Now it works.
Thu, 28 Jun 2012
Setting up SPF on a domain that doesn't normally do email (specifically this one, mstevens.org), for experimental purposes.
Found one problem so far - I specified my SPF record as
v=spf1 mx -all. I then sent a test email to google, and it was rejected with:
Received-SPF: fail (google.com: domain of email@example.com does not designate 2001:ba8:1f1:f1ef::2 as permitted sender) client-ip=2001:ba8:1f1:f1ef::2; Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of firstname.lastname@example.org does not designate 2001:ba8:1f1:f1ef::2 as permitted sender) email@example.com; dkim=pass (test mode) firstname.lastname@example.org
The mx defined for the domain is on IPv4 and IPv6, and has A and AAAA records. I was expecting the SPF record above to mark both as valid, but google doesn't seem to interpret it as valid.
Looking at the discussion at a thread on the SPF mailing list I think it probably should be considered valid, although I'm not certain. Anyway, I've updated the SPF record with a
ip6 entry for the specific IP address, hopefully that'll sort it. Possibly there's a bug in the google implementation, but I wouldn't know who to contact!
Waiting for the DNS to propagate and see if the change helps.