
Our server has been receiving abuse reports from Hotmail, because of an auth-failure. One of our sending servers has been blacklisted and Hotmail is refusing delisting. We have investigated a lot, and maybe the error on the SPF record might be the cause. But Hotmail isn't providing any useful feedback, apart from 'abuse reports' on another (non-blacklisted) server.

Feedback-Type: auth-failure
User-Agent: XMR/2.2
Version: 1.0
Original-Mail-From: <civibounces@sp.nl>
Arrival-Date: Tue, 29 Sep 2015 22:49:33 -0700
Message-ID: <20150930054907.CCF531814A5@dccivicrm.sp.nl>
Authentication-Results: hotmail.com; spf=permerror (sender IP is 82.94.240.218; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=civibounces@sp.nl; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=sp.nl; x-hmca=none header.id=ledendag@sp.nl
Source-IP: 82.94.240.218
Reported-Domain: sp.nl
DKIM-Domain: sp.nl

But when I test the SPF record (http://tools.bevhost.com/spf/), the combination appears to be valid. So I'm wondering if these are false positives by Hotmail, or if there is something else I'm overlooking.

The diagnostic tool appears to find two(?) identical SPF records:

v=spf1 ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl a:mail2.parlement.nl ip4:164.138.29.230 ~all
SDKKR

1 Answer

I see two records, and worse, they are not identical:

;; ANSWER SECTION:
sp.nl.                  3600    IN      TXT     "v=spf1  ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl a:mail2.parlement.nl ip4:164.138.29.230 ~all"
sp.nl.                  3600    IN      TXT     "v=spf1  ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl a:gazpacho.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl a:mail2.parlement.nl ~all"

I have highlighted the difference that I see. Given that RFC 4408 makes it fairly clear that you should only have one SPF record, I can see how two different records would confuse some receivers.

Work out what should be in your record, and make sure there's only one of it.

And while you're at it, make sure you've listed all your servers, then terminate your record with -all; ~all is completely pointless as an SPF policy, and in some cases worse than useless (some admins here consider it a sign of an actively-spammy sender).

MadHatter
  • This was helpful, thanks! We also discovered a 'Duplicate netblock authorization' in the SPF. With this [diagnostic tool](https://dmarcian.com/spf-survey) - (Still blacklisted though, and waiting for a response from Microsoft). – SDKKR Sep 30 '15 at 09:35
  • Changing the ~all to -all is 'complicated'. As some of our users want their mail forwarded. – SDKKR Sep 30 '15 at 09:41
  • I agree; it's just that SPF is totally pointless if you *don't*. No one cares which servers *should* send mail from you; we want to know which ones *shouldn't*, so we can reject it. You have to indicate that you have confidence in the completeness of your record by setting `-all`. If that requires changing your users' behaviour, then it's time to start doing so - or don't bother with SPF, and save yourself some hassle. – MadHatter Sep 30 '15 at 09:43
  • ~all is good in staged deployment if you are using dmarc to control reject vs quarantine, most forwarders ignore SPF anyway – Jacob Evans Oct 01 '15 at 04:05
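The answer's point (two different `v=spf1` TXT records produce a permerror, which is exactly what the Hotmail `Authentication-Results` header reports) and the follow-up comments about duplicate netblock authorizations and `~all` versus `-all` can all be checked offline. The script below is an added example, not code from the original poster or from any of the tools mentioned above. It embeds the two records copied from the dig output in the answer, runs the checks discussed on this page over them (record count per RFC 7208 section 4.5, DNS-lookup mechanism budget of 10 per section 4.6.4, overlapping `ip4`/`ip6` netblocks, and the qualifier on `all`), and returns a list of problems. Overlap between an `a`/`mx` mechanism and an `ip4` block is not detected because that needs DNS resolution; the `audit_domain` and `audit_record` names and the problem wording are this example's own.

```python
"""SPF sanity checks run over the TXT records quoted in the answer above.

Added example for this page; it is not the original poster's code or any
vendor tool.  It works offline: the records are embedded rather than queried.
"""
import ipaddress
import re

# The two TXT records quoted in the answer (copied from the dig output; the
# double space after v=spf1 is as published).
SP_NL_TXT = [
    "v=spf1  ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl "
    "a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl "
    "a:mail2.parlement.nl ip4:164.138.29.230 ~all",
    "v=spf1  ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl "
    "a:gazpacho.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl "
    "a:mail1.parlement.nl a:mail2.parlement.nl ~all",
]

# Mechanisms that each cost a DNS lookup; RFC 7208 section 4.6.4 caps the
# total (together with the redirect modifier) at 10 per evaluation.
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
MAX_LOOKUPS = 10

# qualifier (optional) + mechanism/modifier name + optional argument after : = or /
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?$")


def spf_records(txt_records):
    """Return only the TXT strings that are SPF records (case-insensitive v=spf1 tag)."""
    return [r for r in txt_records if r.lower().startswith("v=spf1")]


def parse_terms(record):
    """Split one SPF record into (qualifier, name, argument) tuples, skipping the version tag."""
    terms = []
    for token in record.split()[1:]:
        match = TERM_RE.match(token)
        if not match:
            raise ValueError(f"unparseable SPF term: {token!r}")
        qualifier = match.group(1) or "+"  # RFC 7208: missing qualifier means '+'
        terms.append((qualifier, match.group(2).lower(), match.group(3)))
    return terms


def audit_record(record):
    """Checks on a single record: lookup budget, terminal qualifier, overlapping netblocks."""
    lookups = 0
    all_qualifier = None
    networks = []
    for qualifier, name, argument in parse_terms(record):
        if name in LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1
        elif name in ("ip4", "ip6") and argument:
            # A bare address such as ip4:164.138.29.230 becomes a /32 host network.
            networks.append(ipaddress.ip_network(argument, strict=False))
        elif name == "all" and all_qualifier is None:
            all_qualifier = qualifier  # only the first 'all' ever matches
    overlapping = []
    for index, first in enumerate(networks):
        for second in networks[index + 1:]:
            if first.version == second.version and first.overlaps(second):
                overlapping.append((str(first), str(second)))
    return {"lookups": lookups, "all_qualifier": all_qualifier,
            "overlapping_netblocks": overlapping}


def audit_domain(txt_records):
    """Return human-readable problems for a domain's full TXT record set."""
    problems = []
    records = spf_records(txt_records)
    if len(records) > 1:
        # RFC 7208 section 4.5: more than one v=spf1 record MUST yield permerror,
        # which is the spf=permerror Hotmail reported in the question.
        problems.append(f"multiple SPF records ({len(records)}): receivers return permerror")
    for record in records:
        result = audit_record(record)
        if result["lookups"] > MAX_LOOKUPS:
            problems.append(f"too many DNS-lookup mechanisms ({result['lookups']} > {MAX_LOOKUPS}): permerror")
        if result["all_qualifier"] is None:
            problems.append("no 'all' mechanism: unmatched senders get a neutral result")
        elif result["all_qualifier"] != "-":
            problems.append(f"record ends with {result['all_qualifier']}all rather than -all")
        for first, second in result["overlapping_netblocks"]:
            problems.append(f"duplicate/overlapping netblock authorization: {first} and {second}")
    return problems


if __name__ == "__main__":
    for line in audit_domain(SP_NL_TXT):
        print(line)
```

Run against the two published records it reports the duplicate-record permerror and the `~all` ending on each record; the lookup counts (8 and 9) stay under the limit but are close enough that adding a few more `a:` hosts would tip the record into a second kind of permerror, which is why consolidating hosts into `ip4:` blocks, as the comments' "work out what should be in your record" advice implies, is the safer direction.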