joestern -> HOW TO: resolving SPF failures (28.Feb.2008 9:24:19 AM)
Scenario: A trusted sender's e-mail is frequently getting stuck in the spam filter, despite sending from a whitelisted address.

Problem: GFI's SPF module is catching the mail. This is confirmed by logging.

Resolution:

Confirm the SPF failure
- Open the undelivered EML file using Outlook Express or Windows Live Mail client
- Go to File | Properties | Details to examine the message headers. They will resemble the following:
quote:
X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0w
X-Message-Status: n:0
X-SID-PRA: tickets@amtrak.com
X-SID-Result: Pass
X-Message-Info: R00BdL5giqp3aMGvVWevAm69Jf8ch420394M5Gl9DGd0IZk6hN5mNNEinDCMzNp6pYBG3MN+qXALtZgS3clY60dw6vlBzJZE
Received: from mssdns46.ins.amtrak.com ([198.212.199.45]) by bay0-mc12-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sun, 3 Feb 2008 06:12:56 -0800
Received: from mssibap52p (mssibap52p.ins.amtrak.com [172.30.120.52]) by mssdns46.ins.amtrak.com (8.13.7+Sun/8.13.7/DZ8.13.6 Amtrak Test Network Mail Server) with ESMTP id m13ECu2r005093 for <luckyguy@yourcompany.com>; Sun, 3 Feb 2008 09:12:56 -0500 (EST)
Message-ID: <16157949.1202047976741.JavaMail.ibadmin@mssibap52p>

- Identify the sender's address (in this example, tickets@amtrak.com) and the first IP address listed in the headers (198.212.199.45)
- Go to http://www.kitterman.com/spf/validate.html and get the SPF record for the domain (v=spf1 ip4:198.212.199.45 mx ?all).
- Copy that SPF record to your clipboard, then return to the SPF checking tool
- Test the SPF record (the third form group on the page) and plug in the IP address, the SPF record and the mail from address to find out whether the message fails.

Notify the proper people of your discovery

I look up the company's WHOIS information at https://secure.registerapi.com/services/whois.php and look for a technical contact e-mail and send them the information gathered in the steps above. It usually takes the form of this:
quote:
To Whom It May Concern:

An e-mail message from sender@company.com was trapped by our spam filter for problems with SPF. SPF is an authentication measure to ensure that e-mail purporting to be from company.com is authentic and not forged.

The message in question was sent from IP address 14.2.22.7 but your SPF record hosted in DNS says that the only authorized mail server for your company has an address of 14.2.22.25.

[note: if the sending address is wildly different from the SPF record, but it's clearly a legitimate e-mail, then it may be a laptop user connecting from a coffee shop. This represents a different kind of problem.]

You can learn more about how to set up an SPF record, including an easy-to-use wizard, at http://www.openspf.org/

You should fix this problem as soon as possible, as it's likely that a lot of your company's e-mail is ending up stuck in spam filters everywhere.

You may want to cc the original sender and the original recipient at your company on this message so they know it's not you that's preventing them from communicating.

Add the sender to your IP Whitelist

Finally, you may choose to add the sender's IP address to the IP Whitelist in MailEssentials. At that point it becomes officially not your problem. However, it's likely that you'll be the first good Samaritan to explain to a poor, confused SMB e-mail administrator exactly why so much of his or her e-mail is going to spam filters, and he or she will lean on you for help. You may want to hold off on adding the IP address to the whitelist so you can help them troubleshoot their problem.

- Joe Stern
Philadelphia, PA
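
The manual check in the "Confirm the SPF failure" steps can also be done offline. The following Python sketch is an added example, not part of the original post and not GFI or kitterman.com code: it pulls the connecting IP from the topmost Received header and evaluates a record's ip4/ip6/all terms in order. The function names and the `-all` record in the second call are assumptions made for illustration; mechanisms that need DNS (mx, a, include) are reported rather than guessed.

```python
import ipaddress
import re

# Constructed sample: Received lines from the post, second one abridged.
HEADERS = (
    "Received: from mssdns46.ins.amtrak.com ([198.212.199.45]) by "
    "bay0-mc12-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668)\n"
    "Received: from mssibap52p (mssibap52p.ins.amtrak.com [172.30.120.52]) "
    "by mssdns46.ins.amtrak.com with ESMTP id m13ECu2r005093\n"
)
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(headers):
    """Bracketed IP from the topmost Received line, the only one stamped
    by the receiving server; lower lines are written by the sender."""
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            return m.group(1) if m else None
    return None


def check_spf(record, ip):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULTS[qualifier]
        else:
            # mx, a, include, exists, redirect= ... need DNS: stop, don't guess.
            return f"undetermined: '{term}' needs a DNS lookup"
    return "neutral"  # no mechanism matched (RFC 7208 default)


if __name__ == "__main__":
    ip = connecting_ip(HEADERS)
    print(ip, check_spf("v=spf1 ip4:198.212.199.45 mx ?all", ip))
    # Constructed record modelled on the sample letter's addresses.
    print(check_spf("v=spf1 ip4:14.2.22.25 -all", "14.2.22.7"))
```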