Mail Redirection To Xtra and SPF

Forums › Spark New Zealand (including Skinny and BigPipe) › Mail Redirection To Xtra and SPF

Paul1977

3132 posts

Uber Geek

#208574 17-Feb-2017 15:24

We have had a couple NDRs over the last week or so based on Xtra's SPF policy.

We have an SPF record locked down to our mail servers IP address.

However, when we send an email to an address which is then redirected to an Xtra address we get an NDR - presumably because it is looking at the forwarding servers IP address rather than ours.

E.g. user@fakedomain.co.nz is forwarding to fakedomain@xtra.co.nz. If I send a message to user@fakedomain.co.nz it bounces back saying it was rejected by mx.xtra.co.nz based on SPF policy. Sending directly to fakedomain@xtra.co.nz is fine.

Mail forwarding of this nature is not uncommon, nor is having an SPF record. Surely this isn't expected behaviour by the Xtra servers?

1 | 2

/dev/null
9302 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#1721891 17-Feb-2017 15:47

I had the same problem with my domain.

In the end I set SPF to Softfail (~all instead of -all) along with using DKIM and also DMARC set to strict mode. This means that whilst SPF may go through with Neutral or Fail as long as DKIM passes the email should go through fine without hitting spam. I often get the following with email being sent from my Google account:

SPF: NEUTRAL with IP 43.228.*.*
DKIM: PASS with domain murfy.nz
DMARC: PASS

Dairyxox

1509 posts

Uber Geek

#1721892 17-Feb-2017 15:49

I'm seeing similar stuff...

Has your reply got this in the body?

...snip

MailEnable: Message could not be delivered to some recipients.

The following recipient(s) could not be reached:

Recipient: [SMTP:someone@xtra.co.nz]

Reason: 550 5.7.1 Message rejected due to SPF policy

Message contents follow:

.../snip

Paul1977

3132 posts

Uber Geek

#1721900 17-Feb-2017 16:02

Dairyxox:

I'm seeing similar stuff...

Has your reply got this in the body?

...snip

MailEnable: Message could not be delivered to some recipients.

The following recipient(s) could not be reached:

Recipient: [SMTP:someone@xtra.co.nz]

Reason: 550 5.7.1 Message rejected due to SPF policy

Message contents follow:

.../snip

Yep, that's the one.

EDIT: Not exactly the same as that, but they have the same important part 550 5.7.1 Message rejected due to SPF policy. And on the ones I have the headers clearly show that the rejecting server is mx.xtra.co.nz.

Paul1977

3132 posts

Uber Geek

#1721904 17-Feb-2017 16:10

michaelmurfy:

I had the same problem with my domain.

In the end I set SPF to Softfail (~all instead of -all) along with using DKIM and also DMARC set to strict mode. This means that whilst SPF may go through with Neutral or Fail as long as DKIM passes the email should go through fine without hitting spam. I often get the following with email being sent from my Google account:

SPF: NEUTRAL with IP 43.228.*.*
DKIM: PASS with domain murfy.nz
DMARC: PASS

Maybe I'm being ignorant, but what is the point of having an SPF at all if it is set to softfail?

EDIT: I guess to stop it being flagged as spam because it doesn't have an SPF at all?

michaelmurfy

/dev/null
9302 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#1721933 17-Feb-2017 16:44

Paul1977:

Maybe I'm being ignorant, but what is the point of having an SPF at all if it is set to softfail?

EDIT: I guess to stop it being flagged as spam because it doesn't have an SPF at all?

Prevents email from being flagged as spam mainly. Google and some other providers also refuses to work correctly with SPF even if you "allow" it so having strict SPF will cause most emails to bounce (had that issue - was terrible). Having DKIM and DMARC helps prevent unauthorized senders further even if SPF is set to softfail.

SPF accept + DKIM accept = Email accepted.
SPF Neutral + DKIM accept = Email accepted.
SPF Neutral / Fail + DKIM fail = DMARC fail, email bounced (assuming email server knows about DMARC) and report sent to my domain.

Paul1977

3132 posts

Uber Geek

#1721939 17-Feb-2017 17:04

michaelmurfy:

Paul1977:

Maybe I'm being ignorant, but what is the point of having an SPF at all if it is set to softfail?

EDIT: I guess to stop it being flagged as spam because it doesn't have an SPF at all?

Prevents email from being flagged as spam mainly. Google and some other providers also refuses to work correctly with SPF even if you "allow" it so having strict SPF will cause most emails to bounce (had that issue - was terrible). Having DKIM and DMARC helps prevent unauthorized senders further even if SPF is set to softfail.

SPF accept + DKIM accept = Email accepted.
SPF Neutral + DKIM accept = Email accepted.
SPF Neutral / Fail + DKIM fail = DMARC fail, email bounced (assuming email server knows about DMARC) and report sent to my domain.

We currently don't have DKIM setup because, while the vast bulk of our emails are sent from our own Exchange server, we have some emails sent from a third party cloud provider that we have no control over (they are sent with our domain name and we have added their IP to the SPF).

If we changed SPF to softfail and setup DKIM and DEMARC then any emails from the third party provider would have SPF accept + DKIM fail. Would that be DEMARC accept or DEMARC fail? What would SPF accept + DKIM fail mean for a recipient server that doesn't understand DEMARC?

EDIT: Corrected error (typed DKIM when I meant DEMARC)

hio77

'That VDSL Cat'
12151 posts

Uber Geek

Trusted

Spark

Subscriber

#1721940 17-Feb-2017 17:06

Please contact Bussines broadband (126 / 0800 Business) to have this logged.

That is the only way this will be resolved.

for those few of you technically capable, PM me and i could possibly follow up directly to make less of a effort to get to resolution.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

nunz

1423 posts

Uber Geek
Inactive user

#1725865 24-Feb-2017 19:45

hio77:

Please contact Bussines broadband (126 / 0800 Business) to have this logged.

That is the only way this will be resolved.

for those few of you technically capable, PM me and i could possibly follow up directly to make less of a effort to get to resolution.

Ha ha ha he he he bonk!!!!!

We have one client who is getting hit in so many ways and getting the run around. I could easily rack up 20 hours plus per week dealing with this on the phone. The best option is to use yahoo directly using the "wrong" settings. This works and maybe will fail when smx / xtra / spark finally get this mess completed but up until now is the best way to get consistent mail working.

SPF Record failed: http://www.geekzone.co.nz/forums.asp?forumid=39&topicid=208517

Now getting bounced by yahoo.co.uk as a spam sender , despite going through xtra email system and they have a clean black list.

Also the new mail portal failing: https://www.spark.co.nz/myspark/ doesn't take legit email address and password.

SMX's draconian regime for dumping spam is ridiculously hard on people who have "road warriors" or really anyone who wants to send email. One 23 page PDf was dumped as there was a link to a legitimate article on a website that had a page( one out of thousands) that was once used in a mail out campaign for some medical product - yet the page linked had none of that and again, 120 plus black lists didn't think their reputation was an issue. We had to encrypt the content to get it sent to the publisher / printer.

richms

23281 posts

Uber Geek

Trusted

Subscriber

#1725872 24-Feb-2017 19:51

If people are going to bounce mails on to another provider than this is the expected behaviour.

Forward it instead so that it is coming from the correct sender for the server that is connecting to xtra.

I have had this with other providers in the past when I have had to deal with PITA self hosting idiots that decided that sending the company mail on to their staffs ISP address was a good idea. Some of them used an ISP in aussie that had proper rejection of SPF fails rather than dumping them in the spam folder and this happened.

Expected me to change the SPF record for a domain that daily mail outs were sent from inorder to accomodate their absurd configuration on their server. I told them just to subscribe the peoples ISP addresses instead.

Richard rich.ms

hio77

'That VDSL Cat'
12151 posts

Uber Geek

Trusted

Spark

Subscriber

#1725884 24-Feb-2017 20:12

nunz:

Ha ha ha he he he bonk!!!!!

We have one client who is getting hit in so many ways and getting the run around. I could easily rack up 20 hours plus per week dealing with this on the phone. The best option is to use yahoo directly using the "wrong" settings. This works and maybe will fail when smx / xtra / spark finally get this mess completed but up until now is the best way to get consistent mail working.

If the client has already raised this case, i'd certainly love to follow up it and get to the bottom without the run around going on any further.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

nunz

1423 posts

Uber Geek
Inactive user

#1726167 25-Feb-2017 16:35

michaelmurfy:

I had the same problem with my domain.

In the end I set SPF to Softfail (~all instead of -all) along with using DKIM and also DMARC set to strict mode. This means that whilst SPF may go through with Neutral or Fail as long as DKIM passes the email should go through fine without hitting spam. I often get the following with email being sent from my Google account:

SPF: NEUTRAL with IP 43.228.*.*
DKIM: PASS with domain murfy.nz
DMARC: PASS

Same with us. Less secure now.

nunz

1423 posts

Uber Geek
Inactive user

#1726175 25-Feb-2017 16:47

hio77:

nunz:

Ha ha ha he he he bonk!!!!!

We have one client who is getting hit in so many ways and getting the run around. I could easily rack up 20 hours plus per week dealing with this on the phone. The best option is to use yahoo directly using the "wrong" settings. This works and maybe will fail when smx / xtra / spark finally get this mess completed but up until now is the best way to get consistent mail working.

If the client has already raised this case, i'd certainly love to follow up it and get to the bottom without the run around going on any further.

it has been escalated multiple times. it has been escalated to yahoo.

it has been escalated to SMX.

it has been raised with yahoo / spark.

After 2 hours , zero minutes and zero seconds , on phone waiting in queue, yesterday I got dumped - methinks they are now dumping calls in their queues.

We've set them up a new mail server, set up new records and am popping ( when it doesn't get borked up again,) mail from xtra into the new mail server. we mostly pop and imap exisiting mail using the wrong settings (ie yahoo mail settings direct) except yesteraday they couldn't even log onto the webmail as again some nerf herding frack artist had stuffed things up even for webmail.

anyone else enjoying logging in 3 or 4 times and getting multiple redirects around the block after going to the official web mail log in URL for xtra - webmail.xtra.co.nz - bloody shambles.

Just when I thought there was nothing more they could do to make me think less of their technical expertise(sic)

biggal

440 posts

Ultimate Geek

#1726220 25-Feb-2017 19:00

there is a problem i saw the other day

https://list.waikato.ac.nz/pipermail/nznog/2017-February/date.html

tdgeek

20506 posts

Uber Geek

Trusted

Lifetime subscriber

#1726225 25-Feb-2017 19:14

nunz:

hio77:

nunz:

Ha ha ha he he he bonk!!!!!

We have one client who is getting hit in so many ways and getting the run around. I could easily rack up 20 hours plus per week dealing with this on the phone. The best option is to use yahoo directly using the "wrong" settings. This works and maybe will fail when smx / xtra / spark finally get this mess completed but up until now is the best way to get consistent mail working.

If the client has already raised this case, i'd certainly love to follow up it and get to the bottom without the run around going on any further.

it has been escalated multiple times. it has been escalated to yahoo.

it has been escalated to SMX.

it has been raised with yahoo / spark.

After 2 hours , zero minutes and zero seconds , on phone waiting in queue, yesterday I got dumped - methinks they are now dumping calls in their queues.

We've set them up a new mail server, set up new records and am popping ( when it doesn't get borked up again,) mail from xtra into the new mail server. we mostly pop and imap exisiting mail using the wrong settings (ie yahoo mail settings direct) except yesteraday they couldn't even log onto the webmail as again some nerf herding frack artist had stuffed things up even for webmail.

anyone else enjoying logging in 3 or 4 times and getting multiple redirects around the block after going to the official web mail log in URL for xtra - webmail.xtra.co.nz - bloody shambles.

Just when I thought there was nothing more they could do to make me think less of their technical expertise(sic)

I'm sure if you PM'ed Hio77 with the ticket numbers for each of escalations to Yahoo, SMX and Spark, they can be looked into

hio77

'That VDSL Cat'
12151 posts

Uber Geek

Trusted

Spark

Subscriber

#1726656 26-Feb-2017 20:17

tdgeek:

I'm sure if you PM'ed Hio77 with the ticket numbers for each of escalations to Yahoo, SMX and Spark, they can be looked into

Soapboxing seems more important here.. have offered this multiple times :/

Personally I have seen one case of SPF issues pass my desk, and it was followed up directly with someone to look into it instantly. A response was back to the client within the day.

biggal:

there is a problem i saw the other day

https://list.waikato.ac.nz/pipermail/nznog/2017-February/date.html

This nznog post died down pretty fast when i responded reminding people to report it so it can actually be looked at.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

1 | 2