Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records.
From an email in my inbox from September:
Authentication-Results: hotmail.com; sender-id=pass (sender IP is 65.55.240.72) header.from=******@microsoft.discoverbing.com; dkim=fail (testing mode) header.d=microsoft.discoverbing.com; x-hmca=pass
X-SID-PRA: *********@microsoft.discoverbing.com
X-SID-Result: Pass
X-DKIM-Result: Fail(t)
X-AUTH-Result: PASS
From an email I just sent myself:
Authentication-Results: hotmail.com; spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com; dkim=pass header.d=gmail.com; x-hmca=pass
X-SID-PRA: ****@gmail.com
X-AUTH-Result: PASS
X-SID-Result: PASS
And, since we’re here, let’s look at how to read the Authentication-Results line.
Authentication-Results: hotmail.com; spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com; dkim=pass header.d=gmail.com; x-hmca=pass
Authentication-Results: header added by Hotmail to give authentication results.
hotmail.com: domain doing the authenticating.
spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com: Authentication results for SPF. This tells you what IP Hotmail received the email from, as well SMTP.mailfrom address they used when checking the SPF. In this case, 209.85.214.174 is a google IP and is authorized to use gmail in the SMTP.mailfrom / return path / envelope from.
dkim=pass header.d=gmail.com: Says that the DKIM signature validated and the signing entity (d=) is gmail.com.
In the more recent header are the lines below not implying that the PRA was identified and a check for SenderID also occurred?
X-SID-PRA: ****@gmail.com
X-SID-Result: PASS
I think that’s just Hotmail repurposing the old header fields for SPF. They’re not reporting SenderID results in the authentication results header, as they were before. If they were checking SenderID, too, then I would expect SPF= and sender-ID= in the header.
[…] Hotmail moves to SPF authentication – Word to the Wise Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences b… […]
Over the last two years or so that I’ve been looking at @Hotmail headers trying to figure out how/when/whether they will authenticate, the only consistent thing I’ve found is inconsistency! I never managed to get the SenderId records checked intentionally (in spite of spending hours trying to work out what I was filling in wrong on the form) – the only trigger that seemed to get things checked consistently was senders doing very large volumes. No one remembered filling in the form for at least one of the domains in question, though someone at the client may have done it at some stage…
They’ve been sort of checking DKIM some of the time for a while now, though again it seems to be a complete lottery as to when. For a while I thought that if they didn’t check SenderId (for whatever reason) then they checked DKIM, and that seemed to be true for a while. There were always many “temperror” results – for the coders out there, it looks to me like a classic case of a try block in their code with an empty catch!
Maybe there are lots of errors with validation with Yahoo and Gmail (and all the others) and it’s only Microsoft that is honest about it – my personal theory is that they’ve decided that @Hotmail authentication should be managed by interns. The latest may have decide to finally put SenderId to rest!
Hotmail still seems to check the SPF record of the PRA
We have seen even if the mail passes SPF but still the PRA SPF fails then hotmail blacklists the IP after some time
Hi.
Starting on December 7th, we have been receiving Hotmail error reports related to emails that we send to addresses that are are forwarded to @hotmail.com addresses. We receive the errors at our postmaster address and they contain this message:
This is an email abuse report for an email message received from IP ?.?.?.? on Fri, 7 Dec 2012 11:15:28 -0800.
The message below did not meet the sending domain’s authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.
We think that this can be related to what you comment on this post because we haven’t changed anything on our side.
By the way, our SPF record is finished by ~all so we understand that Hotmail should not reject the emails in any case.
Have you noticed something similar? What could we do about it?
Thanks!
Oscar
Oscar – I am pulling my hair out with the exact same problem. We are getting an “abuse” report on a lot of emails that we send that are forwarded to hotmail addresses. Mostly college students forwarding their .edu email to hotmail. Does anyone have insight into why this is happening? It is generating a lot of false abuse reports.
Hi Nathan.
Still the same problem here. Are you also using ~all at the end of your SPF record ?
I think that Hotmail is (wrongly) interpreting ~all (softfail) as if it was -all (fail). If Hotmail does not fix this and the problem persists for a few days we will try removing the ~all from the SPF entry. Maybe this will fix this issue, but then IMHO the SPF record is almost worthless.
Yes we do use ~all. What I don’t understand is why this is only happening with hotmail. We don’t get this issue with ANY other ISP. I assume this means that hotmail is not implementing SRS. I tried to talk to hotmail postmaster support, but they were very unhelpful.
It looks like Hotmail is doing changes related to this issue almost right now because we have just received an email report with a different subject line. Now it includes the prefix [POSSIBLESPAM] before the original subject.
I hope they notice the error and fix it…
Yeah and I finally got someone from their postmaster support to admit there is something going on and they are looking at it.
[…] have been a number of comments on my post about Hotmail moving to SPF authentication having to do with troubleshooting authentication failures. I have been helping clients troubleshoot […]
Did you get any feedback from Hotmail? We are still receiving errors…
Does anyone have a link to information published by Microsoft saying that they are actually doing SPF checking and as from when?
Problem still persist
from staff@hotmail.com
The message below did not meet the sending domain’s authentication policy.
For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.