Geekzone: technology news, blogs, forums
dimsim

867 posts

Ultimate Geek
+1 received by user: 151

Trusted
Lifetime subscriber

#201914 9-Sep-2016 11:58
Send private message

Having some issues with email sent via Amazon SES failing SPF and being rejected by my Exchange Server.

The From address is @<senderdomain> and the return path is @..amazonses.com

The Amazon documentation says nothing needs to be done to SPF with this configuration, as the return path will get checked for SPF and will pass, since the sending server will be within the Amazon SPF records.

I think where it is failing is that the FROM address (@<senderdomain>) also has an SPF record and Exchange is checking that first, finds an SPF which doesn't include Amazon and subsequently fails the message.

Has anyone encountered this, or know the actual process Exchange uses to validate SPF, e.g. FROM address then Return-Path address?

My guess is that if you have gone to the trouble of creating an SPF record for your domain then ALL hosts that send mail should be listed in that record.


timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #1626460 9-Sep-2016 12:01
Send private message

Are you sure the from SPF is correctly marking the Amazon IP/domain as an authorised sender? Paste in some headers. If you want to share the details, here or by PM, I can poke about and have a look tonight.

I set up SPF and DKIM for all my domains, and I've just started with DMARC.




dimsim

867 posts

Ultimate Geek
+1 received by user: 151

Trusted
Lifetime subscriber

  #1626463 9-Sep-2016 12:08
Send private message

timmmay:

Are you sure the from SPF is correctly marking the Amazon IP/domain as an authorised sender? Paste in some headers. If you want to share the details, here or by PM, I can poke about and have a look tonight.

I set up SPF and DKIM for all my domains, and I've just started with DMARC.

The FROM SPF doesn't mention Amazon at all, which is my point. See below.

The sending servers are in the 54.240.27.xxx range, which are Amazon's.

 

 


timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #1626466 9-Sep-2016 12:12
Send private message

Well there's your problem. Follow the instructions on this page to add appropriate TXT SPF records and it should resolve once the DNS cache refreshes (also known as DNS propagation).




Inphinity
2780 posts

Uber Geek
+1 received by user: 1184


  #1626482 9-Sep-2016 12:24
Send private message

I believe the difference is that Sender ID validates the sender address, whereas the SPF standard validates the MAIL FROM domain header in the envelope. As such, Sender ID performs more checks than the SPF standard framework, but uses SPF records to do it, resulting in issues requiring both the MAIL FROM domain and the sender's domain to have include:amazonses.com in their SPF records.
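An added illustration of the distinction Inphinity describes (example code, not from the thread or from Amazon): a minimal SPF evaluator run against a constructed in-memory DNS table, checking both the envelope MAIL FROM domain (plain SPF) and the header From domain (Sender ID / PRA style). The domain names, IP ranges and SPF records below are constructed for the example and are not Amazon's real records.

```python
# Added example, not from the thread: why a message whose Return-Path is
# @amazonses.com passes an envelope (MAIL FROM) SPF check but fails a
# Sender ID / PRA-style check on the header From domain until that domain's
# SPF record includes amazonses.com. Only ip4, include and -all/~all are
# implemented; every record and address here is constructed.
import ipaddress

FAKE_DNS = {
    "amazonses.com": "v=spf1 ip4:54.240.27.0/24 -all",          # constructed
    "senderdomain.example": "v=spf1 ip4:203.0.113.0/24 -all",  # no SES include
    "fixed.example": "v=spf1 ip4:203.0.113.0/24 include:amazonses.com -all",
}

def check_spf(domain, ip, dns=FAKE_DNS, depth=0):
    """Return 'pass', 'fail', 'softfail' or 'none' for ip sending as domain."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            # include: matches only if the referenced record itself yields pass
            if check_spf(term[8:], ip, dns, depth + 1) == "pass":
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "none"

def evaluate_message(header_from, return_path, client_ip, dns=FAKE_DNS):
    """Evaluate both identities a receiver may check, as the thread describes."""
    mail_from_domain = return_path.rsplit("@", 1)[1]   # envelope / Return-Path
    pra_domain = header_from.rsplit("@", 1)[1]         # header From (Sender ID)
    return {
        "spf_mailfrom": check_spf(mail_from_domain, client_ip, dns),
        "senderid_pra": check_spf(pra_domain, client_ip, dns),
    }

if __name__ == "__main__":
    ip = "54.240.27.10"  # constructed address inside the SES range above
    # From domain lacks include:amazonses.com -> envelope passes, PRA fails
    print(evaluate_message("news@senderdomain.example", "bounce@amazonses.com", ip))
    # From domain with include:amazonses.com -> both checks pass
    print(evaluate_message("news@fixed.example", "bounce@amazonses.com", ip))
```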


ArcticSilver
731 posts

Ultimate Geek
+1 received by user: 148


  #1626501 9-Sep-2016 12:33
Send private message

dimsim:

timmmay:

Are you sure the from SPF is correctly marking the Amazon IP/domain as an authorised sender? Paste in some headers. If you want to share the details, here or by PM, I can poke about and have a look tonight.

I set up SPF and DKIM for all my domains, and I've just started with DMARC.

The FROM SPF doesn't mention Amazon at all, which is my point. See below.

The sending servers are in the 54.240.27.xxx range, which are Amazon's.

The from domain will NEED to have Amazon's IPs in an SPF record. SPF is all about validating where the mail came from, rather than the reply-to address (by my understanding).


dimsim

867 posts

Ultimate Geek
+1 received by user: 151

Trusted
Lifetime subscriber

  #1626503 9-Sep-2016 12:37
Send private message

timmmay:

Well there's your problem. Follow the instructions on this page to add appropriate TXT SPF records and it should resolve once the DNS cache refreshes (also known as DNS propagation).

That's what I thought, but despite multiple attempts to inform them of this problem, this rather large online store doesn't want to listen, hence their marketing emails constantly get rejected.

I would have thought that Amazon SNS notifications would be notifying them of these constant rejections? Is that what happens when the Return-Path is @...amazonses.com?


 
 
 
 

timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #1626511 9-Sep-2016 12:43
Send private message

I think emails that don't pass SPF are dropped, therefore no notification is possible. The domain after the @ needs to set up the SPF record - so if it's from bob@bob.com then the DNS for bob.com has to publish a TXT SPF record that specifies AWS SES as an allowed sender.

 

I think marketing emails being dropped is a good thing for the internet...


wazzageek
1095 posts

Uber Geek
+1 received by user: 108

ID Verified
Trusted
Lifetime subscriber

  #1627152 10-Sep-2016 19:31
Send private message

timmmay:

I think emails that don't pass SPF are dropped, therefore no notification is possible. The domain after the @ needs to set up the SPF record - so if it's from bob@bob.com then the DNS for bob.com has to publish a TXT SPF record that specifies AWS SES as an allowed sender.

I think marketing emails being dropped is a good thing for the internet...

Emails that don't pass SPF will be handled as per the receiving email server's setup.

Some servers may bounce the email, some may tag it for analysis by a spam filter, some may just drop the email on the floor.


timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #1627184 10-Sep-2016 21:24
Send private message

True, but the key point there is there's no reliable notification that can be given to the sender. Actually, nothing about email is reliable.


Bugzptr
43 posts

Geek
+1 received by user: 5

ID Verified
Lifetime subscriber

  #1627246 11-Sep-2016 07:56
Send private message

This is where having set up DMARC is helpful.

You'll receive a report listing all the servers that sent email on behalf of your domain, and what their SPF and DKIM status was.

I've used it when a customer has a website that sends mail directly, for example. I saw the IP in the DMARC report and realised what was happening (i.e. it hadn't been realised that the website did that), so added the IP to the SPF record.

I use the services at https://www.dmarcian.com/login/?next=/mcontrol/

