Proper SPF record


Our company emails are usually treated as spam. When we checked our score on SpamAssassin, our score was pretty bad (3.3), and the main reason was our SPF record.

We would like to update our SPF record so that we resolve this issue. However, we are not very familiar with SPF records, so we would like to get your help:

Our outside third-party mail server uses three SMTP servers (let's call them 1.1.1.1, 2.2.2.2 and 3.3.3.3). Our MX is forwarded to 4.4.4.4. Currently, our MX record is the following:

v=spf1 +a +mx +ip4:1.1.1.1 +ip4:2.2.2.2 +ip4:3.3.3.3 ~all

When we tested our email, we received the following info from mail-tester.com:

softfail
domain.com.tr: Sender is not authorized by default to use 'aaa.aaa@domain.com.tr' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)

Received-SPF: softfail (domain.com.tr: Sender is not authorized by default to use 'aaa.aaa@domain.com.tr' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=ns303428.ip-94-23-206.eu; identity=mailfrom; envelope-from="aaa.aaa@domain.com.tr"; helo=smtp.54.36.145.12.eu01.server.plus; client-ip=54.36.145.12

Any help would be appreciated!

Best Answer

Your SPF record for the sending domain should read something like "v=spf1 a mx include:_spf.example.com ~all". Replace "_spf.example.com" with the domain for your vendor's SPF record. If they don't have one, switch vendors. Specify IP addresses if you need them as "ipv4:192.0.2.4" or "ipv4:192.0.2.64/28".

I would recommend SPF records for all your domains. Use "v=spf1 a -all" for your mail server domains and "v=spf1 -all" for all other domains not used in email addresses. The mail server domain should not be appearing in email addresses so it won't have an MX record. But the mail server will be sending mail so it needs the A record to allow host validation to succeed. (Host validation is a secondary use of SPF records and is used to verify that the mail server is allowed to send email rather than verifying the email address.)

Consider using a separate domain for email addresses in mail sent by your 3rd party mailer. It should have the appropriate SPF record which might not include your mail server. You can then shorten your SPF record for your domain to "v=spf1 a ~all".

I do recommend that you get to the point where you can use "-all" on the domain you use for corporate communications as soon as possible.

You should also look at implementing DKIM and DMARC as well. Once you have DMARC running you can get automated feedback on your reputation from several large email sites.
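To see why the posted record softfails for the reporting client IP and how the answer's include-based shape fixes it, here is an added example (not code from the original question or answer): a minimal offline SPF evaluator fed with a constructed zone. The names "fixed.domain.com.tr" and "_spf.vendor.example" are hypothetical stand-ins for a corrected record and the vendor's published SPF record.

```python
import ipaddress

# Added example, not code from the original post. Minimal SPF evaluator for the
# ip4/ip6, a, mx, include and all mechanisms. DNS is replaced by a dict (domain ->
# {"txt": record, "a": [ips], "mx": [ips]}); CIDR on a/mx, macros, redirect= and
# the 10-lookup limit are omitted.
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, dns):
    """Return pass/fail/softfail/neutral/none for client_ip using domain."""
    terms = dns.get(domain, {}).get("txt", "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # no SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"                       # a bare mechanism means "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":                # always matches; ends evaluation
            return QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):        # domain's A record / its MX hosts' addresses
            matched = str(ip) in dns.get(arg or domain, {}).get(name, [])
        elif name == "include":          # only a "pass" from the included record matches
            matched = check_spf(arg, client_ip, dns) == "pass"
        else:
            continue                     # unsupported mechanism or modifier, skip
        if matched:
            return QUALIFIER[qual]
    return "neutral"                     # no "all" term reached

# Constructed zone mirroring the question: the vendor's three hosts are listed
# directly, so a fourth vendor host (54.36.145.12 from the report) softfails.
# The "fixed" domain and "_spf.vendor.example" are hypothetical names.
ZONE = {
    "domain.com.tr": {
        "txt": "v=spf1 +a +mx +ip4:1.1.1.1 +ip4:2.2.2.2 +ip4:3.3.3.3 ~all",
        "a": ["4.4.4.4"], "mx": ["4.4.4.4"]},
    "fixed.domain.com.tr": {
        "txt": "v=spf1 a mx include:_spf.vendor.example ~all",
        "a": ["4.4.4.4"], "mx": ["4.4.4.4"]},
    "_spf.vendor.example": {
        "txt": "v=spf1 ip4:1.1.1.1 ip4:2.2.2.2 ip4:3.3.3.3 ip4:54.36.145.12 -all"},
}

if __name__ == "__main__":
    print(check_spf("domain.com.tr", "54.36.145.12", ZONE))  # softfail
```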
