help.


Hi, I have some "purple haze" regarding my SPF record.
I am using Google MX, and have two servers which send mail, besides the standard webmail used for office work.
One server is a web server and the other is a monitoring server, which is behind a firewall at our office and monitors several Linux machines.

Here is the SPF record that is giving me a headache:
Quote:
v=spf1 a mx ip4:my_domain.com_ip ip4:my_office_ip include:_spf.google.com ip4:178.221.103.89 ~all
The problem I have is "strange":
- Using the Gmail web panel I can send mail to 99.99% of domains, but for some I get this message:
Quote:
Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at http://support.google.com/mail/bin/a...py?answer=7720
[(0) smtp.my_domain.com. [My_Office_IP]:587: Connection refused]
Google apparently tries to connect to smtp.my_domain.com, which resolves to my_office_ip, and it cannot because there is no mail server there (I have logged the attempts and it is a Google IP); after that my email is bounced back.
Now what is strange here is that I don't have any smtp.my_domain.com record, although I do have a wildcard record *.my_domain.com, but that shouldn't be the problem.

I have solved the problem by removing my_office_ip from the SPF record, and now it looks like this:
Quote:
v=spf1 a mx ip4:my_domain.com_ip include:_spf.google.com ip4:178.221.103.89 ~all
So if my_office_ip is not there, Google doesn't check it and mails pass, but I need my_office_ip as a permitted sender too because of some reports.

What seems to be the problem here?

I forgot to add: Gmail tries to connect to my office_ip only when I am sending mail to those domains where my mail gets bounced back; also, those domains are using Google MX.

Last edited by markotitel; 12-30-2013 at 06:56 AM.
 
Old 12-30-2013, 09:55 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
What if you create an explicit smtp... record instead of letting the wild card handle it? Give it an IP that IS reachable (it doesn't necessarily have to be the one it came from).
 
Old 12-31-2013, 04:40 AM   #3
markotitel
Member
 
Registered: Feb 2009
Location: Titel - Serbia
Posts: 181

Original Poster
Rep: Reputation: 18
I can do that, but that is not a solution, it is a hard-core "hack". I have removed that "problematic" IP from SPF for now, but I don't know why Google tries to connect to it; the only MX records in DNS are Gmail MX.
 
Old 12-31-2013, 08:41 AM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Various people do various things to try to prevent spoofing/spam. Some you might tell to go to hell, e.g. Ebay (I think it is) won't send email to you if you have what THEY call a "generic" reverse lookup record. Our solution to that is to say "Ebay is NOT a business related address so we're not going to modify our DNS because they've come up with a bizarre definition no one else uses." Google, on the other hand, has Gmail for all sorts of different people, so trying to say there is no need for Gmail in your business is a little harder.

In my not so humble opinion it isn't really a hack if you point your smtp server record to a real smtp server instead of your generic IP using the wild card. It probably makes more sense than removing your allowed sender from spf because some folks may reject email that comes from that path due to the existence of an spf in the first place. (That is to say you are NOT required to have an spf record at all but once you make one then people that check for it will assume anything that didn't come from your approved email in spf is trying to spoof.)

Of course, if you really don't like having a defined smtp record, what you could do is remove your wild card and only have real A records or CNAMEs for the things that you DO want using your main IP, so that smtp doesn't match the wild card.
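The DNS options from posts #2 and #4, and the effect of dropping the office IP from the record, as an added example that is not part of the original thread. `example.com` and the 192.0.2.x / 198.51.100.x addresses are constructed stand-ins for the thread's placeholders, and both functions are simplified sketches (wildcard lookup without a full zone tree; SPF with only `ip4` and `all` evaluated).

```python
import ipaddress

# Constructed stand-ins for the thread's placeholders: example.com for
# my_domain.com, WEB_IP for my_domain.com_ip, OFFICE_IP for my_office_ip.
WEB_IP, OFFICE_IP, MAIL_IP = "192.0.2.10", "198.51.100.20", "192.0.2.25"

WILDCARD_ZONE = {"example.com": WEB_IP, "*.example.com": OFFICE_IP}
EXPLICIT_ZONE = {**WILDCARD_ZONE, "smtp.example.com": MAIL_IP}  # post #2
NO_WILDCARD_ZONE = {"example.com": WEB_IP}                      # post #4

def resolve_a(zone, name):
    """Simplified wildcard lookup: an explicit owner name always wins;
    otherwise the wildcard under the closest existing parent answers."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in zone:
            return zone["*." + parent]
        if parent in zone:  # closest encloser exists but has no wildcard
            return None
    return None

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip4_result(record, sender_ip):
    """Evaluate only ip4 and all; a, mx and include need live DNS and are
    skipped, which is a simplification of real SPF processing."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

ORIGINAL = f"v=spf1 a mx ip4:{WEB_IP} ip4:{OFFICE_IP} include:_spf.google.com ip4:178.221.103.89 ~all"
REDUCED = f"v=spf1 a mx ip4:{WEB_IP} include:_spf.google.com ip4:178.221.103.89 ~all"

if __name__ == "__main__":
    for label, zone in [("wildcard", WILDCARD_ZONE), ("explicit", EXPLICIT_ZONE),
                        ("no wildcard", NO_WILDCARD_ZONE)]:
        print(f"smtp.example.com, {label} zone ->", resolve_a(zone, "smtp.example.com"))
    for label, rec in [("original", ORIGINAL), ("reduced", REDUCED)]:
        print(f"office server, {label} record ->", spf_ip4_result(rec, OFFICE_IP))
```

With the reduced record the office server's mail falls through to `~all`, which is the cost of the workaround that post #4 warns about.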
 
Old 12-31-2013, 09:03 AM   #5
yo8rxp
Member
 
Registered: Jul 2009
Location: Romania
Distribution: Ubuntu 10.04 Gnome 2
Posts: 102

Rep: Reputation: 31
google mx

Looks like it ain't about MX, but some RBL Spamhaus or nuclear filter in Postfix main.cf, which is supposed to filter spam, but it filters Google also.
Could ya post some /etc/postfix/main.cf here?
Look for lines containing

reject_rbl_client

I had the same problem with the nuclear RBL, and got to stick with Spamhaus only.

Sincerely ,
Gabriel linux-romania.com

Last edited by yo8rxp; 12-31-2013 at 09:04 AM.
 
Old 01-04-2014, 05:46 AM   #6
markotitel
Member
 
Registered: Feb 2009
Location: Titel - Serbia
Posts: 181

Original Poster
Rep: Reputation: 18
Thanks for the help. The problem is not in Postfix; as I said, we use Google MX. I haven't done much research afterwards; for now I have put that "problematic" IP back in the SPF record and am waiting again to see what happens.
 
  


All times are GMT -5.