
Email from geocaching.com and SPF


LazyLeopard


My ISP has recently started using a Microsoft Exchange server in place of a previous server which actually worked. Since the change-over I've noticed that some emails sent from geocaching.com and re-directed to my ISP via an email domain re-direction service have not been getting through.

As far as I can tell, the problem is partly because geocaching uses a FAIL ("reject this email") SPF record like this:

geocaching.com TXT "v=spf1 ip4:66.150.167.155 ip4:66.150.167.157 ip4:66.150.167.158 ip4:207.32.184.190 include:_spf.google.com -all"

My ISP sees the "-all" (which means "reject this email"), notes that the email is coming from the re-directing service instead of from one of the listed IPs, and rejects it.

This is not good. I've submitted a bug report to the re-directing service, on the off-chance that there's something they should be doing but aren't. Other than that, I've no idea how else to get round it without either getting emails sent to my ISP directly (which is a work-around I've implemented for now, but would prefer not to use long-term) or by changing my ISP (which would be a pain)...

I note that big email-generating sites tend not to use "-all" (FAIL), but rather "~all" (SOFTFAIL) or "?all" (NEUTRAL).

Edited by LazyLeopard

While you can say the problem is partly because we hard fail, our configuration decision should have no ill effects in a properly configured environment. We use hard fail to deter spammers from spoofing our domains, and the false positive rate from SPF rejection is very low.

After reviewing your mail logs, I think you've correctly assessed the issue. However, forwarders are set up by the recipient mail host and are the responsibility of the recipient mail host. As a sender, we should not have to worry about forwarders.

You mentioned that your host recently provisioned a new email server. I would suspect that they've provisioned it incorrectly: For non-sender-rewriting forwarders, accept all mail without checking SPF (any SPF results are meaningless)

Source


You mentioned that your host recently provisioned a new email server. I would suspect that they've provisioned it incorrectly: For non-sender-rewriting forwarders, accept all mail without checking SPF (any SPF results are meaningless)

Indeed. I, personally, would consign SPF (or at least SPF FAIL) to the bit-bucket, as it causes more problems than it solves. My ISP is not following best practice, and is being stubbornly clueless about non-sender-rewriting forwarders. My forwarder won't do sender re-writing. I posted here mainly to give other folk struck by the same problem something to find...

Thanks for your time.

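The SPF check discussed in this thread, as an added example that is not part of any poster's message or of any mail server's own code: it evaluates the record quoted in the first post for a direct delivery and for the same mail arriving through a forwarder, then applies the "skip SPF for known forwarders" policy on the receiving side. The forwarder address 192.0.2.25 is constructed, the function names are hypothetical, and `include:` is not resolved because the example runs offline.

```python
import ipaddress

# SPF record quoted in the first post of the thread
RECORD = ("v=spf1 ip4:66.150.167.155 ip4:66.150.167.157 ip4:66.150.167.158 "
          "ip4:207.32.184.190 include:_spf.google.com -all")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(client_ip, record):
    """Evaluate ip4 and all mechanisms left to right; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        # include:, a, mx and similar need DNS. Assumption for this offline
        # example: they do not match the connecting IP, so move to the next term.
    return "neutral"                         # no mechanism matched

def receiver_decision(client_ip, record, trusted_forwarders=()):
    """Receiving-host policy: do not check SPF for known non-rewriting forwarders."""
    if client_ip in trusted_forwarders:
        return "accept (SPF not checked: trusted forwarder)"
    result = spf_result(client_ip, record)
    return "reject" if result == "fail" else f"accept ({result})"

FORWARDER_IP = "192.0.2.25"  # constructed: outbound IP of the re-direction service

if __name__ == "__main__":
    print(spf_result("66.150.167.155", RECORD))                      # direct delivery
    print(spf_result(FORWARDER_IP, RECORD))                          # same mail, forwarded
    print(spf_result(FORWARDER_IP, RECORD.replace("-all", "~all")))  # softer policy
    print(receiver_decision(FORWARDER_IP, RECORD))
    print(receiver_decision(FORWARDER_IP, RECORD, {FORWARDER_IP}))
```

The envelope sender is unchanged by a non-rewriting forwarder, so the receiver still looks up geocaching.com's record while seeing the forwarder's IP, which is why only the last call accepts the message under "-all".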
