Our server has been receiving abuse reports from Hotmail, because of an auth-failure. One of our sending servers has been blacklisted and Hotmail is refusing delisting. We have investigated a lot, and maybe the error on the SPF record might be the cause. But Hotmail isn't providing any useful feedback, apart from 'abuse reports' on another (non-blacklisted) server.

Feedback-Type: auth-failure
User-Agent: XMR/2.2
Version: 1.0
Original-Mail-From: <civibounces@sp.nl>
Arrival-Date: Tue, 29 Sep 2015 22:49:33 -0700
Message-ID: <20150930054907.CCF531814A5@dccivicrm.sp.nl>
Authentication-Results: hotmail.com; spf=permerror (sender IP is 82.94.240.218; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=civibounces@sp.nl; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=sp.nl; x-hmca=none header.id=ledendag@sp.nl
Source-IP: 82.94.240.218
Reported-Domain: sp.nl
DKIM-Domain: sp.nl

But when I test the SPF record (http://tools.bevhost.com/spf/), the combination appears to be valid. So I'm wondering if these are false positives by Hotmail, or if there is something else I'm overlooking.

The diagnostic tool appears to find two(?) identical SPF records:

v=spf1 ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl a:mail2.parlement.nl ip4:164.138.29.230 ~all
SDKKR
  • 35

1 Answer

I see two records, and worse, they are not identical:

;; ANSWER SECTION:
sp.nl.                  3600    IN      TXT     "v=spf1  ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl a:mail2.parlement.nl ip4:164.138.29.230 ~all"
sp.nl.                  3600    IN      TXT     "v=spf1  ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl a:gazpacho.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl a:mail2.parlement.nl ~all"

I have highlighted the difference that I see. Given that RFC 4408 makes it fairly clear that you should only have one SPF record, I can see how two different records would confuse some receivers.

Work out what should be in your record, and make sure there's only one of it.

And while you're at it, make sure you've listed all your servers, then terminate your record with -all; ~all is completely pointless as an SPF policy, and in some cases worse than useless (some admins here consider it a sign of an actively-spammy sender).

MadHatter
  • 81,580
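
The record-selection step of RFC 4408 (section 4.5) applied to the two TXT strings quoted in the answer, as an added example that is not part of the original post. It makes no DNS lookup; the function names and the "ok" label for a single usable record are assumptions made for this illustration.

```python
# Added example: SPF record selection per RFC 4408 section 4.5, run on the
# two TXT strings quoted in the answer above (no DNS lookup is made).

TXT_RECORDS = [
    "v=spf1  ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl a:mail2.parlement.nl ip4:164.138.29.230 ~all",
    "v=spf1  ip4:82.94.240.192/27 ip4:87.213.30.192/29 a mx a:mail.sp.nl a:gazpacho.sp.nl a:listserver.sp.nl a:aegir.sp.nl a:www.sp.nl a:mail1.parlement.nl a:mail2.parlement.nl ~all",
]


def is_spf(txt):
    """True if the TXT string is exactly 'v=spf1' or starts with 'v=spf1 '."""
    lowered = txt.lower()
    return lowered == "v=spf1" or lowered.startswith("v=spf1 ")


def select_record(txt_records):
    """Return (result, record): 'none' without an SPF record, 'permerror' with several."""
    spf = [t for t in txt_records if is_spf(t)]
    if not spf:
        return "none", None
    if len(spf) > 1:
        # Two or more v=spf1 records: evaluation stops here with PermError.
        return "permerror", None
    return "ok", spf[0]  # "ok" is this example's own label, not an SPF result


def term_differences(txt_records):
    """For each SPF record, list the terms missing from at least one other SPF record."""
    term_sets = [set(t.split()[1:]) for t in txt_records if is_spf(t)]
    if not term_sets:
        return []
    common = set.intersection(*term_sets)
    return [sorted(terms - common) for terms in term_sets]


if __name__ == "__main__":
    result, _ = select_record(TXT_RECORDS)
    print("selection result:", result)
    for i, extra in enumerate(term_differences(TXT_RECORDS), 1):
        print(f"record {i} only: {extra}")
```

Feeding it the TXT answers from a live query after the DNS change confirms that exactly one SPF record is left before asking for delisting again.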