SPF problem?

cnisvcs

Perch
My domain is used for Joe-jobbing. Basic research indicated activation of SPF as a possible remedy. I followed HSphere instructions and activated SPF for the problematic domain. A couple of weeks later I still see a number of bounced messages, definitely not sent from my accounts. I did more thorough research and came up with interesting results.

On my domain the DNS TXT record for Sender Policy Framework is:

v=spf1 a mx -all

which, based on SPF: SPF Record Syntax, means that only messages sent by mail servers with IP addresses listed in MX or A records are legitimate for the given domain.

On my domain there is only one MX record for server: gw-mail.my_service_domain.com resolving to 204.10.107.118. There are two A records, both listing ip 204.10.108.1 of the web server. There is also one CNAME record: mail.my_service_domain.com resolving to 204.14.107.1. That is actual mail server running smtp process, because messages sent from my accounts contain this line:

Received: from mail.m****here.biz ([204.14.107.1]).

Here is what I don't understand: If the IP address of my sending mail server is listed in neither the MX nor the A records, how come my emails are still being delivered? Are the receiving servers not checking SPF? Or perhaps the CNAME record is treated like the A record? Can someone shed some light on this??
 
Many mailservers don't outright refuse mail even on a Fail result of the SPF record. However, it will usually give your mail a significant spam score, which is not good :p
Because of the DSPAM change, the actual sending IP is no longer listed as a valid sender.

There are a few possible solutions:
  • Add a custom A record smtp.your-service-domain.com that points to 204.14.107.1
  • Switch H-Sphere SPF to "neutral" setting (not so good)
  • Disable H-Sphere management of the SPF record and add a custom TXT record with something like "v=spf1 a mx ip4:204.14.107.1 -all".
 
I want to add some more information. There is one person I am corresponding with, who has email accts hosted by hostingdude.com. Each time I respond to his message I get this:

Connected to 64.202.166.12 but sender was rejected.
Remote host said: 554 refused mailfrom because of SPF policy

It became too annoying to cope with, so I made some changes in my DNS records: added an A record pointing to the smtp mail server, then switched SPF to neutral, then turned SPF off, and my messages were still bouncing back. This is when I realized that even though the changes I make through the HSphere control panel are recorded instantaneously in the DNS zone file, they are not visible to the rest of the world for another 2-3 hours (probably due to some kind of caching somewhere along the way). I confirmed that by doing the lookup on dnsreport.com - sure enough - it was still showing the state before any of my changes. So I disabled SPF, waited a couple of hours, checked with dnsreport.com that SPF is disabled and tried emailing the problematic account: message went through. Then I included my own custom txt record (as per SubSpace advice - thank you SubSpace):

v=spf1 a mx ip4:204.14.107.1 -all

waited another couple of hours until dnsreport.com showed that the change went through and tested hostingdude account - worked OK.

There are two morals to this story:

1. Changes you make in your DNS zone file are visible to the world in some time (couple hours in my particular case), not right away. And you are better off checking if they went through with dnsreport.com before running any tests.

2. I have a bad feeling that, due to the introduction of DSPAM to the JodoHost email system, the default SPF DNS record entered by HSphere (v=spf1 a mx -all) is actually incorrect, because the IP of the sending mail server is not listed in MX or A records. This is something I would like to ask Stephen or Yash for their opinion. And lastly, I don't think this is a big deal, because most receiving mail servers either don't check SPF, or when they deal with a case like mine - the SPF check results in error and the message is let into the mailbox anyways, perhaps with a higher spam score.

Again, many thanks to SubSpace for valuable input.
 
I would recommend against SPF if you are not aware of it completely. You may easily end up losing mails, as I have seen quite a few mailservers that simply refuse to accept these mails instead of using them to add spam score. You even need to list in your SPF record possible external IPs that are used to send out mails using your domain name. Like a payment gateway sending payment confirmation emails in your name. Or even if you are using your ISP's SMTP and the From address includes your domain name.
That being said, the issue will be fixed with the introduction of Hsphere 3.0, which will create the SPF record correctly and allow us more customization.
Or you can always use below SPF record that should work in most cases:
v=spf1 a mx ptr:my hsphere.biz -all
(remove space between my and hsphere.biz)
 
I was thinking about activating SPF on all mail accounts. So you recommend not to do it? Do you have any guide for dummies on the use of SPF to understand the implications thoroughly?
If you only use the addresses to send mails through the correct SMTP can this still cause troubles?

Thank you very much.
 
If you only use the JodoHost mailserver, it shouldn't cause any problems no.

I think what Tanmaya was referring to is that it's easy to overlook the odd (likely automated) e-mail that might be sent from an unlisted machine.

Also, quite a few ISPs also block access to SMTP servers other than their own, which might prevent you from using the JodoHost server under some circumstances. Most of them block only port 25, but I'm sure some of the more annoying ones have taken up blocking 587 as well :rolleyes:

I'm not sure if I personally agree with Tanmaya's suggestion to completely disable SPF though. If you know that sometimes other servers will send mail from your domain, set the SPF setting to "Neutral" in H-Sphere. Some mail systems give a (low) spam score just for the fact that a SPF record is not present.
 
I was thinking about activating SPF on all mail accounts. So you recommend not to do it? Do you have any guide for dummies on the use of SPF to understand the implications thoroughly?
If you only use the addresses to send mails through the correct SMTP can this still cause troubles?

If you are using only our mail servers to send mails, you can add below DNS txt record and you should be fine:
v=spf1 a mx ptr:my hsphere.biz -all
(remove space between my and hsphere.biz)

If you want to use your ISP's SMTP and still use your email as sender, it may look like:
v=spf1 a mx ptr:my hsphere.biz ip4:<ISP's-SMTP-IP> -all

If any third party SMTP sends mails using your domain (like payment gateways), ask for their SMTP IP(s) or subnet. Just use their IP or subnet in the SPF record:
v=spf1 a mx ptr:my hsphere.biz ip4:<third party-SMTP-IP> -all

This is just a brief and very strict example of SPF usage.
For better overall understanding, please visit:
Sender Policy Framework - Wikipedia, the free encyclopedia
SPF: Project Overview

I think what Tanmaya was referring to is that it's easy to overlook the odd (likely automated) e-mail that might be sent from an unlisted machine.
Yes.

I'm not sure if I personally agree with Tanmaya's suggestion to completely disable SPF though. If you know that sometimes other servers will send mail from your domain, set the SPF setting to "Neutral" in H-Sphere. Some mail systems give a (low) spam score just for the fact that a SPF record is not present.

You are right. Now if you notice, to know what is "neutral", one must understand SPF. 99% of times, SPF is just enabled without understanding it. All I'm asking is to have a quick look at your needs (as easy as following a wizard at openspf.org) or follow a small precaution to not have mails bounced (I know it is not common). I sure don't mean to disable SPF but to know it better and make good use of it. Anything that may help against spam is my friend and some education never hurts. Isn't it? :)
 
Tanmaya the "v=spf1 a mx ?all" record that gets added automatically when you enable SPF would be the same as "v=spf1 a mx ptr:my hsphere.biz -all" that you specified above?

Thank you!
 
They are not the same, no.

The first one means:
["a mx", short for "+a +mx"] Any server that is referenced through an A or MX record is definitely a legitimate sender for the domain (these mails might get a slight negative spam score, to make it less likely to be marked as spam)
["?all"] Any other machine (not referenced through an A or MX record) should be treated as neutral. That is, no claims are made about its validity as a mail source for this domain. Software might treat mail from such machines as if there wasn't an SPF record for the domain (no spam score or maybe very slightly positive, mail 'should' be accepted).

The second one means:
["a mx", short for "+a +mx"] Any machine referenced by an A or MX record is a valid sender.
["ptr:my hsphere.biz"] Any IP that reverse resolves to a hostname containing my hsphere.biz (no space) is a valid sender (JodoHost IPs will resolve back to this domain, unless you use a dedicated IP and apply for rDNS). So in effect, the example makes any JodoHost server a valid sender for your domain.
["-all"] Any other machine (No A or MX record in your domain, no my hsphere.biz hostname) is not allowed to send mail for this domain. This means that if you attempt to send mail using your ISP's mailserver, this mail is likely to be outright rejected or at the very least get a significant spam score.

SPF: SPF Record Syntax
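
The difference between the records discussed in this thread, as an added example that is not part of any post: an evaluator for the `a`, `mx`, `ip4` and `all` mechanisms, run against constructed zone data. The placeholder domain `example.test` and the `ZONE` table are assumptions built from the addresses quoted in the first post; a real checker resolves them through DNS and also handles `ptr`, `include` and the other mechanisms.

```python
import ipaddress

# Constructed zone data modelled on the addresses quoted in the thread;
# "example.test" is a placeholder for the poster's domain.
ZONE = {
    "a": {"example.test": ["204.10.108.1"]},
    "mx": {"example.test": ["gw-mail.example.test"]},
    "host": {"gw-mail.example.test": ["204.10.107.118"]},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(name, arg, sender_ip, domain):
    """Return True if one SPF mechanism matches the connecting IP."""
    ip = ipaddress.ip_address(sender_ip)
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain
    if name == "a":
        return sender_ip in ZONE["a"].get(target, [])
    if name == "mx":
        hosts = ZONE["mx"].get(target, [])
        return any(sender_ip in ZONE["host"].get(h, []) for h in hosts)
    raise ValueError(f"unsupported mechanism: {name}")


def check_spf(record, sender_ip, domain="example.test"):
    """Evaluate terms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        body = term[1:] if term[0] in RESULTS else term
        name, _, arg = body.partition(":")
        if mechanism_matches(name, arg, sender_ip, domain):
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term


SENDER = "204.14.107.1"  # IP from the Received: header in the first post
if __name__ == "__main__":
    for rec in ("v=spf1 a mx -all", "v=spf1 a mx ?all",
                "v=spf1 a mx ip4:204.14.107.1 -all"):
        print(f"{rec!r:45} -> {check_spf(rec, SENDER)}")
```
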
 