Setting up an SPF record for a shared hosting service with lots of email gateways

domain-name-systemshared-hostingspfspoofing

My website is on a Hostgator shared host, and I need to set up SPF for my email so my outgoing emails won't get bounced. So, I have to add a TXT record to the DNS for my domain, listing all possible senders of my domain's email. Shouldn't be a big deal, right?

Unfortunately, I found that Hostgator routes outgoing email from shared hosts through multiple email gateway servers, all with domains in the format gatewayXX.websitewelcome.com for some two-digit XX. So, I started sending test emails to myself, adding new servers as I found them. After finding six of them, I had the following SPF record…

v=spf1 +a +mx +ip4:50.87.144.137 +a:gateway33.websitewelcome.com +a:gateway26.websitewelcome.com +a:gateway20.websitewelcome.com +a:gateway24.websitewelcome.com +a:gateway22.websitewelcome.com +a:gateway36.websitewelcome.com ~all

… and kept finding more.

I finally wrote a script that went through the one hundred possible domains in the above format, and found that 28 of them existed, mapping to a total of 705 IP addresses. Nope: can't have that many domains in my SPF record, as it would be too many DNS lookups as well as just too many characters.

How do I accomplish this? Must I scan the 705 IP addresses and figure out what CIDR-notated networks cover them all? Am I then giving permission for anyone hosted at Hostgator to spoof my domain name in their outgoing mail? Is there a completely different approach I should take to this? Or should I be looking for a different hosting setup with a small number of publicly visible outgoing email servers?

Best Answer

You could have saved yourself a lot of time by just searching the hostgator support site. :)

From the above linked page:

v=spf1 a mx include:websitewelcome.com ~all

Related Solutions

SPF records for SMTP service

In order for SPF to be any real benefit, you need to aim for a -all default action. To do this you need to ALWAYS use your designated mail servers to handle your mail, which isn't too hard, but means in particular that home users can't use their ISPs mail servers, which in turn means they need to use SSL/TLS (or non-standard ports) as so many ISPs block port 25 other than to their own servers.

It's considered courteous to list explicit IPs first since they require no addtional DNS lookups (so they're faster too) and SPF rules are evaluated left to right. For a single IP, you don't need the /32 on the end as that's implicit. All in all,

v=spf1 ip4:45.23.77.65 include:_spf.google.com -all

Having done that, create a SenderID record containing this:

spf2.0/pra

This says that you don't publish any "purported responsible address" records (which are somewhat broken anyway), but also makes SenderID defer to SPF for permitted mail sources. This syntax is functionaly identical to the suggested spf2.0/pra ?all that Microsoft's somewhat buggy wizard will suggest. When you're done, register your domain with Microsoft. This will mean that hotmail and friends subscribe to your DNS explicitly, again helping mail get delivered faster.

I'd steer clear of MS' wizard for spf1 records; the openspf one is more reliable. Remember that SenderID (a.k.a. SPF 2.0) does not in any way replace or obsolete standard SPF; you should use both (and DKIM while you're at it, though that's harder).

Email sent from server with rDNS & SPF being blocked by Hotmail

Your title says your email is being blocked by hotmail.com but in one of your comments to Stony's answer you state that your SMTP log shows "RCPT=OK" and "RECV=OK" when sending email to hotmail.com. That in and of itself should be telling you that your email is not being blocked. It's being accepted by hotmail.com and is most likely being filtered after being accepted. there's a difference between an email being blocked/rejected and being filtered after being accepted.

You state that you can't telnet to port 25 of mail.hotmail.com. That's because mail.hotmail.com is not an MX for hotmail.com. A quick nslookup shows the following MX records for hotmail.com: mx1.hotmail.com, mx2.hotmail.com, mx3.hotmail.com, and mx4.hotmail.com.

You state that you can't ping hotmail.com but you can ping gmail.com. It's irrelevant whether or not you can ping hotmail.com or any other server, name, web site, etc. The ping tool doesn't test the availability of a service (web, email, etc). The fact that you can't ping hotmail.com only means that the hosts that hotmail.com resolve to don't respond to pings or that a firewall is blocking those pings. It's totally irrelevant to the problem. In addition, pinging hotmail.com has nothing to do with the MX records for hotmail.com. Hotmail.com is the domain name and pinging hotmail.com is pinging the A records configured for that domain name. When you ping gmail.com you're pinging the A record for that domain name, you're not pinging the MX records for gmail.com.

Have a look at the Hotmail Postmaster page here to see if there's anything you need to look in to:

http://mail.live.com/mail/troubleshooting.aspx

Best Answer

Related Solutions

SPF records for SMTP service

Email sent from server with rDNS & SPF being blocked by Hotmail

Related Topic