spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SPF Rejection

2005-03-15 08:49:44
from [Stuart D. Gathman] [Permanent Link] 
On Tue, 15 Mar 2005, Slava Madrit wrote:


I was hoping someone can give me some help here.  We have had our SPF record
for salans.com setup for some time and have not had any issues.  Suddenly,
yesterday we got rejections from 2 separate domains.  I used the checker on
pobox and it said the message should have been accepted  since all of the SPF
info was correct.  So what is the problem and how do I send to these people
now, since they claim that the problem is on our end.  The checker message is
below. Any help would be greatly appreciated.
 
==================================================
server152-han.de-nserver.de rejected a message claiming to be from
smadrit(_at_)salans(_dot_)com(_dot_)
 
server152-han.de-nserver.de saw a message coming from the IP address
212.67.88.227 which is mail-cz.salans.com; the sender claimed to be
smadrit(_at_)salans(_dot_)com(_dot_)


I get PASS for that data also.  I am assuming that your HELO name is 
mail-cz.salans.com.  Bad HELO name is a common problem.

There seems to be a problem with their checker.  I suggest creating
a subdomain - or just using mail-cz.salans.com - with which to send
them email about the problem.  The subdomain can have no SPF record
(like mail-cz.salans.com), or an even simpler one (like "v=spf1 a").
Many SPF implementations have problems with the PTR mechanism.
Your domain fails the MX mechanism, and only passes because of PTR.

Actually, I suggest that mail-cz.salans.com have an spf record
of "v=spf1 a".  This ought to be redundant, since it was required
by rfc2821 before SPF was invented.  But so many clueless admins don't
comply with 2821, that it is necessary to tolerate bogus HELO domains
until compliance is explicitly published via SPF.

BTW, another possibility is that de-nserver.de is not checking SPF,
but has rolled their own IP address checking heuristic which does
not depend on published policy (a key feature of SPF) and goes
wrong with your setup.  Their rejection message does not mention SPF, 
and their message seems to imply that they expect all senders to have
a policy equivalent to "v=spf1 a -all".

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SPF Rejection, Slava Madrit
Next by Date:  Re: SPF Rejection, Slava Madrit
Previous by Thread:  SPF Rejection, Slava Madrit
Next by Thread:  Re: SPF Rejection, Slava Madrit
Indexes:  [Date] [Thread] [Top] [All Lists]