Geekzone: technology news, blogs, forums


dimsim | 847 posts | Ultimate Geek | Trusted | Lifetime subscriber
#292990 18-Dec-2021 14:21

I used to have my Exchange Server fail anything that didn't pass SPF but found I was constantly blocking email that I actually wanted.

I've since removed the block so I can actually receive those emails but prior to this made contact with several local businesses and helped them configure SPF correctly so I could receive their communications.

A big IT supplier of mine (no names mentioned) happens to think it's a great idea to send email as my domain when sending out MS licensing and just thought that this would work but without consultation and from servers outside of my SPF record. Other suppliers (IT/Networking space) that should know better have also failed in this regard and despite pointing out the glaring errors think there is nothing wrong with sending via a mail service like mailchimp but not adding the mailchimp include record to their SPF record.

Does anyone else see issues like this at all?


gorringS | 71 posts | Master Geek
#2835273 18-Dec-2021 14:50

Hi, you will probably find it won't be the SPF record alone that's stopping you sending emails. TXT record:

@    v=spf1 a mx ~all

You will also need a DKIM record. In order to generate that you need to download this: GitHub - Pro/dkim-exchange: DKIM Signing Agent for Microsoft Exchange Server

dimsim | 847 posts | Ultimate Geek | Trusted | Lifetime subscriber
#2835276 18-Dec-2021 14:56

I'm aware of DKIM - these incoming emails are failing purely on SPF, as the sender's SPF qualifier is set to hard fail.


BlakJak | 1249 posts | Uber Geek | Trusted
#2835278 18-Dec-2021 15:02

dimsim:
I used to have my Exchange Server fail anything that didn't pass SPF but found I was constantly blocking email that I actually wanted.

I've since removed the block so I can actually receive those emails but prior to this made contact with several local businesses and helped them configure SPF correctly so I could receive their communications.

A big IT supplier of mine (no names mentioned) happens to think it's a great idea to send email as my domain when sending out MS licensing and just thought that this would work but without consultation and from servers outside of my SPF record. Other suppliers (IT/Networking space) that should know better have also failed in this regard and despite pointing out the glaring errors think there is nothing wrong with sending via a mail service like mailchimp but not adding the mailchimp include record to their SPF record.

Does anyone else see issues like this at all?

If an IT provider you're working with can't understand the prerequisites to send out email 'as you' (it's impersonation if it's done without your consent!), you need a new IT provider.

SPF has been around for years; there's not really any excuse for getting this wrong.

But I will say, the number of IT professionals who don't understand the difference between From: and the envelope-sender is also surprising.

But then again we have numerous big-name organisations that can't correctly send both plaintext and HTML versions of their emails, and don't understand the mandatory headers required by RFC, and and and... In larger organisations I wouldn't be surprised to see significant siloed thinking and people who literally don't carry any expertise for anything except their own tasking. Including, for example, being trained in the use of a tool but not really understanding what that tool does.

I think of it in a similar way to the smartphone generation, who are used to easy-to-use UX at the expense of anything that might provide you with technical context or, worse, troubleshooting.

"I'm sorry, something went wrong" is not as useful as an error code that you can look up, for example.

Symptomatic of some of my current frustrations in the industry.

endrant

No signature to see here, move along...



gorringS | 71 posts | Master Geek
#2835280 18-Dec-2021 15:04

You can try the above SPF record, as I've not had any fail using that record and it certainly passes all emails in both directions.


gorringS | 71 posts | Master Geek
#2835281 18-Dec-2021 15:07

gorringefamily.co.nz Lookup - SPF-Record, which shows the results of that record I shared with you.


dimsim | 847 posts | Ultimate Geek | Trusted | Lifetime subscriber
#2835284 18-Dec-2021 15:15

BlakJak:
dimsim:
I used to have my Exchange Server fail anything that didn't pass SPF but found I was constantly blocking email that I actually wanted.

I've since removed the block so I can actually receive those emails but prior to this made contact with several local businesses and helped them configure SPF correctly so I could receive their communications.

A big IT supplier of mine (no names mentioned) happens to think it's a great idea to send email as my domain when sending out MS licensing and just thought that this would work but without consultation and from servers outside of my SPF record. Other suppliers (IT/Networking space) that should know better have also failed in this regard and despite pointing out the glaring errors think there is nothing wrong with sending via a mail service like mailchimp but not adding the mailchimp include record to their SPF record.

Does anyone else see issues like this at all?

If an IT provider you're working with can't understand the prerequisites to send out email 'as you' (it's impersonation if it's done without your consent!), you need a new IT provider. SPF has been around for years, there's not really any excuse for getting this wrong. But I will say, the number of IT professionals who don't understand the difference between From: and the envelope-sender, is also surprising. But then again we have numerous big-name organisations that can't correctly send both plaintext and HTML versions of their emails, and don't understand the mandatory headers required by RFC, and and and... in larger organisations I wouldn't be surprised to see significant siloed thinking and people who literally don't carry any expertise for anything except for their own tasking. Including, for example, being trained in the use of a tool but not really understanding what that tool does. I think of it in a similar way to the smartphone generation who are used to easy-to-use UX at the expense of anything that might provide you with technical context, or worse, troubleshooting. "I'm sorry, something went wrong" is not as useful as an error code that you can look up, for example. Symptomatic of some of my current frustrations in the industry. endrant

Agree, but the problem lies with the senders' understanding of SPF. To clarify, the problems I've discovered are related to the internal IT workers or responsible admins for that organisation's mail/DNS systems. Generally they will have an SPF record that covers their own servers/MX/hosts sending, but they neglect to include external organisations who are sending mail on their behalf with the From address at @theirdomain, for which they have an SPF record configured with a hard fail qualifier.


dimsim | 847 posts | Ultimate Geek | Trusted | Lifetime subscriber
#2835285 18-Dec-2021 15:16

gorringS:
gorringefamily.co.nz Lookup - SPF-Record which shows results of that record I shared with you

Thanks, I'm fully aware of SPF and how it is configured, but the problem here is related to the sender's possibly limited understanding of SPF.




gorringS | 71 posts | Master Geek
#2835289 18-Dec-2021 15:24

They're a bunch of idiots. If the 3rd party you're referring to has hard fail set or a misconfigured SPF record, they certainly won't get much in the way of emails from anyone.


BlakJak | 1249 posts | Uber Geek | Trusted
#2835294 18-Dec-2021 15:58

dimsim:
Agree, but the problem lies with the senders understanding of SPF and to clarify, the problems I've discovered are related to the internal IT workers or responsible admins for that organisation's mail/dns systems. Generally they will have a SPF record that covers their own servers/mx/hosts sending, but they negate to include external organisations who are sending mail on their behalf with the From address at @theirdomain for which they have a SPF record configured with a hard fail qualifier.

I'll just spell it out again. If you own a domain, have email arranged for it and have explicitly set an SPF record with a hardfail, you're making it very clear other places cannot and should not send email on your behalf.

External organisations that send email on your behalf are either:

- Doing it with your consent, so you can talk to them about required changes to SPF to enable this, OR

- Doing it without your consent, so SPF is working exactly as designed.

It's one or the other. If your IT vendor/provider isn't working with you beforehand to cover off why they could possibly want to send email on behalf of your domain, they're incompetent, because IT vendors should 'just know' this stuff.

And for the record, there aren't many cases where a third party or cloud service needs to send email using your corporate/primary domain name. You can configure subdomains or alternate domains to suit the purpose. Or let them send using their own domain, and configure a Reply-To: header if you need to capture responses.

When selecting an arrangement for this you need to also consider backscatter (bounce errors), something else people often fail to think about.

Across my career I've found a variety of supposedly smart IT and IT-related vendors surprisingly hit-and-miss on doing this well.

No signature to see here, move along...
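The situation dimsim and BlakJak are describing (a domain's SPF record ends in -all, and a third party sends as that domain from hosts the record never lists) can be reproduced offline with a small SPF evaluator. This is an added example, not code from the thread or from any poster; the domains, IP ranges and the `_spf.bulkmailer.example` include host are constructed stand-ins, and DNS answers come from an in-memory table rather than real lookups. It covers the mechanisms the thread talks about (a, mx, ip4, include, all) and the four qualifiers, in simplified RFC 7208 semantics.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table.

Added example; not code from the Geekzone thread or any poster. Every domain,
IP range and the '_spf.bulkmailer.example' include host is an invented stand-in.
Mechanisms covered are the ones the thread talks about: a, mx, ip4, include and
the catch-all 'all' with the +, -, ~ and ? qualifiers (RFC 7208, simplified).
"""
import ipaddress

# Constructed DNS data: TXT holds the SPF record, A and MX what the mechanisms resolve.
DNS = {
    # The thread's case: covers the domain's own hosts, hard-fails everything else.
    "theirdomain.example": {
        "TXT": "v=spf1 a mx -all",
        "A": ["203.0.113.10"],
        "MX": ["mail.theirdomain.example"],
    },
    "mail.theirdomain.example": {"A": ["203.0.113.25"]},
    # The same domain after the bulk mailer's include has been added.
    "fixeddomain.example": {
        "TXT": "v=spf1 a mx include:_spf.bulkmailer.example -all",
        "A": ["203.0.113.10"],
        "MX": ["mail.theirdomain.example"],
    },
    # Soft-fail variant (the record gorringS posted uses ~all).
    "softdomain.example": {"TXT": "v=spf1 a mx ~all", "A": ["203.0.113.10"], "MX": []},
    # What a bulk-mail provider would publish for its customers to include.
    "_spf.bulkmailer.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the TXT string (or None), or the list of A / MX values (or [])."""
    entry = DNS.get(name, {})
    return entry.get("TXT") if rtype == "TXT" else entry.get(rtype, [])


def ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(domain, sender_ip, depth=0):
    """SPF result for sender_ip using 'domain' as the envelope-sender domain."""
    if depth > 10:                    # RFC 7208 caps DNS-causing terms; stop runaway includes
        return "permerror"
    record = lookup(domain, "TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"                 # no SPF published: nothing to enforce
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in(sender_ip, arg)
        elif mech == "a":
            matched = any(ip_in(sender_ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ip_in(sender_ip, a)
                          for host in lookup(arg or domain, "MX")
                          for a in lookup(host, "A"))
        elif mech == "include":
            # include: counts as a match only when the referenced record returns pass;
            # the included record's own -all never fails the outer check.
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"        # unknown mechanism: the record is unusable
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                  # nothing matched and no 'all' term


def receiver_action(result, reject_on_fail):
    """Illustrative receiving-side policy, like the Exchange rule dimsim describes."""
    if result == "fail":
        return "reject" if reject_on_fail else "junk"
    if result == "softfail":
        return "junk"
    return "accept"


if __name__ == "__main__":
    bulk_mailer_ip = "198.51.100.7"   # constructed: one of the bulk mailer's outbound hosts
    for dom in ("theirdomain.example", "fixeddomain.example", "softdomain.example"):
        res = check_spf(dom, bulk_mailer_ip)
        print(f"{dom:24} {res:9} -> {receiver_action(res, reject_on_fail=True)}")
```

Run against the bulk mailer's address, `theirdomain.example` returns fail and a receiver with dimsim's "reject on SPF fail" rule drops the message; `fixeddomain.example`, which differs only by the include, returns pass; `softdomain.example` returns softfail, which most receivers treat as a spam signal rather than a rejection. The include mechanism is the part senders in the thread were missing: the provider's hosts count as authorised only because the customer's record references the provider's published record, and nothing in that record changes the customer's own -all.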

xpd | Geek @ Coastguard NZ | 13719 posts | Uber Geek | Retired Mod | ID Verified | Trusted | Lifetime subscriber
#2835300 18-Dec-2021 16:45

I've had SPF running for a while now, mainly because sending ANY emails to anyone @xtra was a massive fail :D Was a bit of fiddling but got there. Only just this week set up DKIM, but cheated, cPanel tells you step by step what you need :D

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand
LinkTree - kiwiblast.co.nz - Lego and more
Support Kiwi music! The People | Black Smoke Trigger | Like A Storm | Devilskin
NZ GEEKS Discord


dimsim | 847 posts | Ultimate Geek | Trusted | Lifetime subscriber
#2835301 18-Dec-2021 16:52

gorringS:
they bunch idiots if 3rd party you referring to has hard fail set or misconfigured spf record they certainly wont get much in way  emails from anyone.

Poor SPF configuration won't affect the 3rd party you're referring to RECEIVING email... it will simply hinder the delivery of email FROM that 3rd party, e.g. the message being junked due to a soft/hard qualifier, or failed if the receiving server admin has a policy to do that.


dimsim | 847 posts | Ultimate Geek | Trusted | Lifetime subscriber
#2835302 18-Dec-2021 17:08

BlakJak:
dimsim:
Agree, but the problem lies with the senders understanding of SPF and to clarify, the problems I've discovered are related to the internal IT workers or responsible admins for that organisation's mail/dns systems. Generally they will have a SPF record that covers their own servers/mx/hosts sending, but they negate to include external organisations who are sending mail on their behalf with the From address at @theirdomain for which they have a SPF record configured with a hard fail qualifier.

I'll just spell out again. If you own a domain and have email arranged for it and have explicitly set an SPF record with a hardfail, you're making it very clear other places cannot and should not send email on your behalf. External organisations that send email on your behalf are either: - Doing it with your consent, so you can talk to them about required changes to SPF to enable this, OR - Doing it without your consent, so SPF is working exactly as designed. It's one or the other. If your IT vendor/provider isn't working with you to cover off why they could possibly want to send email on behalf of your domain beforehand, they're incompetent, because IT vendors should 'just know' this stuff. And for the record, there aren't many cases where a third party or cloud service needs to send email using your corporate/primary domain name. You can configure subdomains or alternate domains to suit the purpose. Or let them send using their own domain, and configure a Reply-To: header if you need to capture responses. When selecting an arrangement for this you need to also consider backscatter (bounce errors), something else people fail to think about often. Across my career i've found a variety of supposedly smart IT and IT-related vendors surprisingly hit-and-miss on doing this well.

Hey look, I completely agree with what you're saying and understand. It is not me that has a misunderstanding of SPF (or needs help with it, I've been administering Exchange since v5) - it is the various IT admins for organizations that I receive email from. I've only noticed this because I had my Exchange Server set to fail any incoming message that failed SPF, and thought I'd ask others here if they'd had the same experience.

In answer to my original question - I think the posts here make it quite clear that we agree that some organisations and the people responsible for managing their email systems have a mis EDIT: poor understanding of SPF.


#2835303 18-Dec-2021 17:17

No, not a lot of people understand SPF/DKIM/DMARC and their impact on mail delivery, further complicated by shadow IT and bulk email services, and let's not forget 3rd party vendors.


leaplae | 218 posts | Master Geek | ID Verified
#2835305 18-Dec-2021 17:36

I've set up SPF/DKIM/DMARC for many companies and organisations. The largest blocker to fully implementing DMARC on a domain is all the SaaS services that don't support DKIM, and don't let you change the mail servers they send out from to your own... Questioning when this feature will be made available is usually met with 'you're the first to ask' or 'it's on our roadmap, but not a priority'.
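BlakJak's point about From: versus the envelope-sender, and leaplae's point that a SaaS sender without DKIM is a blocker for DMARC, are the same mechanism seen from two sides: SPF is evaluated against the SMTP envelope sender (RFC 5321 MAIL FROM), DKIM against the d= domain of a valid signature, and DMARC then asks whether either passing identifier aligns with the RFC 5322 From: domain the reader sees. The added example below is not code from the thread or from any poster; the message, addresses and domains are constructed, and the SPF and DKIM results are passed in as inputs rather than looked up, because the point being demonstrated is the alignment and disposition logic. The organisational-domain helper is a deliberate simplification (last two labels) where real DMARC implementations consult the Public Suffix List.

```python
"""Envelope sender versus From: header, and what DMARC does with the difference.

Added example; not code from the Geekzone thread or any poster. All domains,
addresses and results are constructed. SPF/DKIM outcomes are inputs: this block
shows the DMARC alignment and disposition step only.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the message a bulk-mail SaaS hands over while sending *as* the customer.
RAW_MESSAGE = """\
From: Accounts <licensing@theirdomain.example>
To: someone@recipient.example
Subject: Your licence renewal

Renewal attached.
"""

DISPOSITIONS = {"none": "none", "quarantine": "quarantine", "reject": "reject"}


def domain_of(address):
    """Domain part of an address, lower-cased ('Name <user@Dom>' -> 'dom')."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def org_domain(name):
    """Crude organisational domain: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode="relaxed"):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "strict":
        return header_from == auth_domain
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(raw_message, mail_from, spf_result, dkim_domain, dkim_result,
                   policy="reject", aspf="r", adkim="r"):
    """Return the aligned-pass verdicts and the disposition the From: domain's policy asks for.

    mail_from   -- the SMTP envelope sender ("" for the null sender used by bounces)
    spf_result  -- SPF result already computed for mail_from's domain
    dkim_domain -- d= of a valid DKIM signature, or None if nothing verified
    policy      -- p= tag of the From: domain's DMARC record (none/quarantine/reject)
    aspf/adkim  -- alignment modes from the DMARC record, 'r' (relaxed) or 's' (strict)
    """
    header_from = domain_of(message_from_string(raw_message)["From"])
    spf_ok = (spf_result == "pass"
              and aligned(header_from, domain_of(mail_from), "strict" if aspf == "s" else "relaxed"))
    dkim_ok = (dkim_result == "pass"
               and aligned(header_from, dkim_domain, "strict" if adkim == "s" else "relaxed"))
    passed = spf_ok or dkim_ok
    return {
        "header_from": header_from,
        "envelope_from": domain_of(mail_from),
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": passed,
        "disposition": "none" if passed else DISPOSITIONS[policy],
    }


if __name__ == "__main__":
    # 1. SaaS uses its own envelope domain and does not sign: SPF passes for the
    #    SaaS domain, but nothing aligns with the From: the reader sees.
    print(dmarc_evaluate(RAW_MESSAGE, "bounce@mail.bulkmailer.example", "pass", None, "none"))
    # 2. Same envelope, but the SaaS signs with d=theirdomain.example: DKIM carries the pass.
    print(dmarc_evaluate(RAW_MESSAGE, "bounce@mail.bulkmailer.example", "pass",
                         "theirdomain.example", "pass"))
    # 3. No DKIM, but a custom return-path on a subdomain of the customer: SPF aligns (relaxed).
    print(dmarc_evaluate(RAW_MESSAGE, "bounce@bounce.theirdomain.example", "pass", None, "none"))
```

Case 1 is the one BlakJak describes: the SPF check itself passes, because it is run against the SaaS provider's envelope domain, yet the message is still sent "as" the customer and DMARC rejects it. Case 3 is the fallback when a SaaS cannot sign DKIM: a custom bounce/return-path subdomain that the customer controls and publishes SPF for. That subdomain then receives the bounces, which is the backscatter consideration BlakJak raises, and it only satisfies relaxed alignment; with aspf=s the same message is rejected again.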


dimsim | 847 posts | Ultimate Geek | Trusted | Lifetime subscriber
#2835308 18-Dec-2021 17:46

leaplae:
I've set up SPF/DKIM/DMARC for many companies and organisations. The largest blocker to fully implementing DMARC on a domain is all the SaaS services that don't support DKIM, and don't let you change the mail servers they send out from to your own... Questioning when this feature will be made available is usually 'you're the first to ask' or 'its on our roadmap, but not a priority'.

I know we use 365, Sugar, AWS and they all support DKIM, but I did a quick google and one noticeable exclusion was Oracle Fusion.

What are some examples of the SaaS products you've come across that don't support DKIM? This may be helpful to the community.

