Hello,
I recently restructured SPF records and noticed that Cloudron's check for a correct SPF record is not RFC compliant.
It seems to me that the SPF check in the UI (Email -> Domains) fails to check any include statements in the SPF TXT record for a domain. This leads to Cloudron reporting an incorrect SPF record despite the SPF record being correct.
Cloudron is expecting something like
TXT in foo.com
v=spf1 a:bar.foo.com ~all
and reports an error for
TXT in bar.com
v=spf1 include:_spf.foo.com ~all
TXT in _spf.foo.com
v=spf1 a:bar.foo.com ~all
Despite being a correct SPF record, with fewer than 10 recursive DNS queries needed.
I totally understand why the web interface "recommends" that I use the expected value, as it is easier to understand and more user friendly. Nevertheless, I would expect Cloudron not to report a correct (and working) SPF record as faulty.
For reference: https://datatracker.ietf.org/doc/html/rfc7208#section-4.6
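
Added example, not part of the original post and not Cloudron's code: a minimal static checker that follows `include` mechanisms and enforces the 10-lookup limit of RFC 7208 section 4.6.4, run over constructed TXT data that copies the records quoted above. The names `check_spf`, `get_spf`, `ZONE` and the `loop.example` entry are assumptions made for illustration; `redirect=` and macros are not handled.

```python
# Constructed TXT data mirroring the post's records; no real DNS is queried.
ZONE = {
    "foo.com": ["v=spf1 a:bar.foo.com ~all"],
    "bar.com": ["v=spf1 include:_spf.foo.com ~all"],
    "_spf.foo.com": ["v=spf1 a:bar.foo.com ~all"],
    "loop.example": ["v=spf1 include:loop.example ~all"],  # self-reference
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


class SPFError(Exception):
    """Conditions a receiver would treat as permerror."""


def get_spf(domain, zone):
    """Return the single v=spf1 record published for domain."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise SPFError(f"{domain}: expected one SPF record, got {len(found)}")
    return found[0]


def _walk(domain, expected, zone, state):
    for term in get_spf(domain, zone).split()[1:]:
        mech = term.lstrip("+-~?").lower()  # drop the qualifier
        name, _, arg = mech.partition(":")
        name = name.split("/")[0]  # "a/24" -> "a"
        if name == "all":
            break  # nothing after "all" is ever evaluated
        if name in LOOKUP_MECHS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise SPFError("more than 10 DNS-querying mechanisms")
        if mech == expected:
            return True
        if name == "include" and _walk(arg, expected, zone, state):
            return True
    return False


def check_spf(domain, expected, zone=ZONE):
    """Return (found, lookups): is `expected` reachable from domain's record?"""
    state = {"lookups": 0}
    found = _walk(domain, expected.lower(), zone, state)
    return found, state["lookups"]


if __name__ == "__main__":
    for d in ("foo.com", "bar.com"):
        print(d, check_spf(d, "a:bar.foo.com"))
```

The lookup count is the number of DNS-querying mechanisms visited before the expected one is found, so a self-including record ends in `SPFError` instead of recursing forever.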