5

I have a dedicated server with a survey system running on a subdomain. The parent domain is hosted on another server. I send email via Google Apps.

Reverse DNS is correct.

Without SPF and DKIM, the very smart 'check-auth@verifier.port25.com' returns a SpamAssassin score of ca. 0.

But with a passing SPF record and this summary

SPF check:          pass
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    pass
SpamAssassin check: ham

I get a quite high SpamAssassin score of ca. 3 - due to the header being very big:

pts rule name              description
---- ---------------------- --------------------------------------------------
3.1 SINGLE_HEADER_2K       A single header contains 2K-3K characters
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low
                       trust

So my question is: it seems from this that I should delete the SPF record, since a large header is deemed worse than a valid SPF?

Or is it my SPF which is wrong?

v=spf1 a mx ptr ip4:xxx.xx.xxx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all

The xxx IP is for the server with the TLD; the yyy IP is the server where the subdomain is hosted.

Below a part of the header:

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: smtp.mailfrom=andreas@mydomain.dk
DNS record(s):
mydomain.dk. SPF (no records)
mydomain.dk. 400 IN TXT "v=spf1 a mx ptr ip4:xxx.xx.xxx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all"
mydomain.dk. 360 IN A xxx.xx.xxx.xx
mydomain.dk. 41895 IN MX 10 aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt2.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt1.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 30 aspmx2.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx3.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx4.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx5.googlemail.com.
aspmx.l.google.com. 217 IN A 74.125.115.27
alt2.aspmx.l.google.com. 204 IN A 209.85.229.27
alt1.aspmx.l.google.com. 248 IN A 209.85.229.26
aspmx2.googlemail.com. 1036 IN A 74.125.43.27
aspmx3.googlemail.com. 1658 IN A 74.125.127.27
aspmx4.googlemail.com. 863 IN A 209.85.229.27
aspmx5.googlemail.com. 921 IN A 74.125.157.27
174.160.85.209.in-addr.arpa. 86400 IN PTR mail-gy0-f174.google.com.
mail-gy0-f174.google.com. 86400 IN A 209.85.160.174
mydomain.dk. 41895 IN MX 10 aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt2.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 20 alt1.aspmx.l.google.com.
mydomain.dk. 41895 IN MX 30 aspmx2.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx4.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx5.googlemail.com.
mydomain.dk. 41895 IN MX 30 aspmx3.googlemail.com.
aspmx.l.google.com. 217 IN A 74.125.115.27
alt2.aspmx.l.google.com. 204 IN A 209.85.229.27
alt1.aspmx.l.google.com. 248 IN A 209.85.229.26
aspmx2.googlemail.com. 1036 IN A 74.125.43.27
aspmx4.googlemail.com. 863 IN A 209.85.229.27
aspmx5.googlemail.com. 921 IN A 74.125.157.27
aspmx3.googlemail.com. 1658 IN A 74.125.127.27
_spf.google.com. SPF (no records)
_spf.google.com. 206 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

Again, I have crossed out my own IPs, and the rest I guess is Google's?

What should I do now? Should I delete the SPF record, or can I change it somehow to get a smaller header that still works?

sysadmin1138
Andreas
  • OK: this SPF record also validates: 'v=spf1 ip4:xxx.xx.xx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all' and it doesn't create a SpamAssassin alarm. As you can see, I simply removed the 'a mx ptr' from the non-Google IPs... Will this be a problem? – Andreas Nov 07 '11 at 17:32

3 Answers

6

SPF shouldn't be causing a header to be added. Something else should be doing this. Look at your headers for some segment where there are lots of lines in a row which are indented (continuation lines). This will be your problem header.

As you are using ~all, your SPF record won't be that effective. You are better off coming up with a policy which will enable you to end your SPF record with '-all'. See my comments on Securing your Email Reputation with SPF.

BillThor
  • Thanks: Note that I used Google Apps to send a standard email to check-auth@verifier.port25.com. So I can't see what else, if not SPF, is making the difference? Right now I am waiting to see what happens with this SPF: 'v=spf1 ip4:xxx.xx.xx.xx include:_spf.google.com ip4:yy.yy.yy.yyy ~all' (removed an 'mx') – Andreas Nov 07 '11 at 18:19
  • Send an e-mail to any of **your** addresses, receive it and look at the headers – Lazy Badger Nov 07 '11 at 19:46
  • Okay - when I send an email to myself - not port25.com - I really have a small header. Don't know what's going on at port25 - but I'll investigate further tomorrow. Then I'll get back here and award some karma to you good people :-). – Andreas Nov 08 '11 at 12:43
  • I believe port25 returns your message. Check the message returned from port25. I believe port25 adds headers, and one of these may be the problem header. If so, don't sweat it. – BillThor Nov 09 '11 at 22:41
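A way to review the record from the question against the points raised in the answer above (added example, not code from the thread). It checks only the record's own terms offline; the finding texts and the `lint_spf` name are this example's, while the two records are copied from the question and the asker's comment.

```python
import re

# Terms that each cost a DNS query during evaluation; RFC 7208 section 4.6.4
# caps these at 10 per check, counting terms inside include'd records too.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:/].*)?$")

# Records as posted in the question and in the asker's follow-up comment
# (the addresses are masked there as well).
ORIGINAL = "v=spf1 a mx ptr ip4:xxx.xx.xxx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all"
TRIMMED = "v=spf1 ip4:xxx.xx.xx.xx mx include:_spf.google.com ip4:yy.yy.yy.yyy ~all"


def lint_spf(record):
    """Return the lookup count, the qualifier on 'all', and hygiene findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "all": None, "findings": ["does not start with v=spf1"]}
    seen, findings, lookups, all_q, redirect = set(), [], 0, None, False
    for term in (t.lower() for t in terms[1:]):
        if term in seen:
            findings.append(f"duplicate term: {term}")
        seen.add(term)
        if "=" in term:  # modifier such as redirect= or exp=
            if term.startswith("redirect="):
                redirect, lookups = True, lookups + 1
            continue
        m = TERM.match(term)
        if not m:
            findings.append(f"unparsable term: {term}")
            continue
        qualifier, name = m.group(1) or "+", m.group(2)
        lookups += name in LOOKUP_TERMS
        if name == "ptr":
            findings.append("ptr: slow and unreliable; RFC 7208 says not to publish it")
        if name == "all":
            all_q = qualifier
    if all_q is None and not redirect:
        findings.append("no 'all' term: unmatched senders get a neutral result")
    elif all_q is not None and all_q != "-":
        findings.append(f"{all_q}all: unauthorised senders are not hard-failed")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceeds the limit of 10")
    return {"lookups": lookups, "all": all_q, "findings": findings}


if __name__ == "__main__":
    for rec in (ORIGINAL, TRIMMED):
        print(rec, lint_spf(rec), sep="\n  ")
```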
3

You do not need the full verbose list of all mail exchangers - You probably have a higher-than-necessary level of debugging set somewhere that is causing some part of your mail chain to include this.

Determine which part of your mail chain is adding this header.
Then make it stop. :-)

voretaq7
  • OK :-) - I'll try to change my spf record :-) – Andreas Nov 07 '11 at 17:29
  • 1
    @Andreas - you're misunderstanding the problem. Your SPF record is fine (with some caveats - see BillThor's answer). Some part of your mail chain is inserting this header (probably because it is in debug mode). THAT is what you need to fix - Removing the SPF record is just going to mask the problem – voretaq7 Nov 07 '11 at 19:12
  • Thanks - but seriously - what part of my email chain could that be? I am just sending this from my Google Apps account? Nothing fancy at all... But I guess that maybe port25.com is in debug mode... – Andreas Nov 07 '11 at 19:16
  • Without knowing your setup (what servers mail goes through, what SMTP daemons, AV programs, spam filters, etc.) I couldn't even hazard a guess. Like @BillThor said, the name of the long header may give you some idea as to what is adding it to your message. – voretaq7 Nov 07 '11 at 19:23
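Both answers above come down to finding which header is the long one. The following is an added example, not code from the thread: it groups continuation lines under their header and reports any header of 2048 characters or more. The sample message and the `X-Example-Auth-Debug` header name are constructed, the threshold is taken from the rule description quoted in the question, and counting characters across the folded lines is an assumption about how the rule measures length.

```python
# Constructed sample message (not from the thread): a short folded Received
# header plus a hypothetical verbose debug header spanning 61 lines.
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    "\tby mx.example.org with ESMTP id abc123\r\n"
    "From: sender@mydomain.example\r\n"
    "To: check@verifier.example\r\n"
    "Subject: test\r\n"
    "X-Example-Auth-Debug: verbose\r\n"
    + "\tmydomain.example. 3600 IN MX 10 mx.example.net.\r\n" * 60
    + "\r\nbody text\r\n"
)


def header_sizes(raw):
    """Return (name, line_count, char_count) per header, largest first."""
    # The header block ends at the first empty line.
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []  # each entry: [name, line_count, char_count]
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            # Continuation line: belongs to the header started above it.
            headers[-1][1] += 1
            headers[-1][2] += len(line)
        elif ":" in line:
            headers.append([line.split(":", 1)[0], 1, len(line)])
    return sorted((tuple(h) for h in headers), key=lambda h: h[2], reverse=True)


def oversized(raw, limit=2048):
    """Headers whose total length reaches the limit."""
    return [h for h in header_sizes(raw) if h[2] >= limit]


if __name__ == "__main__":
    for name, lines, chars in header_sizes(SAMPLE):
        flag = "  <-- over 2K" if chars >= 2048 else ""
        print(f"{chars:6d} chars {lines:3d} lines  {name}{flag}")
```

Run it on the raw source of the message as it arrives in your own mailbox and on the copy returned by the checking service; a header that appears only in the latter was added after the message left your mail chain.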
0

Not sure if your question has already been answered elsewhere (it's been a couple months since you've posted this), but I was experiencing the same issue on my Google Apps account. I found that the DKIM signature header was the culprit, and if I had Google stop signing my mail, I got a lower overall SpamAssassin score (even though the DKIM signature was valid, the value of having a valid DKIM signature was outweighed by the penalty for having such a long header in my message).

Thought you might want to check into that. For reference, the DKIM settings for Google Apps are located in the Google Apps Control Panel under Advanced Tools / Authenticate Email / Set up email authentication (DKIM).

Justin Best
  • Only older SA rule sets would catch a valid DKIM header as a "too long" header. I'd advise such sites to update their rule set. – Chris S Jan 25 '12 at 20:36