Do not send email if SPF record is not setup correctly

src/cloudron.js

@@ -321,8 +321,8 @@ function addDnsRecords(callback) {
         { subdomain: '', type: 'A', value: sysinfo.getIp() },
         // webadmin domain
         { subdomain: 'my', type: 'A', value: sysinfo.getIp() },
-        // softfail all mails not from our IP. Note that this uses IP instead of 'a' should we use a load balancer in the future
-        { subdomain: '', type: 'TXT', value: '"v=spf1 ip4:' + sysinfo.getIp() + ' ~all"' },
+        // softfail all mails not from our domain
+        { subdomain: '', type: 'TXT', value: '"v=spf1 a:' + config.fqdn() + ' ~all"' },
         // t=s limits the domainkey to this domain and not it's subdomains
         { subdomain: DKIM_SELECTOR + '._domainkey', type: 'TXT', value: '"v=DKIM1; t=s; p=' + publicKey + '"' },
         // DMARC requires special setup if report email id is in different domain

src/mailer.js

@@ -28,6 +28,7 @@ var assert = require('assert'),
     config = require('./config.js'),
     debug = require('debug')('box:mailer'),
     digitalocean = require('./digitalocean.js'),
+    dns = require('dns'),
     docker = require('./docker.js').connection,
     ejs = require('ejs'),
     nodemailer = require('nodemailer'),
@@ -66,14 +67,30 @@ function uninitialize(callback) {
 }
 
 function checkDns() {
-    digitalocean.checkPtrRecord(sysinfo.getIp(), config.fqdn(), function (error, ok) {
-        if (error || !ok) {
-            debug('PTR record not setup yet');
-            gCheckDnsTimerId = setTimeout(checkDns, 10000);
+    dns.resolveTxt(config.fqdn(), function (error, records) {
+        if (error) {
+            debug('checkDns: DNS error looking up TXT records for %s', config.fqdn(), error);
+            gCheckDnsTimerId = setTimeout(checkDns, 60000);
             return;
         }
 
-        gDnsReady = true;
+        var allowedToSendMail = false;
+
+        for (var i = 0; i < records.length; i++) {
+            var value = records[i][0];
+            if (value.indexOf('v=spf1 ') !== 0) continue; // not SPF
+
+            allowedToSendMail = value.indexOf('a:' + config.fqdn()) !== 0;
+            break; // only one SPF record can exist (https://support.google.com/a/answer/4568483?hl=en)
+        }
+
+        if (!allowedToSendMail) {
+            debug('checkDns: SPF records disallow sending email from cloudron. %j', records);
+            gCheckDnsTimerId = setTimeout(checkDns, 60000);
+            return;
+        }
+
+        debug('checkDns: commencing mail processing');
         processQueue();
     });
 }