I am using a static floating IP address with the DNS and reverse DNS name mail-egress.example.com. Networking is configured so that all egress traffic from Stalwart is sent using this egress IP.
I configured Stalwart to use mail-egress.example.com as the EHLO hostname and for submitting reports.
I switched to Stalwart automatic DNS management and it now generates:
mail.example.com. IN TXT "v=spf1 a -all"
example.com. IN TXT "v=spf1 mx -all"
However, I think it needs to use mail-egress.example.com in the SPF record:
mail.example.com. IN TXT "v=spf1 a:mail-egress.example.com -all"
Based on my research into the source code, I can give you a clear picture of what’s happening and what your options are.
The automatic SPF record generation in Stalwart is hardcoded to produce exactly the two records you’re seeing:
v=spf1 a -all on the MX hostname(s) (authorizing the A record of that hostname)
v=spf1 mx -all on the apex domain (authorizing whatever the MX points to)
There is currently no configuration knob to inject a custom a:mail-egress.example.com mechanism into the auto-generated SPF record. The generator simply looks up the domain’s MX records and builds those two fixed strings.
Your practical options:
1. Remove spf from publishRecords on the Domain object. This tells Stalwart to stop auto-managing SPF, leaving all other record types (DKIM, DMARC, MX, etc.) under automatic management. You then publish your custom SPF records manually.
2. Keep automatic management for everything else, but ensure your EHLO/egress hostname resolves via the MX or A record that Stalwart already emits in the SPF. If mail.example.com (your MX target) has an A record pointing to mail-egress.example.com’s IP, then v=spf1 a -all on mail.example.com already authorizes that IP – the hostname itself doesn’t need to appear in the SPF record, only the IP does.
Option 2 may actually already work if the A record for your MX hostname (mail.example.com) resolves to the egress IP. You can verify with an SPF validator.
If option 1 is the right path, go to your Domain object in the WebUI, edit the publishRecords list, and remove spf from it. You can then publish v=spf1 a:mail-egress.example.com -all manually.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
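The check behind option 2 in the reply above, as an added example that is not part of the thread or of Stalwart's code: a small evaluator for the a, mx and all mechanisms, run against the three records quoted in this topic. The zone contents and both IP addresses are constructed (documentation ranges), and `make_zone`, `spf_check` and `compare` are names made up for this example.

```python
# Added example: SPF evaluation over constructed DNS data (no network access).
EGRESS_IP = "192.0.2.25"      # constructed: address of mail-egress.example.com
INGRESS_IP = "198.51.100.7"   # constructed: a different address for the MX host

def make_zone(mx_host_ip):
    """Constructed zone; mx_host_ip is what mail.example.com resolves to."""
    return {
        "A": {"mail.example.com": [mx_host_ip],
              "mail-egress.example.com": [EGRESS_IP]},
        "MX": {"example.com": ["mail.example.com"]},
    }

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, domain, sender_ip, zone):
    """Evaluate the a, mx and all mechanisms (a subset of RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        # A bare "a" or "mx" refers to the domain that published the record.
        target = (arg or domain).rstrip(".").lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "a":
            hosts = [target]
        elif name == "mx":
            hosts = zone["MX"].get(target, [])
        else:
            raise ValueError(f"mechanism not handled here: {term}")
        # SPF compares addresses only; the sending host's own name is never used.
        if any(sender_ip in zone["A"].get(h, []) for h in hosts):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term

def compare(mx_host_ip):
    """Results for the two generated records and the hand-written one."""
    zone = make_zone(mx_host_ip)
    manual = "v=spf1 a:mail-egress.example.com -all"
    return {
        "generated_host": spf_check("v=spf1 a -all", "mail.example.com", EGRESS_IP, zone),
        "generated_apex": spf_check("v=spf1 mx -all", "example.com", EGRESS_IP, zone),
        "manual_host": spf_check(manual, "mail.example.com", EGRESS_IP, zone),
    }

if __name__ == "__main__":
    print("mail.example.com on the egress IP:", compare(EGRESS_IP))
    print("mail.example.com on another IP:   ", compare(INGRESS_IP))
```

The generated records pass only when mail.example.com resolves to the egress address; when it resolves elsewhere they return fail for mail sent from the egress IP, which is the case where option 1 is needed.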
Your request is noted, but the Help Bot isn’t the right channel for feature requests. Please post a dedicated feature request topic in the appropriate category on this forum, where the maintainers and community can discuss and prioritize it.