Discussion:
SPF & SenderID
Phil Ewington - 43 Plc
2006-10-30 11:23:53 UTC
Hi All,

I am looking at improving the SPF records I have and have a couple of
questions that I would like to put to you guys....

1) I use sub domains for sending mail for a domain, should I set all the
sub domain information within the main domain record or should an SPF
record exist for each sub domain I use, maybe even a record for the main
domain and one for each sub domain?

2) I have read about Hotmail using SenderID for authenticating a sending
mail server, after looking this up, Microsoft have a wizard to create
the SPF record with SenderID, however this creates a standard SPF v 1.0
record as does the OpenSPF wizard. I have read however that SenderID is
specifically done by using SPF 2.0 beginning with the syntax....

spf2.0/mfrom,pra

Any help offered will be greatly appreciated.


TIA

Phil Ewington.
Scott Kitterman
2006-10-30 12:16:05 UTC
Post by Phil Ewington - 43 Plc
Hi All,
I am looking at improving the SPF records I have and have a couple of
questions that I would like to put to you guys....
1) I use sub domains for sending mail for a domain, should I set all the
sub domain information within the main domain record or should an SPF
record exist for each sub domain I use, maybe even a record for the main
domain and one for each sub domain?
SPF is specific to the exact (sub) domain being used, so each would need its
own record. Depending on what you want to do, you might put all your actual
record content in the main domain record and then have each subdomain
redirect to the main domain, e.g.:

subdomain.example.com IN TXT "v=spf1 redirect=example.com"

This would simplify record upkeep.
Post by Phil Ewington - 43 Plc
2) I have read about Hotmail using SenderID for authenticating a sending
mail server, after looking this up, Microsoft have a wizard to create
the SPF record with SenderID, however this creates a standard SPF v 1.0
record as does the OpenSPF wizard. I have read however that SenderID is
specifically done by using SPF 2.0 beginning with the syntax....
spf2.0/mfrom,pra
Any help offered will be greatly appreciated.
First, there are clearly some oddities about what Hotmail does that can only
be explained by Hotmail. Second, SID will use a v=spf1 record if no spf2.0
record is available. There is more info here:

http://new.openspf.org/SPF_vs_Sender_ID

Scott K
Phil Ewington - 43 Plc
2006-10-31 12:43:58 UTC
Post by Scott Kitterman
Post by Phil Ewington - 43 Plc
2) I have read about Hotmail using SenderID for authenticating a sending
mail server, after looking this up, Microsoft have a wizard to create
the SPF record with SenderID, however this creates a standard SPF v 1.0
record as does the OpenSPF wizard. I have read however that SenderID is
specifically done by using SPF 2.0 beginning with the syntax....
spf2.0/mfrom,pra
Any help offered will be greatly appreciated.
First, there are clearly some oddities about what Hotmail does that can only
be explained by Hotmail. Second, SID will use a v=spf1 record if no spf2.0
http://new.openspf.org/SPF_vs_Sender_ID
Ok, my understanding of this is that anyone wanting to use SPF to verify
mail should do SenderID verification via v=spf1 records however it
should use v=spf2.0/pra if available. As the experimental RFC states
SHOULD rather than MUST I assume that developers could potentially write
software that does not interpret records correctly, i.e. only checking
v=spf1 when a v=spf2.0/pra record exists, for this reason is it
recommended that both a v=spf1 and a v=spf2.0/pra records should exist?

TIA

Phil Ewington.
Alex van den Bogaerdt
2006-10-31 13:38:05 UTC
Post by Phil Ewington - 43 Plc
Ok, my understanding of this is that anyone wanting to use SPF to verify
mail should do SenderID verification via v=spf1 records however it
should use v=spf2.0/pra if available. As the experimental RFC states
SHOULD rather than MUST I assume that developers could potentially write
software that does not interpret records correctly, i.e. only checking
v=spf1 when a v=spf2.0/pra record exists, for this reason is it
recommended that both a v=spf1 and a v=spf2.0/pra records should exist?
SPF is designed to look at RFC 821 "MAIL FROM" only.

Then Microsoft comes along, and abuses your carefully crafted record
to do its RFC822 "From:" checking.

Sometimes this fails, notably if you have a setup where your RFC822 "From:"
address is never used as sender address (RFC821) and thus has "v=spf1 -all".

The workaround suggested is to publish spf2.0 (not v=spf2.0) records for
this domain, and use it to opt-out of microsoft's senderID.

Unfortunately hotmail does not seem to pay attention to these records,
rendering the workaround useless.

In other words: they screwed up again.

Alex
Nils Ackermann
2006-10-31 17:58:35 UTC
Post by Alex van den Bogaerdt
Post by Phil Ewington - 43 Plc
Ok, my understanding of this is that anyone wanting to use SPF to verify
mail should do SenderID verification via v=spf1 records however it
should use v=spf2.0/pra if available. As the experimental RFC states
SHOULD rather than MUST I assume that developers could potentially write
software that does not interpret records correctly, i.e. only checking
v=spf1 when a v=spf2.0/pra record exists, for this reason is it
recommended that both a v=spf1 and a v=spf2.0/pra records should exist?
SPF is designed to look at RFC 821 "MAIL FROM" only.
Then Microsoft comes along, and abuses your carefully crafted record
to do its RFC822 "From:" checking.
Sometimes this fails, notably if you have a setup where your RFC822 "From:"
address is never used as sender address (RFC821) and thus has "v=spf1 -all".
The workaround suggested is to publish spf2.0 (not v=spf2.0) records for
this domain, and use it to opt-out of microsoft's senderID.
Unfortunately hotmail does not seem to pay attention to these records,
rendering the workaround useless.
In other words: they screwed up again.
I have been trying unsuccessfully to reach hotmail accounts too.
To achieve this I have set up my spf records (for ackermath.info):

"v=spf1 mx/28 -all"
"spf2.0/pra ?all"

The second follows the recommendation on new.openspf.org:

Unless you have researched and developed a PRA policy, you should
publish an empty spf2.0/pra record.

I don't know if what I have is an "empty spf2.0/pra record", but I
know I haven't "researched and developed a PRA policy". Moreover, I
am using different email clients (on different computers, but always
sending through the designated servers), and I don't trust all of them
never inserting any bogus Sender: header (gnus used to do this).

Created a test account on hotmail: email from ackermath.info is not
lost but put in the spam folder by default, with a

X-SID-PRA: Nils Ackermann <***@ackermath.info>
X-SID-Result: TempError

header (I can supply full headers and body on request). Does hotmail
consider a matching "?all", resp TempError, a sign of raised
spaminess?

Reading this list tells me that reaching hotmail accounts is a
mystery. Maybe it's just my "info" TLD (or the link to my homepage
containing this TLD in the email) that triggers the spam filter. Then
I can not do anything about it, I guess.

Do you have any other suggestions how I should form SPF and SenderID
records to help with this?

Thanks,
Nils
Steve Yates
2006-10-31 19:33:30 UTC
Post by Nils Ackermann
Post by Alex van den Bogaerdt
Unfortunately hotmail does not seem to pay attention to these records,
rendering the workaround useless.
Post by Nils Ackermann
"v=spf1 mx/28 -all"
"spf2.0/pra ?all"
If Alex is correct and HotMail is ignoring the Sender ID record
in favor of the SPF record, perhaps it's getting confused about the
"mx/28" syntax. Is that valid for Sender ID? My guess would be no,
even though it is for SPF, and that's where the TempError is coming
from. Or they could just be wrong. :)

- Steve Yates
- ITS, Inc.
- ERROR: ERROR: ERROR: <*SMACK*> C:\>_

~ Taglines by Taglinator - www.srtware.com ~
Scott Kitterman
2006-10-31 19:52:31 UTC
Hotmail has a 'unique' way of operating.

I have heard that they query DNS for SPF records asynchronously from their
mail processing. All the temperror means is that your record isn't in their
local cache.

I've been recommending people away from Hotmail when I could for some time.

My controlledmail.com customers tell me that their mail sent through my
service arrives in a Hotmail inbox just fine, but the same message sent
through another provider does not (both in the SPF record).

My speculation is that they have some kind of an internal reputation system
going that either inadvertently or by design deletes mail.

Scott K
Jeff Macdonald
2006-11-01 13:55:03 UTC
Post by Scott Kitterman
My speculation is that they have some kind of an internal reputation system
going that either inadvertently or by design deletes mail.
No need to speculate:

http://download.microsoft.com/download/e/3/3/e3397e7c-17a6-497d-9693-78f80be272fb/enhance_deliver.pdf

And yes, they are starting to use reputation if there is a SenderID
record.
--
:: Jeff Macdonald | Principal Engineer, Messaging Technologies
:: e-Dialog | ***@e-dialog.com
:: 131 Hartwell Ave. | Lexington, MA 02421
:: v: 781-372-1922 | f: 781-863-8118
:: www.e-dialog.com
Frank Ellermann
2006-11-01 09:07:48 UTC
Post by Steve Yates
"mx/28" syntax. Is that valid for Sender ID? My guess would be no
Except for the prefix v=spf1 or spf2.0/mfrom etc. the syntax is 100%
identical, see http://en.wikipedia.org/wiki/Sender_ID

There's a subtle point about the %{h} macro (= Helo), I've no clue
what it means in the context of a pure PRA evaluation for spf2.0/pra

But otherwise it's identical. Buggy implementations could get mx/28
wrong, but that's no PRA issue, they could also get it wrong for SPF.

Frank
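The points raised in this thread, as an added example (not code posted by anyone in the thread and not any real SPF library): Scott's suggestion of a per-subdomain "v=spf1 redirect=example.com" record, his note that a Sender ID check falls back to v=spf1 when no spf2.0 record exists, Nils's pair of records ("v=spf1 mx/28 -all" plus the empty "spf2.0/pra ?all" opt-out), and Frank's point that after the version prefix the term syntax is identical. The DNS data (TXT, MX and A records for example.com, sub.example.com and ackermath.info) is constructed in memory so the script runs offline; the example.com addresses are invented, and only the ip4, a, mx and all mechanisms plus the redirect= modifier are implemented.

```python
"""Toy SPF / Sender ID evaluator over constructed in-memory DNS data.

Illustrative code written for this thread, not the thread's own code and
not any real SPF library.  Zone data below is constructed; only the
mechanisms needed by these records are implemented.
"""
import ipaddress

# Constructed DNS data: TXT records per name, MX targets, A records.
TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "sub.example.com": ["v=spf1 redirect=example.com"],   # Scott's suggestion
    "ackermath.info": ["v=spf1 mx/28 -all", "spf2.0/pra ?all"],  # Nils's records
}
MX = {"ackermath.info": ["mail.ackermath.info"]}
A = {"mail.ackermath.info": ["198.51.100.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_record(domain, scope):
    """Choose the TXT record a checker reads for scope "mfrom" or "pra".

    A plain SPF checker (RFC 4408) only ever reads v=spf1.  A Sender ID
    checker doing a PRA check prefers an spf2.0 record whose scope list
    names pra (spf2.0/pra, spf2.0/mfrom,pra) and, as Scott notes, falls
    back to the v=spf1 record when none exists.
    """
    records = TXT.get(domain, [])
    if scope == "pra":
        for rec in records:
            head = rec.split(None, 1)[0].lower()       # e.g. "spf2.0/mfrom,pra"
            if head.startswith("spf2.0/") and "pra" in head[7:].split(","):
                return rec
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def evaluate(domain, ip, scope="mfrom", depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip against domain.

    After the version prefix the term syntax is the same for v=spf1 and
    spf2.0 records (Frank's point), so one loop serves both.
    """
    if depth > 10:                                     # guard against redirect loops
        return "permerror"
    rec = select_record(domain, scope)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in rec.split()[1:]:
        if term.startswith("redirect="):               # modifier, applied after mechanisms
            redirect = term[len("redirect="):]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name, _, cidr = name.partition("/")            # "mx/28" -> mx with /28
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            target, _, arg_cidr = arg.partition("/")   # "a:host/24" form
            target = target or domain
            cidr = cidr or arg_cidr or "32"
            hosts = MX.get(target, []) if name == "mx" else [target]
            matched = any(
                addr in ipaddress.ip_network(f"{a}/{cidr}", strict=False)
                for host in hosts for a in A.get(host, [])
            )
        else:                                          # include, exists, ptr... not implemented
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return evaluate(redirect, ip, scope, depth + 1)
    return "neutral"                                   # no match and no redirect


if __name__ == "__main__":
    print(evaluate("sub.example.com", "192.0.2.7"))            # pass, via redirect
    print(evaluate("ackermath.info", "198.51.100.12"))         # pass, inside the MX's /28
    print(evaluate("ackermath.info", "203.0.113.1", "mfrom"))  # fail
    print(evaluate("ackermath.info", "203.0.113.1", "pra"))    # neutral, from spf2.0/pra ?all
    print(evaluate("example.com", "203.0.113.1", "pra"))       # fail, fell back to v=spf1
```

The last two calls show the opt-out Alex describes: the same source address is a hard fail under the MAIL FROM check but only neutral under a PRA check, because the PRA scope picks up the empty spf2.0/pra record. Drop that record and the PRA check falls back to "v=spf1 mx/28 -all" and fails too, which is exactly the situation a domain whose From: address is never a MAIL FROM address wants to avoid.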