Trying to diagnose an issue with a recent change in my org's web services platform with the Shopify SPF record.
As of 11/9/2020, a new mail server began sending emails (using domain masquerading) and started getting rejected by our mail security gateway. This mail server does not exist inside the scope of the public documentation for Shopify's published SPF record of "shops.shopify.com":
o7.mailer.shopify.com with public IP address 184.108.40.206
*this new server is also hosted on an IP owned by SendGrid, a separate bulk mailer service that appears to be hosting for Shopify
Prior to this date, e.g. 11/6/2020 and earlier, email was being dispatched by servers using the name format along the lines of smtp1.shopify.com which DO fall into scope of the SPF record. E.g. below
Smtp2.shopify.com with public IP address 220.127.116.11
This has unfortunately resulted in several back-and-forths within my org over who's responsible for the error. What I can say we've tried:
1. Working with our Mail Security gateway to verify and validate the issue
2. Did several message traces and verified our SPF record is indeed configured correctly, and it works fine for other platforms such as SparkPost mail
3. Identified and verified the issue began on 11/9/2020 after a new mailer server began sending email that did not fall in scope of the SPF record published by Shopify
What I don't know:
1. Does Shopify issue serialized SPF records for some clients for dedicated mailer servers? If yes, how do we get that information?
2. We could potentially just whitelist every server as they fall outside of the SPF scope, but this leads to disorganized configurations that eventually break and have to be constantly monitored or maintained. Issues may not be caught for days (which has happened in our past) which is why we transitioned to the SPF include statement instead of manually whitelisting servers.
3. Lastly, if this isn't the right forum, who do we contact to verify, validate, or troubleshoot the issues we're having as I'm not involved in this platform with my organization, and only get brought in to solve technical challenges as they relate to networking.
If any information needs to be clarified, please feel free to leave feedback.
I believe I found the issue - after fiddling with message traces for the bounced domain records originating from *@mailer.shopify.com, I decided to try looking up an SPF record for this domain and found that it includes a lookup that redirects to a SendGrid SPF record, which subsequently covers the netblock scope of the mailer servers we were experiencing issues with.
Updated SPF record for Shopify is:
v=spf1 include:shops.shopify.com include:mailer.shopify.com
Why the second include statement for the SPF record isn't covered in any documentation is beyond me, as it is a valid record and does appear to solve our issues. Hope this may help others.
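To make the diagnosis above reproducible offline, here is an added example (not code from the thread or from Shopify) of a minimal SPF evaluator that walks nested include: terms, checks a sender IP against ip4:/ip6: mechanisms, and enforces the 10-lookup limit from RFC 7208. All domain names and records in the ZONE table are constructed placeholders that mirror the thread's layout (an "org.example" record with only the shops include, an updated one that adds the mailer include, and a mailer record that includes a bulk-mailer provider's netblocks); it does not implement a/mx/ptr/exists or the redirect= modifier.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (not real
# Shopify or SendGrid records). Names are hypothetical placeholders.
ZONE = {
    "org.example":            "v=spf1 include:shops.shop.example -all",
    "org-updated.example":    "v=spf1 include:shops.shop.example include:mailer.shop.example -all",
    "shops.shop.example":     "v=spf1 ip4:192.0.2.0/24 -all",
    "mailer.shop.example":    "v=spf1 include:spf.bulkmailer.example -all",
    "spf.bulkmailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "loop.example":           "v=spf1 include:loop.example -all",  # self-include: exhausts lookups
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/a/mx/ptr/exists/redirect cap
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check(ip, domain, lookups=None):
    """Evaluate ip against domain's SPF record.

    Returns (result, dns_lookups_used); result is one of pass, fail,
    softfail, neutral, none (no record) or permerror (lookup limit hit).
    """
    if lookups is None:
        lookups = [0]  # shared counter across the whole include tree
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qualifier], lookups[0]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # Version mismatch (v4 addr vs ip6 network) simply yields no match.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qualifier], lookups[0]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check(ip, arg, lookups)
            if sub == "permerror":
                return "permerror", lookups[0]
            if sub == "pass":  # include matches only when the child passes
                return QUALIFIER[qualifier], lookups[0]
    return "neutral", lookups[0]
```

Running check() for a bulk-mailer IP against the original record gives fail, while the updated record with the second include gives pass after three lookups; the self-including record shows the permerror a deeply nested include chain produces.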
So, looking further into my records I found out I already included one that covered such IP address, still validation is failing. I don't know why. Additionally, I just found out such IP address is actually reported in some spam lists: