Author: Konstantin Boyandin Date: To: exim-users CC: Evgeniy Berdnikov Subject: Re: [exim] Adding authentication results headers for SPF and DKIM
On 12/15/2015 02:37 PM, Evgeniy Berdnikov wrote: > On Tue, Dec 15, 2015 at 06:58:30AM +0600, Konstantin Boyandin wrote:
>> The core problem, however, was inadequate nameservers in
>> resolv.conf. They were unable to get properly all the requests in
>> time. To test that, I ran spfquery utility from command line, and it
>> complained about 'temporary errors' (when 'include' parts were
>> present in SPF record).
>
> If DNS returns TempFail, this does NOT mean it runs "improperly".
The word was 'inadequate', methinks. Too slow, and returning, at times
out-of-date results.
After I switched to certain public DNS servers, the failures ceased to
happen.
> In most cases it means only that queries from this DNS were unreplied,
> and there are lot of reasons for this: network connectivity problems,
> link load, misconfiguration of sender's DNS and so on.
The point was Exim has nothing to do with that. However, logging such
problems to Exim log could be helpful.
> As for 'include' statements in SPF records, they have no direct relation
> to DNS temporary failures, but each 'include' increases number of queries
> and hereby increases the probability of TempFail.
Correct. Every 'include' element means there are several more DNS
queries to perform; if they are likely to fail, the overall probability
of SPF check failure will only grow.