HOW TO: resolving SPF failures

joestern

  • Total Posts : 321
  • Joined: 9/19/2003
  • Location: Philadelphia, PA
  • Status: offline
HOW TO: resolving SPF failures Thursday, February 28, 2008 4:24 PM (permalink)
Scenario: A trusted sender's e-mail is frequently getting stuck in the spam filter, despite sending from a whitelisted address.
 
Problem: GFI's SPF module is catching the mail. This is confirmed by logging.
 
Resolution:
 
Confirm the SPF failure
  1. Open the undelivered EML file using Outlook Express or Windows Live Mail client
  2. Go to File | Properties | Details to examine the message headers. They will resemble the following:

    X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0w
    X-Message-Status: n:0
    X-SID-PRA: tickets@amtrak.com
    X-SID-Result: Pass
    X-Message-Info: R00BdL5giqp3aMGvVWevAm69Jf8ch420394M5Gl9DGd0IZk6hN5mNNEinDCMzNp6pYBG3MN+qXALtZgS3clY60dw6vlBzJZE
    Received: from mssdns46.ins.amtrak.com ([198.212.199.45]) by bay0-mc12-f9.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
      Sun, 3 Feb 2008 06:12:56 -0800
    Received: from mssibap52p (mssibap52p.ins.amtrak.com [172.30.120.52])
     by mssdns46.ins.amtrak.com (8.13.7+Sun/8.13.7/DZ8.13.6 Amtrak Test Network Mail Server) with ESMTP id m13ECu2r005093
     for <luckyguy@yourcompany.com>; Sun, 3 Feb 2008 09:12:56 -0500 (EST)
    Message-ID: <16157949.1202047976741.JavaMail.ibadmin@mssibap52p>

  3. Identify the sender's address (in this example, tickets@amtrak.com) and the first IP address listed in the headers (198.212.199.45)
  4. Go to http://www.kitterman.com/spf/validate.html and get the SPF record for the domain (v=spf1 ip4:198.212.199.45 mx ?all).
  5. Copy that SPF record to your clipboard, then return to the SPF checking tool
  6. Test the SPF record (the third form group on the page) and plug in the IP address, the SPF record and the mail from address to find out whether the message fails.

Notify the proper people of your discovery 

I look up the company's WHOIS information at https://secure.registerapi.com/services/whois.php and look for a technical contact e-mail and send them the information gathered in the steps above. It usually takes the form of this:

To Whom It May Concern:
An e-mail message from sender@company.com was trapped by our spam filter for problems with SPF. SPF is an authentication measure to ensure that e-mail purporting to be from company.com is authentic and not forged. The message in question was sent from IP address 14.2.22.7 but your SPF record hosted in DNS says that the only authorized mail server for your company has an address of 14.2.22.25.
 
[note: if the sending address is wildly different from the SPF record, but it's clearly a legitimate e-mail, then it may be a laptop user connecting from a coffee shop. This represents a different kind of problem.] 
 
You can learn more about how to set up an SPF record, including an easy-to-use wizard, at http://www.openspf.org/
 
You should fix this problem as soon as possible, as it's likely that a lot of your company's e-mail is ending up stuck in spam filters everywhere.

 
You may want to cc the original sender and the original recipient at your company on this message so they know it's not you that's preventing them from communicating.
 
Add the sender to your IP Whitelist
 
Finally, you may choose to add the sender's IP address to the IP Whitelist in MailEssentials. At that point it becomes officially not your problem. However, it's likely that you'll be the first good Samaritan to explain to a poor, confused SMB e-mail administrator exactly why so much of his or her e-mail is going to spam filters, and he or she will lean on you for help. You may want to hold off on adding the IP address to the whitelist so you can help them troubleshoot their problem.
 
- Joe Stern
Philadelphia, PA
 
 
 
 
#1
    Ytsejamer1

    • Total Posts : 157
    • Joined: 3/7/2006
    • Status: offline
    RE: HOW TO: resolving SPF failures Monday, April 20, 2009 8:38 PM (permalink)
    Has anyone had more SPF problems with more and more businesses using Google's mail service to forward their mail?  A few of our clients have and the SPF filter is catching a lot of them.  Verizon also has a mail service for businesses...those have been getting caught as well.

    When talking with IT reps at those clients they say we're the only one using this SPF filter.  I have mine set to default/medium.  Any other thoughts on this?
     
    #2
      RSP

      • Total Posts : 1774
      • Joined: 10/31/2006
      • Location: The East Riding of Yorkshire, UK
      • Status: offline
      RE: HOW TO: resolving SPF failures Monday, April 20, 2009 8:51 PM (permalink)
      It sounds like those IT reps are burying their heads in the sand. SPF has been around for a long time.

      I disagree with GFI's recommendation of Medium here, as most IT people bury their heads in the sand when it comes to SPF. Very few understand it, so just don't bother. Of those few, most get it wrong. Therefore Low is better, as it doesn't get as many false-positives due to mis-configured records.

      I find that the SPF is best used to stop own-domain spam, but unfortunately it's either on or off for all domains.
       
      #3
        Ytsejamer1

        • Total Posts : 157
        • Joined: 3/7/2006
        • Status: offline
        RE: HOW TO: resolving SPF failures Monday, April 20, 2009 9:09 PM (permalink)
        Hey RSP...thanks for the suggestion.  I was toying with the idea of going to low, but wasn't entirely sure.  Hopefully that helps cut down on those false positives.  It'd be great if every company had their own mail server and IP address for it...but that's not the way it works unfortunately.

        Maybe GFI should work with the mail service providers such as Google, Verizon, etc, and develop some type of safe SPF list.  Probably not logistically possible though.
         
        #4
          RSP

          • Total Posts : 1774
          • Joined: 10/31/2006
          • Location: The East Riding of Yorkshire, UK
          • Status: offline
          RE: HOW TO: resolving SPF failures Monday, April 20, 2009 10:36 PM (permalink)

          ORIGINAL: Ytsejamer1

          Hey RSP...thanks for the suggestion.  I was toying with the idea of going to low, but wasn't entirely sure.

          Unfortunately most people use ~all, which is SoftFail and caught by a medium setting

          It'd be great if every company had their own mail server and IP address for it...but that's not the way it works unfortunately.

          That's what the include directive is for, but often not used correctly. I think the SPF specification needs to be updated, as it only provides for 10 lookups which seems inadequate these days.


          Maybe GFI should work with the mail service providers such as Google, Verizon, etc, and develop some type of safe SPF list.  Probably not logistically possible though.

          Nice thought, but unlikely to happen. There is the Trusted Forwarder option in the SPF module which is supposed to do just that, but I've found it can be abused resulting in false-negatives.
           
          #5
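
Added example, not part of any post in this thread: an offline version of the step 6 check from the how-to, which also shows the `~all` SoftFail result and the 10-lookup limit raised in the replies. It decides only `ip4`/`ip6`/`all` terms without DNS; `check_spf`, the `needs-dns` label and the constructed 14.2.22.25 record are assumptions made for illustration.

```python
import ipaddress
import re

# Terms that each cost one DNS lookup toward the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)[:=/]?(.*)")


def parse(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    matches = (TERM.fullmatch(t) for t in terms[1:])
    return [(m.group(1) or "+", m.group(2).lower(), m.group(3)) for m in matches if m]


def check_spf(record, client_ip):
    """Return (result, lookups) using only what can be decided without DNS.

    "needs-dns" (a label made up for this example) means a DNS-backed term
    must be resolved first. lookups counts top-level terms only; nested
    includes add more.
    """
    terms = parse(record)
    if terms is None:
        return "none", 0
    ip = ipaddress.ip_address(client_ip)
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    for qualifier, name, arg in terms:  # first match wins, left to right
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", lookups
            if ip in net:
                return QUALIFIERS[qualifier], lookups
        elif name == "all":
            return QUALIFIERS[qualifier], lookups
        elif name in LOOKUP_TERMS and name != "redirect":
            return "needs-dns", lookups
    redirect = any(name == "redirect" for _, name, _ in terms)
    return ("needs-dns" if redirect else "neutral"), lookups


if __name__ == "__main__":
    print(check_spf("v=spf1 ip4:198.212.199.45 mx ?all", "198.212.199.45"))
    print(check_spf("v=spf1 ip4:14.2.22.25 ~all", "14.2.22.7"))  # constructed
```

A lookup count above `MAX_LOOKUPS` means a compliant receiver can return PermError before reaching the record's final `all` term.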