Geekzone: technology news, blogs, forums
Topic # 201914 9-Sep-2016 11:58

Having some issues with email sent via Amazon SES failing SPF and being rejected by my Exchange Server.

The From address is @<senderdomain> and the return path is @..amazonses.com

The Amazon documentation says nothing needs to be done to SPF with this configuration as the return path will get checked for SPF and will pass as the sending server will be within the Amazon SPF records.

I think where it is failing is that the FROM address (@<senderdomain>) also has an SPF record and Exchange is checking that first, finds an SPF which doesn't include Amazon and subsequently fails the message.

Has anyone encountered this or know the actual process Exchange uses to validate SPF, e.g. FROM address then Return-Path address?

My guess is that if you have gone to the trouble of creating an SPF record for your domain then ALL hosts that send mail should be listed in that record.


  Reply # 1626460 9-Sep-2016 12:01

Are you sure the from SPF is correctly marking the Amazon IP/domain as an authorised sender? Paste in some headers. If you want to share the details, here or by PM, I can poke about and have a look tonight.

I set up SPF and DKIM for all my domains, and I've just started with DMARC.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer




  Reply # 1626463 9-Sep-2016 12:08

timmmay: Are you sure the from SPF is correctly marking the Amazon IP/domain as an authorised sender? Paste in some headers. If you want to share the details, here or by PM, I can poke about and have a look tonight. I set up SPF and DKIM for all my domains, and I've just started with DMARC.

The FROM SPF doesn't mention Amazon at all, which is my point. See below.

The sending servers are in the 54.240.27.xxx range, which are Amazon's.


  Reply # 1626466 9-Sep-2016 12:12

Well there's your problem. Follow the instructions on this page to add appropriate TXT SPF records and it should resolve once the DNS cache refreshes (also known as DNS propagation).







  Reply # 1626482 9-Sep-2016 12:24

I believe the difference is that Sender ID validates the sender address, whereas the SPF standard validates the MAIL FROM domain in the envelope. As such, Sender ID performs more checks than the SPF standard framework, but uses SPF records to do it, resulting in issues requiring both the MAIL FROM domain and the sender's domain to have include:amazonses.com in their SPF records.





Windows 7 x64 // i5-3570K // 16GB DDR3-1600 // GTX660Ti 2GB // Samsung 830 120GB SSD // OCZ Agility4 120GB SSD // Samsung U28D590D @ 3840x2160 & Asus PB278Q @ 2560x1440
Samsung Galaxy S5 SM-G900I w/Spark
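The distinction the original post asks about and the Sender ID reply above describes, worked as an added example (this is not code from the thread, from Exchange or from Amazon): a small SPF evaluator run over constructed DNS records. senderdomain.example stands in for the poster's <senderdomain>; the amazonses.com record, the 54.240.27.5 client IP and the bounce@amazonses.com Return-Path are assumed stand-ins for SES, not Amazon's real data. The same client IP is evaluated against the envelope MAIL FROM domain (what SPF, RFC 7208, checks) and against the header From domain (what Sender ID's PRA, RFC 4406, checks), first with the From domain's record as the thread describes it and then with include:amazonses.com added.

```python
"""Minimal SPF evaluator over a constructed DNS table.

Added example for this thread, not code from the original posts or from
Amazon. The records below are constructed: senderdomain.example stands in
for the poster's <senderdomain>, and the amazonses.com record is a
stand-in for Amazon's real SPF data, not a copy of it.
"""
import ipaddress

# Constructed TXT records (assumption: illustrative, not live DNS).
# senderdomain.example lists only its own mail server and corporate range;
# nothing in it authorises the 54.240.27.0/24 SES range.
DNS_TXT = {
    "senderdomain.example": "v=spf1 ip4:203.0.113.10 include:_spf.corp.example -all",
    "_spf.corp.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "amazonses.com": "v=spf1 ip4:54.240.27.0/24 -all",
}

# The fix suggested in the thread: the header-From domain includes SES.
DNS_TXT_FIXED = dict(
    DNS_TXT,
    **{"senderdomain.example":
       "v=spf1 ip4:203.0.113.10 include:_spf.corp.example include:amazonses.com -all"},
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=DNS_TXT, depth=0):
    """RFC 7208 check_host(): SPF result for client `ip` sending as `domain`.

    Supports ip4/ip6/include/all, which is enough to show the thread's case;
    a/mx/exists/redirect and macros are omitted.
    """
    if depth > 10:          # RFC 7208 caps DNS-lookup mechanisms at 10
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # `in` is False across address families, so ip6 terms never match an IPv4 client
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_host(ip, arg, dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"   # include of a missing record is an error
        # any other mechanism is treated as a non-match here
    return "neutral"            # no 'all' term: RFC default result


def evaluate_message(client_ip, mail_from, header_from, dns=DNS_TXT):
    """Run the two identities a receiver might check against `client_ip`.

    SPF proper checks the envelope MAIL FROM, i.e. the domain that ends up
    in Return-Path. Sender ID uses the same records but checks the PRA,
    normally the header From. A message relayed by SES with Return-Path
    @amazonses.com and From @senderdomain passes the first and fails the
    second unless senderdomain's record includes SES.
    """
    return {
        "spf_mailfrom": check_host(client_ip, mail_from.rpartition("@")[2], dns),
        "senderid_pra": check_host(client_ip, header_from.rpartition("@")[2], dns),
    }


if __name__ == "__main__":
    # Assumed identities for the SES message described in the thread.
    ses_ip, rp, frm = "54.240.27.5", "bounce@amazonses.com", "news@senderdomain.example"
    print("as published:", evaluate_message(ses_ip, rp, frm))
    print("with include:amazonses.com:", evaluate_message(ses_ip, rp, frm, DNS_TXT_FIXED))
```

Running it gives pass/fail for the record as published and pass/pass once the From domain's record includes SES; a receiver that evaluates the header From, as the poster believes Exchange does, only sees the second outcome after the fix. The added include also counts against the ten-lookup limit the evaluator enforces, which is worth checking before adding it to a record that already includes several providers.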

  Reply # 1626501 9-Sep-2016 12:33

dimsim:

timmmay: Are you sure the from SPF is correctly marking the Amazon IP/domain as an authorised sender? Paste in some headers. If you want to share the details, here or by PM, I can poke about and have a look tonight. I set up SPF and DKIM for all my domains, and I've just started with DMARC.

The FROM SPF doesn't mention Amazon at all, which is my point. See below.

The sending servers are in the 54.240.27.xxx range, which are Amazon's.

The from domain will NEED to have Amazon's IPs in an SPF record. SPF is all about validating where the mail came from, rather than the reply-to address (by my understanding).




  Reply # 1626503 9-Sep-2016 12:37

timmmay: Well there's your problem. Follow the instructions on this page to add appropriate TXT SPF records and it should resolve once the DNS cache refreshes (also known as DNS propagation).

That's what I thought, but despite multiple attempts to inform them of this problem, this rather large online store doesn't want to listen, hence their marketing emails constantly get rejected.

I would have thought that Amazon SNS notifications would be notifying them of these constant rejections? Is that what happens when the Return-Path is @...amazonses.com?


  Reply # 1626511 9-Sep-2016 12:43

I think emails that don't pass SPF are dropped, therefore no notification is possible. The domain after the @ needs to set up the SPF record - so if it's from bob@bob.com then the DNS for bob.com has to publish a TXT SPF record that specifies AWS SES as an allowed sender.

 

I think marketing emails being dropped is a good thing for the internet...








  Reply # 1627152 10-Sep-2016 19:31

timmmay: I think emails that don't pass SPF are dropped, therefore no notification is possible. The domain after the @ needs to set up the SPF record - so if it's from bob@bob.com then the DNS for bob.com has to publish a TXT SPF record that specifies AWS SES as an allowed sender. I think marketing emails being dropped is a good thing for the internet...

Emails that don't pass SPF will be handled as per the receiving email server's setup.

Some servers may bounce the email, some may tag it for analysis by a spam filter, some may just drop the email on the floor.


  Reply # 1627184 10-Sep-2016 21:24

True, but the key point there is there's no reliable notification that can be given to the sender. Actually, nothing about email is reliable.







  Reply # 1627246 11-Sep-2016 07:56

This is where having set up DMARC is helpful.

You'll receive a report listing all the servers that sent email on behalf of your domain, and what their SPF and DKIM status was.

I've used it when a customer has a website that sends mail directly, for example. I saw the IP in the DMARC report and realised what was happening (i.e. it hadn't been realised that the website did that) so added the IP to the SPF record.

I use the services at https://www.dmarcian.com/login/?next=/mcontrol/
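An added example of the kind of report the post above describes; this is not code from the thread or from dmarcian. It parses a DMARC aggregate (RUA) report, using a constructed report in the RFC 7489 Appendix C layout: the three source IPs (the domain's own MTA, an assumed SES relay at 54.240.27.5 that carries no DKIM signature for the domain, and a web server), the counts and the domain names are all constructed for illustration and do not come from a real report.

```python
"""Read a DMARC aggregate (RUA) report and list who sent as the domain.

Added example, not code from the thread or from dmarcian. The report below
is constructed in the RFC 7489 Appendix C layout; the IPs, domains and
counts are illustrative and do not come from a real report.
"""
import xml.etree.ElementTree as ET

# Constructed aggregate report. Three sources claim senderdomain.example in
# the header From: the domain's own MTA, an SES relay, and a web server.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1473292800.1</report_id>
    <date_range><begin>1473292800</begin><end>1473379199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>senderdomain.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>senderdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>senderdomain.example</domain><result>pass</result></dkim>
      <spf><domain>senderdomain.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>54.240.27.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>senderdomain.example</header_from></identifiers>
    <auth_results>
      <spf><domain>amazonses.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>senderdomain.example</header_from></identifiers>
    <auth_results>
      <spf><domain>senderdomain.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Flatten each <record> into a dict with raw and DMARC-evaluated results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        spf = rec.find("auth_results/spf")
        dkim = rec.find("auth_results/dkim")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            # policy_evaluated holds the *aligned* results the receiver used
            "dmarc_spf": rec.findtext("row/policy_evaluated/spf"),
            "dmarc_dkim": rec.findtext("row/policy_evaluated/dkim"),
            # auth_results holds the raw checks, including which domain passed
            "raw_spf_domain": spf.findtext("domain") if spf is not None else None,
            "raw_spf": spf.findtext("result") if spf is not None else None,
            "raw_dkim_domain": dkim.findtext("domain") if dkim is not None else None,
        })
    return rows


def unauthenticated_sources(xml_text):
    """Sources whose mail failed DMARC: neither SPF nor DKIM passed in alignment.

    An SES relay shows up here even though its raw SPF result is 'pass':
    that pass is for amazonses.com (the Return-Path domain), which is not
    aligned with the header From, so DMARC counts it as an SPF fail.
    """
    return [
        (r["source_ip"], r["count"], r["raw_spf_domain"], r["raw_spf"])
        for r in parse_report(xml_text)
        if r["dmarc_spf"] != "pass" and r["dmarc_dkim"] != "pass"
    ]


if __name__ == "__main__":
    for ip, n, spf_domain, spf_result in unauthenticated_sources(SAMPLE_REPORT):
        print(f"{ip:15} {n:5d} msgs  raw SPF {spf_result} for {spf_domain}  -> failed DMARC")
```

The SES row is the instructive one: the receiver's raw SPF result is pass, but for amazonses.com, the Return-Path domain, which does not align with the header From, so the DMARC-evaluated SPF is fail and, with no DKIM signature for the domain in this constructed case, the message fails DMARC altogether. That is how a report surfaces a relay the domain owner never listed, as the post describes for the website that sent mail directly.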

