The core issue appears when Google's mail servers reject emails with the error: "Received-SPF: softfail (domain of transitioning sender@sender.com does not designate xxx.xxx.xxx.xxx as permitted sender)". This indicates a mismatch between your SPF record and the actual sending IP address.
Your current SPF records show multiple declarations:
v=spf1 ip4:xxx.xxx.xxx.xxx ~all , ttl : 14144
v=spf1 include:_spf.google.com ~all , ttl : 14144
v=spf1 a -all , ttl : 14144
v=spf1 ip4:xxx.xxx.xxx.yyy ~all , ttl : 14144
There are several technical problems here:
- Multiple SPF records violate RFC 7208 (only one SPF record per domain is allowed)
- Conflicting mechanisms (~all vs -all)
- Potential IP address mismatches between what's declared and your actual sending server
For a Drupal site using mimemail and potentially multiple servers, your SPF should be consolidated into a single record:
v=spf1 ip4:xxx.xxx.xxx.xxx ip4:xxx.xxx.xxx.yyy include:_spf.google.com ~all
Key components:
- List all authorized sending IPs (production and development)
- Include Google's SPF if you use GSuite/Google Workspace
- Use ~all (softfail) during testing, then -all (hardfail) for production
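For Drupal's mimemail module, make sure mail actually leaves through a server whose IP is listed in your SPF record. Add this to settings.php:
// Route Drupal's outgoing mail through Mime Mail.
$conf['mail_system'] = array(
  'default-system' => 'MimeMailSystem',
  'mimemail' => 'MimeMailSystem',
);
// SMTP relay settings. The public IP of this relay is what Google checks against SPF.
$conf['smtp_host'] = 'your.mail.server';
$conf['smtp_port'] = 587;
$conf['smtp_protocol'] = 'tls';
// Placeholder credentials; replace with your own.
$conf['smtp_username'] = 'username';
$conf['smtp_password'] = 'password';
// The From domain should be the domain that publishes the SPF record.
$conf['smtp_from'] = 'sender@sender.com';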
After updating your DNS, verify with:
dig TXT sender.com
nslookup -type=TXT sender.com
Use online SPF checkers like:
- MXToolbox SPF Checker
- DNSLytics SPF Validator
- Google's Postmaster Tools
When maintaining both production and development environments:
- Ensure both IPs are in your SPF record
- Configure identical mail headers in both environments
- Test email delivery from both servers
- Consider using separate subdomains (dev.sender.com) with their own SPF records
For complex setups, consider DKIM and DMARC records alongside SPF. Example DKIM record for Drupal:
k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
DMARC record example:
v=DMARC1; p=none; rua=mailto:postmaster@sender.com
When Google rejects emails with SPF softfail errors, it typically means your SPF record isn't properly authorizing the sending IP address. The error message clearly states: "domain of transitioning sender@sender.com does not designate xxx.xxx.xxx.xxx as permitted sender".
Your current SPF records appear problematic:
v=spf1 ip4:xxx.xxx.xxx.xxx ~all , ttl : 14144
v=spf1 include:_spf.google.com ~all , ttl : 14144
v=spf1 a -all , ttl : 14144
v=spf1 ip4:xxx.xxx.xxx.yyy ~all , ttl : 14144
This configuration has multiple issues:
- Multiple SPF records (violates RFC 7208)
- Conflicting mechanisms (-all vs ~all)
- No proper IP address grouping
For a Drupal site sending through multiple servers, your SPF should look like:
v=spf1 ip4:xxx.xxx.xxx.xxx ip4:xxx.xxx.xxx.yyy include:_spf.google.com ~all
Key points:
- Single record only
- List all authorized IPs in one record
- Use ~all for softfail (recommended during testing)
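- Keep TTL values out of the record text (the TTL is set on the DNS record itself)
For Drupal's mimemail module, make sure mail actually leaves through a server whose IP is listed in your SPF record. Here's a sample configuration for settings.php:
// localhost:25 hands mail to the local MTA. If that MTA delivers directly,
// this server's public IP must be listed in the SPF record.
$conf['smtp_host'] = 'localhost';
$conf['smtp_port'] = 25;
// The From domain should be the domain that publishes the SPF record.
$conf['smtp_from'] = 'sender@sender.com';
$conf['smtp_fromname'] = 'Sender Name';
$conf['smtp_allowhtml'] = 1;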
Use these commands to verify your setup:
dig TXT sender.com +short
nslookup -type=TXT sender.com
For online testing, use tools like:
- MXToolbox SPF Checker
- Google Admin Toolbox
- Kitterman SPF Validator
For development and production servers:
v=spf1 ip4:xxx.xxx.xxx.xxx ip4:xxx.xxx.xxx.yyy include:_spf.google.com ?ip4:xxx.xxx.xxx.zzz ~all
The ? qualifier gives a neutral result for your dev IP (zzz), allowing testing without affecting production.
Rules to follow:
- Never have multiple SPF records
- Avoid mixing -all and ~all
- Don't exceed 10 DNS lookups (each include counts toward the limit)
- Ensure your Return-Path (envelope sender) domain is the one that publishes the SPF record
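The rules above can be checked offline before you publish a change. The following is an added example, not code from the original page: `audit_spf` is a hypothetical helper, and the sample records use constructed RFC 5737 documentation addresses in place of the masked IPs. It only counts the lookup terms visible in the record, so lookups nested inside an include are not included in the total.

```python
import ipaddress

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def audit_spf(txt_records, sending_ip):
    """Audit a domain's TXT records offline; nested lookups inside include: are not resolved."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    ip = ipaddress.ip_address(sending_ip)
    all_qualifiers, ip_listed, max_lookups = set(), False, 0
    for record in spf:
        lookups = 0
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" (pass) is the default
            body = term.lstrip("+-~?")
            name = body.replace("=", ":").split(":")[0].split("/")[0].lower()
            if name == "all":
                all_qualifiers.add(qualifier)
            elif name in LOOKUP_TERMS:
                lookups += 1
            elif name in ("ip4", "ip6") and qualifier == "+":
                network = ipaddress.ip_network(body.split(":", 1)[1], strict=False)
                ip_listed = ip_listed or ip in network
        max_lookups = max(max_lookups, lookups)
    problems = []
    if len(spf) > 1:
        problems.append("multiple SPF records (permerror under RFC 7208)")
    if len(all_qualifiers) > 1:
        problems.append("conflicting 'all' qualifiers: " + " ".join(sorted(all_qualifiers)))
    if max_lookups > 10:
        problems.append("more than 10 DNS-lookup terms in one record")
    if not ip_listed:
        problems.append(f"{sending_ip} is not covered by any ip4/ip6 mechanism")
    return {"spf_count": len(spf), "ip_listed": ip_listed, "problems": problems}

# Constructed sample data: RFC 5737 documentation addresses stand in for the page's masked IPs.
BROKEN = [
    "v=spf1 ip4:192.0.2.10 ~all",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 a -all",
    "v=spf1 ip4:192.0.2.20 ~all",
]
FIXED = ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.20 include:_spf.google.com ~all"]

if __name__ == "__main__":
    for label, records in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_spf(records, "192.0.2.20"))
```

An IP reported as not covered may still be authorized through an include, a or mx mechanism, which only a live DNS evaluation can confirm.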
For complete email authentication, consider adding DKIM and DMARC:
; DKIM record example ("selector" is a placeholder for your DKIM selector name)
selector._domainkey.sender.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
; DMARC record example
_dmarc.sender.com. IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@sender.com"