<![CDATA[Bug Report - SPF Check not RFC compliant]]>Hello,

I recently restructured SPF records and noticed that cloudrons chcek for a correct SPF record ist not rfc compliant.

It seems to me that the SPF check in the UI (Email -> Domains) fails to check any include statements in the SPF-TXT record for a domain. This leads to cloudron reporting an incorrect SPF record despite the SPF record being correct.

Cloudron is expecting something like

TXT in foo.com
v=spf1 a:bar.foo.com ~all

and reports an error for
TXT in bar.com
v=spf1 include:_spf.foo.com ~all

TXT in _spf.foo.com
v=spf1 a:bar.foo.com ~all

Despite being a correct SPF record, with less than 10 recursive DNS Querries needed.

I totally understand why the webinterface "recommends" me to use the expected value, being easier to understand and more user friendly. Nevertheless I would expect cloudron to not report a correct (and working) SPF record as faulty.

For reference: https://datatracker.ietf.org/doc/html/rfc7208#section-4.6

]]>https://forum.cloudron.io/topic/15608/bug-report-spf-check-not-rfc-compliantRSS for NodeFri, 12 Jun 2026 18:29:53 GMTFri, 12 Jun 2026 08:58:20 GMT60<![CDATA[Reply to Bug Report - SPF Check not RFC compliant on Fri, 12 Jun 2026 13:03:54 GMT]]>Right, the check is simply hardcoded to check for a: entry in the SPF. To check all the possibilities would be quite complicated, since we will have to implement the full SPF spec just for diagnostics.

(What you see on the dashboard is just a diagnostic. The mail server Haraka has a fuller SPF implementation).

]]>https://forum.cloudron.io/post/125717https://forum.cloudron.io/post/125717Fri, 12 Jun 2026 13:03:54 GMT