
HOW TO: resolving SPF failures

 
HOW TO: resolving SPF failures - 28.Feb.2008 9:24:19 AM   
joestern

 

Posts: 279
Joined: 18.Sep.2003
From: Philadelphia, PA
Status: offline
Scenario: A trusted sender's e-mail is frequently getting stuck in the spam filter, despite sending from a whitelisted address.

Problem: GFI's SPF module is catching the mail. This is confirmed by logging.

Resolution:

Confirm the SPF failure
  1. Open the undelivered EML file using Outlook Express or Windows Live Mail client
  2. Go to File | Properties | Details to examine the message headers. They will resemble the following:
    quote:

    X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0w
    X-Message-Status: n:0
    X-SID-PRA: tickets@amtrak.com
    X-SID-Result: Pass
    X-Message-Info: R00BdL5giqp3aMGvVWevAm69Jf8ch420394M5Gl9DGd0IZk6hN5mNNEinDCMzNp6pYBG3MN+qXALtZgS3clY60dw6vlBzJZE
    Received: from mssdns46.ins.amtrak.com ([198.212.199.45]) by bay0-mc12-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
    Sun, 3 Feb 2008 06:12:56 -0800
    Received: from mssibap52p (mssibap52p.ins.amtrak.com [172.30.120.52])
    by mssdns46.ins.amtrak.com (8.13.7+Sun/8.13.7/DZ8.13.6 Amtrak Test Network Mail Server) with ESMTP id m13ECu2r005093
    for <luckyguy@yourcompany.com>; Sun, 3 Feb 2008 09:12:56 -0500 (EST)
    Message-ID: <16157949.1202047976741.JavaMail.ibadmin@mssibap52p>

  3. Identify the sender's address (in this example, tickets@amtrak.com) and the first IP address listed in the headers (198.212.199.45)
  4. Go to http://www.kitterman.com/spf/validate.html and get the SPF record for the domain (v=spf1 ip4:198.212.199.45 mx ?all).
  5. Copy that SPF record to your clipboard, then return to the SPF checking tool
  6. Test the SPF record (the third form group on the page) and plug in the IP address, the SPF record and the mail from address to find out whether the message fails.

Notify the proper people of your discovery 

I look up the company's WHOIS information at https://secure.registerapi.com/services/whois.php and look for a technical contact e-mail and send them the information gathered in the steps above. It usually takes the form of this:
quote:

To Whom It May Concern:
An e-mail message from sender@company.com was trapped by our spam filter for problems with SPF. SPF is an authentication measure to ensure that e-mail purporting to be from company.com is authentic and not forged. The message in question was sent from IP address 14.2.22.7 but your SPF record hosted in DNS says that the only authorized mail server for your company has an address of 14.2.22.25.

[note: if the sending address is wildly different from the SPF record, but it's clearly a legitimate e-mail, then it may be a laptop user connecting from a coffee shop. This represents a different kind of problem.] 

You can learn more about how to set up an SPF record, including an easy-to-use wizard, at http://www.openspf.org/

You should fix this problem as soon as possible, as it's likely that a lot of your company's e-mail is ending up stuck in spam filters everywhere.


You may want to cc the original sender and the original recipient at your company on this message so they know it's not you that's preventing them from communicating.

Add the sender to your IP Whitelist
 
Finally, you may choose to add the sender's IP address to the IP Whitelist in MailEssentials. At that point it becomes officially not your problem. However, it's likely that you'll be the first good Samaritan to explain to a poor, confused SMB e-mail administrator exactly why so much of his or her e-mail is going to spam filters, and he or she will lean on you for help. You may want to hold off on adding the IP address to the whitelist so you can help them troubleshoot their problem.

- Joe Stern
Philadelphia, PA


Post #: 1
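Editor's added example (not part of the original post and not GFI's code): steps 3 to 6 above done offline in Python, pulling the connecting IP from the topmost Received header and evaluating it against the SPF record quoted in step 4. It handles only the ip4, mx and all mechanisms; MX_ADDRS is a constructed stand-in for the DNS lookup a live checker performs, and the function names are this example's own.

```python
import ipaddress
import re

# Header lines copied from the post's sample message (continuation lines omitted).
SAMPLE_HEADERS = """\
X-SID-PRA: tickets@amtrak.com
Received: from mssdns46.ins.amtrak.com ([198.212.199.45]) by bay0-mc12-f9.bay0.hotmail.com
Received: from mssibap52p (mssibap52p.ins.amtrak.com [172.30.120.52])
"""
# Constructed stand-in for the MX lookup a live checker would perform (assumption).
MX_ADDRS = {"amtrak.com": ["198.212.199.45"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def first_received_ip(headers):
    """Step 3: bracketed IPv4 address in the topmost Received: header."""
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            return m.group(1) if m else None
    return None

def check_spf(record, client_ip, domain, mx_addrs=MX_ADDRS):
    """Step 6: evaluate ip4, mx and all left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = client_ip in mx_addrs.get(arg or domain, [])
        else:
            raise ValueError(f"term not handled by this sketch: {term}")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and the record has no "all"

if __name__ == "__main__":
    ip = first_received_ip(SAMPLE_HEADERS)
    print(ip, check_spf("v=spf1 ip4:198.212.199.45 mx ?all", ip, "amtrak.com"))
```

With a constructed record matching the notification letter's scenario, `v=spf1 ip4:14.2.22.25 -all`, a message from 14.2.22.7 evaluates to fail; the same record ending in `~all` gives softfail.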
RE: HOW TO: resolving SPF failures - 20.Apr.2009 1:38:16 PM   
Ytsejamer1

 

Posts: 136
Joined: 7.Mar.2006
Status: offline
Has anyone had more SPF problems with more and more businesses using Google's mail service to forward their mail?  A few of our clients have and the SPF filter is catching a lot of them.  Verizon also has a mail service for businesses...those have been getting caught as well.

When talking with IT reps at those clients they say we're the only one using this SPF filter.  I have mine set to default/medium.  Any other thoughts on this?

(in reply to joestern)
Post #: 2
RE: HOW TO: resolving SPF failures - 20.Apr.2009 1:51:50 PM   
RSP

 

Posts: 1447
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
It sounds like those IT reps are burying their heads in the sand. SPF has been around for a long time.

I disagree with GFI's recommendation of Medium here, as most IT people bury their heads in the sand when it comes to SPF. Very few understand it, so just don't bother. Of those few, most get it wrong. Therefore Low is better, as it doesn't get as many false-positives due to mis-configured records.

I find that the SPF is best used to stop own-domain spam, but unfortunately it's either on or off for all domains.

(in reply to Ytsejamer1)
Post #: 3
RE: HOW TO: resolving SPF failures - 20.Apr.2009 2:09:08 PM   
Ytsejamer1

 

Posts: 136
Joined: 7.Mar.2006
Status: offline
Hey RSP...thanks for the suggestion.  I was toying with the idea of going to low, but wasn't entirely sure.  Hopefully that helps cut down on those false positives.  It'd be great if every company had their own mail server and IP address for it...but that's not the way it works unfortunately.

Maybe GFI should work with the mail service providers such as Google, Verizon, etc, and develop some type of safe SPF list.  Probably not logistically possible though.

(in reply to RSP)
Post #: 4
RE: HOW TO: resolving SPF failures - 20.Apr.2009 3:36:55 PM   
RSP

 

Posts: 1447
Joined: 31.Oct.2006
From: The East Riding of Yorkshire, UK
Status: offline
quote:

ORIGINAL: Ytsejamer1

Hey RSP...thanks for the suggestion.  I was toying with the idea of going to low, but wasn't entirely sure.

Unfortunately most people use ~all, which is SoftFail and caught by a medium setting.
quote:

It'd be great if every company had their own mail server and IP address for it...but that's not the way it works unfortunately.

That's what the include directive is for, but often not used correctly. I think the SPF specification needs to be updated, as it only provides for 10 lookups which seems inadequate these days.

quote:

Maybe GFI should work with the mail service providers such as Google, Verizon, etc, and develop some type of safe SPF list.  Probably not logistically possible though.

Nice thought, but unlikely to happen. There is the Trusted Forwarder option in the SPF module which is supposed to do just that, but I've found it can be abused resulting in false-negatives.

(in reply to Ytsejamer1)
Post #: 5
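Editor's added example (not from the thread): a Python audit of the 10-lookup limit RSP mentions, counting every DNS-querying term reachable through nested include directives. ZONE is a constructed set of TXT records with hypothetical names, and the count is the worst case, since a real evaluator stops at the first matching mechanism.

```python
# Constructed TXT records standing in for DNS; every name here is hypothetical.
ZONE = {
    "client.example": "v=spf1 mx a include:_spf.mailhost.example "
                      "include:crm.example include:news.example ~all",
    "lean.example": "v=spf1 ip4:192.0.2.10 include:_spf.mailhost.example ~all",
    "_spf.mailhost.example": "v=spf1 include:_nb1.mailhost.example "
                             "include:_nb2.mailhost.example include:_nb3.mailhost.example ~all",
    "_nb1.mailhost.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_nb2.mailhost.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_nb3.mailhost.example": "v=spf1 ip4:198.51.100.128/26 ~all",
    "crm.example": "v=spf1 a mx ~all",
    "news.example": "v=spf1 mx ~all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS query
LIMIT = 10  # RFC 7208 section 4.6.4; exceeding it is a permerror

def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case number of DNS-querying terms, following include and redirect."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    total = 0
    for term in zone[domain].split()[1:]:   # skip the v=spf1 version tag
        term = term.lstrip("+-~?")          # qualifiers do not affect the count
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()   # drop a CIDR suffix such as mx/24
        if name not in LOOKUP_TERMS:
            continue                        # ip4, ip6 and all need no query
        total += 1
        if name == "include":
            total += count_lookups(arg, zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (lookup count, "ok" or "permerror") for a domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")

if __name__ == "__main__":
    for d in ("client.example", "lean.example"):
        print(d, audit(d))
```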