Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


Paul1977

5039 posts

Uber Geek


#208574 17-Feb-2017 15:24
Send private message

We have had a couple NDRs over the last week or so based on Xtra's SPF policy.

 

We have an SPF record locked down to our mail servers IP address.

 

However, when we send an email to an address which is then redirected to an Xtra address we get an NDR - presumably because it is looking at the forwarding servers IP address rather than ours.

 

E.g. user@fakedomain.co.nz is forwarding to fakedomain@xtra.co.nz. If I send a message to user@fakedomain.co.nz it bounces back saying it was rejected by mx.xtra.co.nz based on SPF policy. Sending directly to fakedomain@xtra.co.nz is fine.

 

Mail forwarding of this nature is not uncommon, nor is having an SPF record. Surely this isn't expected behaviour by the Xtra servers?


View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1721891 17-Feb-2017 15:47
Send private message

I had the same problem with my domain.

 

In the end I set SPF to Softfail (~all instead of -all) along with using DKIM and also DMARC set to strict mode. This means that whilst SPF may go through with Neutral or Fail as long as DKIM passes the email should go through fine without hitting spam. I often get the following with email being sent from my Google account:

 

SPF: NEUTRAL with IP 43.228.*.*
DKIM: PASS with domain murfy.nz
DMARC: PASS





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.




Dairyxox
1594 posts

Uber Geek


  #1721892 17-Feb-2017 15:49
Send private message

I'm seeing similar stuff...

 

Has your reply got this in the body?

 

 

 

 

...snip

 

MailEnable: Message could not be delivered to some recipients.

 

The following recipient(s) could not be reached:

 

 

 

                Recipient: [SMTP:someone@xtra.co.nz]

 

                Reason: 550 5.7.1 Message rejected due to SPF policy

 

 

 

 

 

Message contents follow:

 

.../snip

 


Paul1977

5039 posts

Uber Geek


  #1721900 17-Feb-2017 16:02
Send private message

Dairyxox:

 

I'm seeing similar stuff...

 

Has your reply got this in the body?

 

 

 

 

...snip

 

MailEnable: Message could not be delivered to some recipients.

 

The following recipient(s) could not be reached:

 

 

 

                Recipient: [SMTP:someone@xtra.co.nz]

 

                Reason: 550 5.7.1 Message rejected due to SPF policy

 

 

 

 

 

Message contents follow:

 

.../snip

 

 

 

Yep, that's the one.

 

EDIT: Not exactly the same as that, but they have the same important part 550 5.7.1 Message rejected due to SPF policy. And on the ones I have the headers clearly show that the rejecting server is mx.xtra.co.nz.




Paul1977

5039 posts

Uber Geek


  #1721904 17-Feb-2017 16:10
Send private message

michaelmurfy:

 

I had the same problem with my domain.

 

In the end I set SPF to Softfail (~all instead of -all) along with using DKIM and also DMARC set to strict mode. This means that whilst SPF may go through with Neutral or Fail as long as DKIM passes the email should go through fine without hitting spam. I often get the following with email being sent from my Google account:

 

SPF: NEUTRAL with IP 43.228.*.*
DKIM: PASS with domain murfy.nz
DMARC: PASS

 

 

Maybe I'm being ignorant, but what is the point of having an SPF at all if it is set to softfail?

 

EDIT: I guess to stop it being flagged as spam because it doesn't have an SPF at all?


michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1721933 17-Feb-2017 16:44
Send private message

Paul1977:

 

 

 

Maybe I'm being ignorant, but what is the point of having an SPF at all if it is set to softfail?

 

EDIT: I guess to stop it being flagged as spam because it doesn't have an SPF at all?

 

 

Prevents email from being flagged as spam mainly. Google and some other providers also refuses to work correctly with SPF even if you "allow" it so having strict SPF will cause most emails to bounce (had that issue - was terrible). Having DKIM and DMARC helps prevent unauthorized senders further even if SPF is set to softfail.

 

SPF accept + DKIM accept = Email accepted.
SPF Neutral + DKIM accept = Email accepted.
SPF Neutral / Fail + DKIM fail = DMARC fail, email bounced (assuming email server knows about DMARC) and report sent to my domain.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


Paul1977

5039 posts

Uber Geek


  #1721939 17-Feb-2017 17:04
Send private message

michaelmurfy:

 

Paul1977:

 

 Maybe I'm being ignorant, but what is the point of having an SPF at all if it is set to softfail?

 

EDIT: I guess to stop it being flagged as spam because it doesn't have an SPF at all?

 

 

Prevents email from being flagged as spam mainly. Google and some other providers also refuses to work correctly with SPF even if you "allow" it so having strict SPF will cause most emails to bounce (had that issue - was terrible). Having DKIM and DMARC helps prevent unauthorized senders further even if SPF is set to softfail.

 

SPF accept + DKIM accept = Email accepted.
SPF Neutral + DKIM accept = Email accepted.
SPF Neutral / Fail + DKIM fail = DMARC fail, email bounced (assuming email server knows about DMARC) and report sent to my domain.

 

 

We currently don't have DKIM setup because, while the vast bulk of our emails are sent from our own Exchange server, we have some emails sent from a third party cloud provider that we have no control over (they are sent with our domain name and we have added their IP to the SPF).

 

If we changed SPF to softfail and setup DKIM and DEMARC then any emails from the third party provider would have SPF accept + DKIM fail. Would that be DEMARC accept or DEMARC fail? What would SPF accept + DKIM fail mean for a recipient server that doesn't understand DEMARC?

 

EDIT: Corrected error (typed DKIM when I meant DEMARC)


hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #1721940 17-Feb-2017 17:06
Send private message

Please contact Bussines broadband (126 / 0800 Business) to have this logged.

 

 

 

That is the only way this will be resolved.

 

for those few of you technically capable, PM me and i could possibly follow up directly to make less of a effort to get to resolution.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


 
 
 

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.
nunz
1421 posts

Uber Geek
Inactive user


  #1725865 24-Feb-2017 19:45
Send private message

hio77:

 

Please contact Bussines broadband (126 / 0800 Business) to have this logged.

 

 

 

That is the only way this will be resolved.

 

for those few of you technically capable, PM me and i could possibly follow up directly to make less of a effort to get to resolution.

 

 

 

 

Ha ha ha he he he bonk!!!!!

 

 

 

We have one client who is getting hit in so many ways and getting the run around. I could easily rack up 20 hours plus per week dealing with this on the phone. The best option is to use yahoo directly using the "wrong" settings. This works and maybe will fail when smx / xtra  / spark finally get this mess completed but up until now is the best way to get consistent mail working.

 

 

 

SPF Record failed: http://www.geekzone.co.nz/forums.asp?forumid=39&topicid=208517

 

Now getting bounced by yahoo.co.uk as a spam sender , despite going through xtra email system and they have a clean black list.

 

Also the new mail portal failing: https://www.spark.co.nz/myspark/   doesn't take legit email address and password.

 

SMX's draconian regime for dumping spam is ridiculously hard on people who have "road warriors" or really anyone who wants to send email. One 23 page PDf was dumped as there was a link to a legitimate article on a website that had a page( one out of thousands)  that was once used in a mail out campaign for some medical product - yet the page linked had none of that and again, 120 plus black lists didn't think their reputation was an issue.  We had to encrypt the content to get it sent to the publisher / printer.

 

 

 

 


richms
28168 posts

Uber Geek

Trusted
Lifetime subscriber

  #1725872 24-Feb-2017 19:51
Send private message

If people are going to bounce mails on to another provider than this is the expected behaviour.

 

Forward it instead so that it is coming from the correct sender for the server that is connecting to xtra.

 

I have had this with other providers in the past when I have had to deal with PITA self hosting idiots that decided that sending the company mail on to their staffs ISP address was a good idea. Some of them used an ISP in aussie that had proper rejection of SPF fails rather than dumping them in the spam folder and this happened.

 

Expected me to change the SPF record for a domain that daily mail outs were sent from inorder to accomodate their absurd configuration on their server. I told them just to subscribe the peoples ISP addresses instead.





Richard rich.ms

hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #1725884 24-Feb-2017 20:12
Send private message

nunz:

 

 

 

Ha ha ha he he he bonk!!!!!

 

 

 

We have one client who is getting hit in so many ways and getting the run around. I could easily rack up 20 hours plus per week dealing with this on the phone. The best option is to use yahoo directly using the "wrong" settings. This works and maybe will fail when smx / xtra  / spark finally get this mess completed but up until now is the best way to get consistent mail working.

 

 

 

 

 

If the client has already raised this case, i'd certainly love to follow up it and get to the bottom without the run around going on any further.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


nunz
1421 posts

Uber Geek
Inactive user


  #1726167 25-Feb-2017 16:35
Send private message

michaelmurfy:

 

I had the same problem with my domain.

 

In the end I set SPF to Softfail (~all instead of -all) along with using DKIM and also DMARC set to strict mode. This means that whilst SPF may go through with Neutral or Fail as long as DKIM passes the email should go through fine without hitting spam. I often get the following with email being sent from my Google account:

 

SPF: NEUTRAL with IP 43.228.*.*
DKIM: PASS with domain murfy.nz
DMARC: PASS

 

 

+1

 

Same with us. Less secure now.


nunz
1421 posts

Uber Geek
Inactive user


  #1726175 25-Feb-2017 16:47
Send private message

hio77:

 

nunz:

 

 

 

Ha ha ha he he he bonk!!!!!

 

 

 

We have one client who is getting hit in so many ways and getting the run around. I could easily rack up 20 hours plus per week dealing with this on the phone. The best option is to use yahoo directly using the "wrong" settings. This works and maybe will fail when smx / xtra  / spark finally get this mess completed but up until now is the best way to get consistent mail working.

 

 

 

 

 

If the client has already raised this case, i'd certainly love to follow up it and get to the bottom without the run around going on any further.

 

 

 

 

it has been escalated multiple times. it has been escalated to yahoo.

 

it has been escalated to SMX.

 

it has been raised with yahoo  / spark.

 

After 2 hours , zero minutes and zero seconds , on phone waiting in queue, yesterday I got dumped - methinks they are now dumping calls in their queues.

 

We've set them up a new mail server, set up new records and am popping ( when it doesn't get borked up again,)  mail from xtra into the new mail server. we mostly pop and imap exisiting mail using the wrong settings (ie yahoo mail settings direct) except yesteraday they couldn't even log onto the webmail as again some nerf herding frack artist had stuffed things up even for webmail.

 

anyone else enjoying logging in 3 or 4 times and getting multiple redirects around the block after going to the official web mail log in URL for xtra - webmail.xtra.co.nz  - bloody shambles.

 

Just when I thought there was nothing more they could do to make me think less of their technical expertise(sic)

 

 

 

 

 

 

 

 


bigalow
566 posts

Ultimate Geek


  #1726220 25-Feb-2017 19:00
Send private message

there is a problem i saw the other day

 

https://list.waikato.ac.nz/pipermail/nznog/2017-February/date.html


tdgeek
29740 posts

Uber Geek

Trusted
Lifetime subscriber

  #1726225 25-Feb-2017 19:14
Send private message

nunz:

 

hio77:

 

nunz:

 

 

 

Ha ha ha he he he bonk!!!!!

 

 

 

We have one client who is getting hit in so many ways and getting the run around. I could easily rack up 20 hours plus per week dealing with this on the phone. The best option is to use yahoo directly using the "wrong" settings. This works and maybe will fail when smx / xtra  / spark finally get this mess completed but up until now is the best way to get consistent mail working.

 

 

 

 

 

If the client has already raised this case, i'd certainly love to follow up it and get to the bottom without the run around going on any further.

 

 

 

 

it has been escalated multiple times. it has been escalated to yahoo.

 

it has been escalated to SMX.

 

it has been raised with yahoo  / spark.

 

After 2 hours , zero minutes and zero seconds , on phone waiting in queue, yesterday I got dumped - methinks they are now dumping calls in their queues.

 

We've set them up a new mail server, set up new records and am popping ( when it doesn't get borked up again,)  mail from xtra into the new mail server. we mostly pop and imap exisiting mail using the wrong settings (ie yahoo mail settings direct) except yesteraday they couldn't even log onto the webmail as again some nerf herding frack artist had stuffed things up even for webmail.

 

anyone else enjoying logging in 3 or 4 times and getting multiple redirects around the block after going to the official web mail log in URL for xtra - webmail.xtra.co.nz  - bloody shambles.

 

Just when I thought there was nothing more they could do to make me think less of their technical expertise(sic)

 

 

 

 

 

 

 

 

 

 

I'm sure if you PM'ed Hio77 with the ticket numbers for each of escalations to Yahoo, SMX and Spark, they can be looked into


hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #1726656 26-Feb-2017 20:17
Send private message

tdgeek:

 

 

 

I'm sure if you PM'ed Hio77 with the ticket numbers for each of escalations to Yahoo, SMX and Spark, they can be looked into

 

 

Soapboxing seems more important here.. have offered this multiple times :/

 

 

 

Personally I have seen one case of SPF issues pass my desk, and it was followed up directly with someone to look into it instantly. A response was back to the client within the day.

 

biggal:

 

there is a problem i saw the other day

 

https://list.waikato.ac.nz/pipermail/nznog/2017-February/date.html

 

 

This nznog post died down pretty fast when i responded reminding people to report it so it can actually be looked at.

 

 

 

 





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00


eero Pro 7 Review
Posted 23-Jul-2025 12:07


BeeStation Plus Review
Posted 21-Jul-2025 14:21


eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01


WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32


RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26


Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24


Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05


Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01


Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01


Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22


Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46


Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42


D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34


Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15









Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.