

dimsim

848 posts

Ultimate Geek

Trusted
Lifetime subscriber

#292990 18-Dec-2021 14:21

I used to have my Exchange Server fail anything that didn't pass SPF but found I was constantly blocking email that I actually wanted.

I've since removed the block so I can actually receive those emails, but prior to this I made contact with several local businesses and helped them configure SPF correctly so I could receive their communications.

A big IT supplier of mine (no names mentioned) happens to think it's a great idea to send email as my domain when sending out MS licensing, and just thought that this would work, without consultation and from servers outside of my SPF record. Other suppliers (IT/Networking space) that should know better have also failed in this regard and, despite my pointing out the glaring errors, think there is nothing wrong with sending via a mail service like Mailchimp but not adding the Mailchimp include record to their SPF record.

Does anyone else see issues like this at all?


gorringS
71 posts

Master Geek


  #2835273 18-Dec-2021 14:50

Hi, you will probably find it won't be the SPF record alone that is stopping you sending emails. TXT record:

@    v=spf1 a mx ~all

You will also need a DKIM record as well. In order to generate that you need to download this: GitHub - Pro/dkim-exchange: DKIM Signing Agent for Microsoft Exchange Server




dimsim

848 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2835276 18-Dec-2021 14:56

I'm aware of DKIM - these incoming emails are failing purely on SPF, as the sender's SPF qualifier is set to hard fail.


BlakJak
1275 posts

Uber Geek

Trusted

  #2835278 18-Dec-2021 15:02

dimsim:

I used to have my Exchange Server fail anything that didn't pass SPF but found I was constantly blocking email that I actually wanted.

I've since removed the block so I can actually receive those emails but prior to this made contact with several local businesses and helped them configure SPF correctly so I could receive their communications.

A big IT supplier of mine (no names mentioned) happens to think it's a great idea to send email as my domain when sending out MS licensing and just thought that this would work but without consultation and from servers outside of my SPF record. Other suppliers (IT/Networking space) that should know better have also failed in this regard and despite pointing out the glaring errors think there is nothing wrong with sending via a mail service like mailchimp but not adding the mailchimp include record to their SPF record.

Does anyone else see issues like this at all?

If an IT provider you're working with can't understand the prerequisites to send out email 'as you' (it's impersonation if it's done without your consent!), you need a new IT provider.

SPF has been around for years; there's not really any excuse for getting this wrong.

But I will say, the number of IT professionals who don't understand the difference between From: and the envelope sender is also surprising.

But then again we have numerous big-name organisations that can't correctly send both plaintext and HTML versions of their emails, and don't understand the mandatory headers required by RFC, and and and... In larger organisations I wouldn't be surprised to see significant siloed thinking and people who literally don't carry any expertise for anything except for their own tasking. Including, for example, being trained in the use of a tool but not really understanding what that tool does.

I think of it in a similar way to the smartphone generation who are used to easy-to-use UX at the expense of anything that might provide you with technical context, or worse, troubleshooting.

"I'm sorry, something went wrong" is not as useful as an error code that you can look up, for example.

Symptomatic of some of my current frustrations in the industry.

endrant

No signature to see here, move along...



gorringS
71 posts

Master Geek


  #2835280 18-Dec-2021 15:04

You can try the above SPF record, as I've not had any fail using that record and it certainly passes all emails in both directions.


gorringS
71 posts

Master Geek


  #2835281 18-Dec-2021 15:07

gorringefamily.co.nz Lookup - SPF-Record, which shows the results of that record I shared with you.


dimsim

848 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2835284 18-Dec-2021 15:15

BlakJak:
dimsim:

I used to have my Exchange Server fail anything that didn't pass SPF but found I was constantly blocking email that I actually wanted.

I've since removed the block so I can actually receive those emails but prior to this made contact with several local businesses and helped them configure SPF correctly so I could receive their communications.

A big IT supplier of mine (no names mentioned) happens to think it's a great idea to send email as my domain when sending out MS licensing and just thought that this would work but without consultation and from servers outside of my SPF record. Other suppliers (IT/Networking space) that should know better have also failed in this regard and despite pointing out the glaring errors think there is nothing wrong with sending via a mail service like mailchimp but not adding the mailchimp include record to their SPF record.

Does anyone else see issues like this at all?

If an IT provider you're working with can't understand the prerequisites to send out email 'as you' (it's impersonation if it's done without your consent!), you need a new IT provider. SPF has been around for years, there's not really any excuse for getting this wrong. But I will say, the number of IT professionals who don't understand the difference between From: and the envelope-sender, is also surprising. But then again we have numerous big-name organisations that can't correctly send both plaintext and HTML versions of their emails, and don't understand the mandatory headers required by RFC, and and and... in larger organisations I wouldn't be surprised to see significant siloed thinking and people who literally don't carry any expertise for anything except for their own tasking. Including, for example, being trained in the use of a tool but not really understanding what that tool does. I think of it in a similar way to the smartphone generation who are used to easy-to-use UX at the expense of anything that might provide you with technical context, or worse, troubleshooting. "I'm sorry, something went wrong" is not as useful as an error code that you can look up, for example. Symptomatic of some of my current frustrations in the industry. endrant

Agree, but the problem lies with the sender's understanding of SPF and, to clarify, the problems I've discovered are related to the internal IT workers or responsible admins for that organisation's mail/DNS systems. Generally they will have an SPF record that covers their own servers/MX/hosts sending, but they neglect to include external organisations who are sending mail on their behalf with the From address at @theirdomain, for which they have an SPF record configured with a hard fail qualifier.


dimsim

848 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2835285 18-Dec-2021 15:16

gorringS:

gorringefamily.co.nz Lookup - SPF-Record which shows results of that record I shared with you

Thanks, I'm fully aware of SPF and how it is configured, but the problem here is related to the sender's possibly limited understanding of SPF.


gorringS
71 posts

Master Geek


  #2835289 18-Dec-2021 15:24

They're a bunch of idiots; if the 3rd party you're referring to has hard fail set or a misconfigured SPF record they certainly won't get much in the way of emails from anyone.


BlakJak
1275 posts

Uber Geek

Trusted

  #2835294 18-Dec-2021 15:58

dimsim:

Agree, but the problem lies with the senders understanding of SPF and to clarify, the problems I've discovered are related to the internal IT workers or responsible admins for that organisation's mail/dns systems. Generally they will have a SPF record that covers their own servers/mx/hosts sending, but they negate to include external organisations who are sending mail on their behalf with the From address at @theirdomain for which they have a SPF record configured with a hard fail qualifier.

I'll just spell it out again. If you own a domain, have email arranged for it and have explicitly set an SPF record with a hardfail, you're making it very clear other places cannot and should not send email on your behalf.

External organisations that send email on your behalf are either:

- Doing it with your consent, so you can talk to them about required changes to SPF to enable this, OR

- Doing it without your consent, so SPF is working exactly as designed.

It's one or the other. If your IT vendor/provider isn't working with you beforehand to cover off why they could possibly want to send email on behalf of your domain, they're incompetent, because IT vendors should 'just know' this stuff.

And for the record, there aren't many cases where a third party or cloud service needs to send email using your corporate/primary domain name. You can configure subdomains or alternate domains to suit the purpose. Or let them send using their own domain, and configure a Reply-To: header if you need to capture responses.

When selecting an arrangement for this you need to also consider backscatter (bounce errors), something else people often fail to think about.

Across my career I've found a variety of supposedly smart IT and IT-related vendors surprisingly hit-and-miss on doing this well.




No signature to see here, move along...
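A small offline SPF evaluator, added here to show the point made in the two posts above: under a hard-fail (-all) record, a bulk-mail provider's server fails for the MAIL FROM (envelope) domain until the domain owner adds the provider's include: mechanism, and a ~all record only softfails the same message. This is example code written for this page, not from Geekzone or any poster; the domain names, IP addresses, provider name and the DNS table are constructed placeholders standing in for real lookups.

```python
import copy
import ipaddress

# Constructed stand-in for DNS (placeholder names/IPs): a hard-fail domain plus a bulk-mail provider.
DNS = {
    "example.co.nz": {"TXT": ["v=spf1 a mx -all"], "A": ["203.0.113.10"], "MX": ["mail.example.co.nz"]},
    "mail.example.co.nz": {"A": ["203.0.113.20"]},
    "spf.bulkmail.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def zone_with_record(record, dns=DNS, domain="example.co.nz"):
    """Copy of the DNS table with the domain's SPF record swapped, to compare variants."""
    new = copy.deepcopy(dns)
    new[domain]["TXT"] = [record]
    return new

# The same zone after the admin adds the provider's include, as the thread recommends.
DNS_FIXED = zone_with_record("v=spf1 a mx include:spf.bulkmail.example -all")

def spf_check(domain, ip, dns=DNS, depth=0):
    """SPF result for ip sending MAIL FROM @domain (envelope sender, not the From: header)."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms; bound include recursion
        return "permerror"
    recs = [t for t in dns.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    if len(recs) != 1:                  # no record -> none; duplicate records -> permerror
        return "none" if not recs else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in recs[0].split()[1:]:
        qual = "+"                      # mechanisms default to the pass qualifier
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain          # a/mx default to the domain being checked
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in dns.get(target, {}).get("A", [])
        elif mech == "mx":
            hit = any(ip in dns.get(h, {}).get("A", []) for h in dns.get(target, {}).get("MX", []))
        elif mech == "include":
            hit = spf_check(arg, ip, dns, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism not implemented here
        if hit:
            return RESULT[qual]         # first matching mechanism decides
    return "neutral"                    # nothing matched and no explicit 'all'
```

Only the mechanisms the thread touches (a, mx, ip4, include, all) are implemented; a receiving server that rejects on "fail" behaves as the original poster's Exchange policy did.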

xpd
Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #2835300 18-Dec-2021 16:45

I've had SPF running for a while now, mainly because sending ANY emails to anyone @xtra was a massive fail :D Was a bit of fiddling but got there. Only just this week set up DKIM, but cheated, cPanel tells you step by step what you need :D

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree

dimsim

848 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2835301 18-Dec-2021 16:52

gorringS:

they bunch idiots if 3rd party you referring to has hard fail set or misconfigured spf record they certainly wont get much in way  emails from anyone.

Poor SPF configuration won't affect the 3rd party you're referring to RECEIVING email... it will simply hinder the delivery of email FROM that 3rd party, e.g. the message being junked due to a soft/hard qualifier, or failed if the receiving server admin has a policy to do that.


dimsim

848 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2835302 18-Dec-2021 17:08

BlakJak:
dimsim:

 

Agree, but the problem lies with the senders understanding of SPF and to clarify, the problems I've discovered are related to the internal IT workers or responsible admins for that organisation's mail/dns systems. Generally they will have a SPF record that covers their own servers/mx/hosts sending, but they negate to include external organisations who are sending mail on their behalf with the From address at @theirdomain for which they have a SPF record configured with a hard fail qualifier.

 

I'll just spell out again. If you own a domain and have email arranged for it and have explicitly set an SPF record with a hardfail, you're making it very clear other places cannot and should not send email on your behalf. External organisations that send email on your behalf are either: - Doing it with your consent, so you can talk to them about required changes to SPF to enable this, OR - Doing it without your consent, so SPF is working exactly as designed. It's one or the other. If your IT vendor/provider isn't working with you to cover off why they could possibly want to send email on behalf of your domain beforehand, they're incompetent, because IT vendors should 'just know' this stuff. And for the record, there aren't many cases where a third party or cloud service needs to send email using your corporate/primary domain name. You can configure subdomains or alternate domains to suit the purpose. Or let them send using their own domain, and configure a Reply-To: header if you need to capture responses. When selecting an arrangement for this you need to also consider backscatter (bounce errors), something else people fail to think about often. Across my career i've found a variety of supposedly smart IT and IT-related vendors surprisingly hit-and-miss on doing this well.
Hey look, I completely agree with what you're saying and understand. It is not me that has a misunderstanding of SPF (or needs help with it; I've been administering Exchange since v5) - it is the various IT admins for organisations that I receive email from. I've only noticed this because I had my Exchange Server set to fail any incoming message that failed SPF, and thought I'd ask others here if they'd had the same experience.

In answer to my original question - I think the posts here make it quite clear that we agree that some organisations and the people responsible for managing their email systems have a mis EDIT: poor understanding of SPF.


  #2835303 18-Dec-2021 17:17

No, not a lot of people understand SPF/DKIM/DMARC and their impact on mail delivery, further complicated by shadow IT and bulk email services, and let's not forget 3rd party vendors.


leaplae
218 posts

Master Geek

ID Verified

  #2835305 18-Dec-2021 17:36

I've set up SPF/DKIM/DMARC for many companies and organisations. The largest blocker to fully implementing DMARC on a domain is all the SaaS services that don't support DKIM, and don't let you change the mail servers they send out from to your own... Questioning when this feature will be made available usually gets 'you're the first to ask' or 'it's on our roadmap, but not a priority'.


dimsim

848 posts

Ultimate Geek

Trusted
Lifetime subscriber

  #2835308 18-Dec-2021 17:46

leaplae:

I've set up SPF/DKIM/DMARC for many companies and organisations. The largest blocker to fully implementing DMARC on a domain is all the SaaS services that don't support DKIM, and don't let you change the mail servers they send out from to your own... Questioning when this feature will be made available is usually 'you're the first to ask' or 'its on our roadmap, but not a priority'.

I know we use 365, Sugar and AWS, and they all support DKIM, but I did a quick Google and one noticeable exclusion was Oracle Fusion.

What are some examples of the SaaS products you've come across that don't support DKIM? This may be helpful to the community.

