Results 1 to 5 of 5
  1. #1
    Join Date
    Feb 2005
    Location
    Galway, Ireland
    Posts
    33

    * What's wrong with my SPF record?

    Hi gurus,

    I hope you can help me to figure out where the problem with my SPF is, it seems to be correct to me. Even vast majority of SPF testing tools tells me it's correct, but there are few that show SOFTFAIL. I wouldn't worry me too much if every email sent to hotmail.com didn't show on top small warning: "The sender of this message, [email protected], could not be verified by Sender ID. Learn more about Sender ID."

    - IP of get-gifts-for-free.com domain is on 209.59.181.165
    - All emails is sent from 209.59.181.105 and headers say (HELLO host.motylonline.com) which is fine, 209.59.181.105 is base IP of this server and hostname is set to host.motylonline.com
    - Reverse DNS for 209.59.181.105 is set to ns1.motylonline.com
    - The SPF record for get-gifts-for-free.com is:
    "v=spf1 a mx mx:mail.get-gifts-for-free.com mx:get-gifts-for-free.com mx:host.motylonline.com mx:ns1.motylonline.com ptr:ns1.motylonline.com ip4:209.59.181.105 ip4:209.59.181.165 ~all"

    I keep trying different SPF records for 2 days now but without success

    For example any email sent to testing address [email protected] returns:

    ==========================================================
    Summary of Results
    ==========================================================

    mail-from check: softfail
    PRA check: softfail
    DomainKeys check: neutral (message not signed)


    ==========================================================
    Details:
    ==========================================================

    HELO hostname: host.motylonline.com
    Source IP: 209.59.181.105
    mail-from: [email protected]
    PRA Header: from
    PRA: [email protected]



    SPF TXT record/s:
    v=spf1 a mx mx:mail.get-gifts-for-free.com mx:get-gifts-for-free.com mx:host.motylonline.com ptr:ns1.motylonline.com ip4:209.59.181.105 ip4:209.59.181.165 ~all

    PRA TXT record/s:
    v=spf1 a mx mx:mail.get-gifts-for-free.com mx:get-gifts-for-free.com mx:host.motylonline.com ptr:ns1.motylonline.com ip4:209.59.181.105 ip4:209.59.181.165 ~all

    Domain Key TXT record:
    None

    ==========================================================
    Explanation of the possible results:
    ==========================================================

    "pass"
    means the client IP is a designated mailer for the sender.
    The mail should be accepted subject to local policy regarding
    the sender.

    "fail"
    means the client IP is not a designated mailer, and the sender
    wants you to reject the transaction for fear of forgery.

    "softfail"
    means the client IP is not a designated mailer, but the
    sender prefers that you accept the transaction because it isn't
    absolutely sure all its users are mailing through approved
    servers. The "softfail" status is often used during initial
    deployment of SPF records by a domain.

    "neutral"
    means the sender makes no assertion about the status of the
    client IP.

    "none"
    means that there is no SPF record for this domain.

    "unknown"
    means the domain has a configuration error in the published
    data or defines a mechanism which this tool does not (yet) know
    about. If the data contained an unrecognized mechanism, it
    will be presented following "unknown".

    "error"
    means the DNS lookup encountered a temporary error
    during processing.
    Another testing system returns:
    An email system which uses SPF rejected a message claiming to be from [email protected]

    An email system which uses SPF saw a message coming from the IP address 209.59.181.105 which is ns1.motylonline.com; the sender claimed to be [email protected]

    ns1.motylonline.com is approved for get-gifts-for-free.com, so that mail should have been accepted.

    What should I do?

    Wait a while, then try sending the message again. It should go through this time.
    Even though it says Wait a while, then try sending the message again. It should go through this time. it simply doesn't work no matter how many times I try.

    There are numerous other tests that accepted email just fine and are happy with SPF record.
    See example below:
    This service runs at <[email protected]> and allows remote users
    to perform a simple, automated test to see if different Sender
    Authentication schemes are working. Mail sent to this service
    is checked by our Sender Authentication filters for any valid
    credentials or signatures. A script receives the message, checks
    for a special header with the results of the tests, and composes
    this response message based on what it finds.

    For more information about Sender Authentication, please visit:

    http://sendmail.net/

    We hope this service has been helpful to you.

    Authentication System: Domain Keys
    Result: (no result present)
    Reporting host:
    More information: http://antispam.yahoo.com/domainkeys
    Sendmail milter: http://www.sendmail.net/dk-milter

    Authentication System: Sender ID
    Result: SID data confirmed GOOD
    Description: Sending host is authorized for sending domain
    Reporting host: sendmail.net
    More information: http://www.microsoft.com/senderid
    Sendmail milter: http://www.sendmail.net/sid-milter

    Authentication System: Sender Permitted From (SPF)
    Result: SPF data confirmed GOOD
    Description: Sending host is authorized for sending domain
    Reporting host: sendmail.net
    More information: http://spf.pobox.com/
    And another passed test:
    SPF lookup of sender [email protected] from IP 209.59.181.105:

    SPF string used: v=spf1 a mx mx:mail.get-gifts-for-free.com mx:get-gifts-for-free.com mx:host.motylonline.com mx:ns1.motylonline.com ptr:ns1.motylonline.com ip4:209.59.181.105 ip4:209.59.181.165 ~all.

    Processing SPF string: v=spf1 a mx mx:mail.get-gifts-for-free.com mx:get-gifts-for-free.com mx:host.motylonline.com mx:ns1.motylonline.com ptr:ns1.motylonline.com ip4:209.59.181.105 ip4:209.59.181.165 ~all.
    Testing 'a' on IP=209.59.181.105, target domain get-gifts-for-free.com, CIDR 32, default=PASS. No match.
    Testing 'mx' on IP=209.59.181.105, target domain get-gifts-for-free.com, CIDR 32, default=PASS. MATCH!
    Testing 'mx:mail.get-gifts-for-free.com' on IP=209.59.181.105, target domain mail.get-gifts-for-free.com, CIDR 32, default=PASS.
    Testing 'mx:get-gifts-for-free.com' on IP=209.59.181.105, target domain get-gifts-for-free.com, CIDR 32, default=PASS.
    Testing 'mx:host.motylonline.com' on IP=209.59.181.105, target domain host.motylonline.com, CIDR 32, default=PASS.
    Testing 'mx:ns1.motylonline.com' on IP=209.59.181.105, target domain ns1.motylonline.com, CIDR 32, default=PASS.
    Testing 'ptr:ns1.motylonline.com' on IP=209.59.181.105, target domain ns1.motylonline.com, CIDR 32, default=PASS.
    Testing 'ip4:209.59.181.105' on IP=209.59.181.105, target domain 209.59.181.105, CIDR 32, default=PASS.
    Testing 'ip4:209.59.181.165' on IP=209.59.181.105, target domain 209.59.181.165, CIDR 32, default=PASS.
    Testing 'all' on IP=209.59.181.105, target domain get-gifts-for-free.com, CIDR 32, default=SOFTFAIL.

    Result: PASS


    Possible Results:

    * Pass - This IP is authorized to send E-mail from this domain.
    * Fail - This IP is not authorized to send E-mail from this domain
    * SoftFail - This IP probably is not authorized to send E-mail from this domain, but the domain owners are not certain
    * Neutral - The domain does not know if the IP is allowed to send E-mail or not.
    * TempError - A temporary error occurred. The E-mail should be retried later.
    * PermError - A permanent error was encountered. The E-mail should be rejected.
    * None - No SPF record was found. It cannot be determined if the IP is allowed to send E-mail from this domain.

    PLEASE HELP if you have any ideas of what might be wrong.

    Thanks a million,
    Motyl

  2. #2
    Join Date
    Nov 2003
    Location
    India
    Posts
    152
    Hello
    I'm not using SPF, but the site below might help:

    http://spf.pobox.com/wizard.html

    It helps you generate SPF record, so you might be able to generate a new SPF record or compare it with your existing record.

    Regards

  3. #3
    Greetings:

    Please consider taking the KISS --- keep it simple, smile -- approach.

    1. Review http://spf.pobox.com/mechanisms.html

    2. From what I can tell from http://www.dnsreport.com/tools/dnsre...s-for-free.com

    A. Fix your HELO greeting on the SMTP server; otherwise spam assassin will claim a forgery. See the "Mail server host name in greeting" warning.

    B. v=spf1 a mx ~a

    Should do the trick for you for a start moving to

    v=spf1 a mx -a

    When you are sure everything is correct.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  4. #4
    Join Date
    Feb 2005
    Location
    Galway, Ireland
    Posts
    33
    Thanks for good answers guys!

    Dynamicnet, if I set Reverse IP for 209.59.181.105 to host.motylonline.com then will it be working fine (even for spam assasin?)

    The currect setup is:
    - All emails is sent from 209.59.181.105 and headers say (HELLO host.motylonline.com) which is fine, 209.59.181.105 is base IP of this server and hostname is set to host.motylonline.com
    - Reverse DNS for 209.59.181.105 is set to ns1.motylonline.com

    I guess you see a problem in Reverse IP set to ns1.... and not host....
    I've asked the hosting provider to update PTR now.



    I've also checked dnstools results you were talking about. Yes I see that HELLO says host.motylonline.com even though email was sent for get-gifts-for-free.com. The same happens for all other domains hosted by this server. I hope this shouldn't be a problem, I think 95% of "shared hosting" providers have the same setup. Here are results for 2 domains:

    get-gifts-for-free.com claims to be host host.motylonline.com [but that host is at 209.59.181.105, not 209.59.181.165].

    goingforfree.com claims to be host host.motylonline.com [but that host is at 209.59.181.105, not 209.59.181.107].

    Can I leave it or should it be changed somehow?

    THANKS VERY MUCH FOR HELP!!!
    Motyl

  5. #5
    Join Date
    Jul 2003
    Location
    Castle Pines, CO
    Posts
    7,189
    Are you on a UNIX or Windows server? It is my understanding that Windows servers do not need the quotes, while UNIX does. I worked on getting mine tweaked as well.

    I agree with dynamicnet - keep it simple. Here is the one that I use and it seems to be working. I have tested it with other companies that use SPF and it works and www.dnsstuff.com seems to like it also:
    Code:
    v=spf1 ip4:xx.xx.xx.xxx a:servername.example.com -all
    Where xx.xx.xx.xxx is the IP address of the mail server

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •