LazyLeopard
Posted October 11, 2012 (edited)

My ISP has recently started using a Microsoft Exchange server in place of a previous server which actually worked. Since the change-over I've noticed that some emails sent from geocaching.com and re-directed to my ISP via an email domain re-direction service have not been getting through.

As far as I can tell, the problem is partly because geocaching uses a FAIL ("reject this email") SPF record like this:

geocaching.com TXT "v=spf1 ip4:66.150.167.155 ip4:66.150.167.157 ip4:66.150.167.158 ip4:207.32.184.190 include:_spf.google.com -all"

My ISP sees the "-all" (which means "reject this email"), notes that the email is coming from the re-directing service instead of from one of the listed IPs, and rejects it. This is not good.

I've submitted a bug report to the re-directing service, on the off-chance that there's something they should be doing but aren't. Other than that, I've no idea how else to get round it without either getting emails sent to my ISP directly (which is a work-around I've implemented for now, but would prefer not to use long-term) or by changing my ISP (which would be a pain)...

I note that big email-generating sites tend not to use "-all" (FAIL), but rather "~all" (SOFTFAIL) or "?all" (NEUTRAL).

Edited October 11, 2012 by LazyLeopard

Justin
Posted October 11, 2012

While you can say the problem is partly because we hard fail, our configuration decision should have no ill effects in a properly configured environment. We use hard fail to deter spammers from spoofing our domains, and the false positive rate from SPF rejection is very low.

After reviewing your mail logs, I think you've correctly assessed the issue. However, forwarders are set up by the recipient mail host and are the responsibility of the recipient mail host. As a sender, we should not have to worry about forwarders.

You mentioned that your host recently provisioned a new email server. I would suspect that they've provisioned it incorrectly:

> For non-sender-rewriting forwarders, accept all mail without checking SPF (any SPF results are meaningless)

Source

LazyLeopard (Author)
Posted October 11, 2012

> You mentioned that your host recently provisioned a new email server. I would suspect that they've provisioned it incorrectly:
>
> For non-sender-rewriting forwarders, accept all mail without checking SPF (any SPF results are meaningless)

Indeed. I, personally, would consign SPF (or at least SPF FAIL) to the bit-bucket, as it causes more problems than it solves.

My ISP is not following best practice, and is being stubbornly clueless about non-sender-rewriting forwarders. My forwarder won't do sender re-writing.

I posted here mainly to give other folk struck by the same problem something to find...

Thanks for your time.
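
Added example, not part of any post in this thread: a minimal SPF evaluator (only the ip4, include and all mechanisms, a subset of RFC 7208) run over the record quoted above, showing why mail relayed by a forwarder that keeps the original envelope sender gets a fail from "-all", while a rewritten envelope sender is checked against the forwarder's own record. The forwarder domain and its record, the _spf.google.com stand-in record, and the sender and forwarder addresses are constructed assumptions.

```python
import ipaddress

# Only the geocaching.com record comes from the thread. The other two records
# and the forwarder/sender addresses are constructed for this example.
RECORDS = {
    "geocaching.com": "v=spf1 ip4:66.150.167.155 ip4:66.150.167.157 "
                      "ip4:66.150.167.158 ip4:207.32.184.190 "
                      "include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",       # constructed stand-in
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",  # constructed
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=RECORDS):
    """Evaluate the ip4, include and all mechanisms of a domain's SPF record."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the nested evaluation returns pass
            matched = check_host(ip, arg, records) == "pass"
        else:
            continue  # mechanisms outside this subset are ignored here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def receiver_verdict(connecting_ip, mail_from):
    """SPF is checked against the domain of the envelope sender (MAIL FROM)."""
    return check_host(connecting_ip, mail_from.rsplit("@", 1)[1])

def scenarios():
    fwd_ip = "198.51.100.7"  # constructed address of the forwarding service
    return {
        "direct": receiver_verdict("66.150.167.155", "noreply@geocaching.com"),
        "forwarded_unrewritten": receiver_verdict(fwd_ip, "noreply@geocaching.com"),
        "forwarded_rewritten": receiver_verdict(fwd_ip, "bounce@forwarder.example"),
    }

if __name__ == "__main__":
    print(scenarios())
```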