Hotmail moves to SPF authentication

Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between Sender ID and SPF were subtle, and most senders who were getting a pass at Hotmail were already publishing SPF records.

From an email in my inbox from September:

Authentication-Results: hotmail.com; sender-id=pass (sender IP is 65.55.240.72) header.from=******@microsoft.discoverbing.com; dkim=fail (testing mode) header.d=microsoft.discoverbing.com; x-hmca=pass
X-SID-PRA: *********@microsoft.discoverbing.com
X-SID-Result: Pass
X-DKIM-Result: Fail(t)
X-AUTH-Result: PASS

From an email I just sent myself:

Authentication-Results: hotmail.com; spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com; dkim=pass header.d=gmail.com; x-hmca=pass
X-SID-PRA: ****@gmail.com
X-AUTH-Result: PASS
X-SID-Result: PASS

And, since we’re here, let’s look at how to read the Authentication-Results line.

Authentication-Results: hotmail.com; spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com; dkim=pass header.d=gmail.com; x-hmca=pass

Authentication-Results: header added by Hotmail to give authentication results.

hotmail.com: domain doing the authenticating.

spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com: Authentication results for SPF. This tells you what IP Hotmail received the email from, as well as the smtp.mailfrom address they used when checking SPF. In this case, 209.85.214.174 is a Google IP and is authorized to use gmail.com in the smtp.mailfrom / return path / envelope from.

dkim=pass header.d=gmail.com: Says that the DKIM signature validated and the signing entity (d=) is gmail.com.
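The field-by-field reading above, as an added example (not code from the original post): a small Python parser run over the two Hotmail header values quoted in the post. The function names are illustrative, and splitting on `;` is a simplification that assumes no semicolons inside comments or quoted strings.

```python
import re

# Header values copied from the two Hotmail examples quoted in the post.
OLD = ("hotmail.com; sender-id=pass (sender IP is 65.55.240.72) "
       "header.from=******@microsoft.discoverbing.com; "
       "dkim=fail (testing mode) header.d=microsoft.discoverbing.com; x-hmca=pass")
NEW = ("hotmail.com; spf=pass (sender IP is 209.85.214.174) "
       "smtp.mailfrom=*****@gmail.com; dkim=pass header.d=gmail.com; x-hmca=pass")

_COMMENT = re.compile(r"\(([^()]*)\)")                    # (sender IP is ...)
_METHOD = re.compile(r"^([A-Za-z0-9-]+)\s*=\s*([A-Za-z]+)")  # spf=pass
_PROP = re.compile(r"([A-Za-z0-9-]+\.[A-Za-z0-9-]+)\s*=\s*(\S+)")  # smtp.mailfrom=...

def parse_authentication_results(value):
    """Split a header value into (authserv-id, list of per-method results)."""
    # Simplification: assumes ';' never appears inside a comment or quoted string.
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, []
    results = []
    for part in parts[1:]:
        comments = _COMMENT.findall(part)
        bare = _COMMENT.sub(" ", part).strip()
        m = _METHOD.match(bare)
        if not m:
            continue  # not a method=result clause
        results.append({"method": m.group(1).lower(), "result": m.group(2).lower(),
                        "comment": comments[0] if comments else None,
                        "props": dict(_PROP.findall(bare[m.end():]))})
    return parts[0], results

def summarize(value):
    """Return {method: (result, identity that was checked or None)}."""
    out = {}
    for r in parse_authentication_results(value)[1]:
        identity = next(iter(r["props"].values()), None)
        out[r["method"]] = (r["result"], identity)
    return out

def trusted(header_values, my_authserv_id):
    """Keep only headers stamped by our own receiver; a sender can add its own
    Authentication-Results header, so other authserv-ids prove nothing."""
    return [v for v in header_values
            if (parse_authentication_results(v)[0] or "").lower() == my_authserv_id.lower()]
```

Comparing `summarize(OLD)` with `summarize(NEW)` shows the change the post describes: the first reports `sender-id` against `header.from`, the second reports `spf` against `smtp.mailfrom`.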


14 comments

  1. Brian G says

    In the more recent header are the lines below not implying that the PRA was identified and a check for SenderID also occurred?

    X-SID-PRA: ****@gmail.com
    X-SID-Result: PASS

    1. laura says

      I think that’s just Hotmail repurposing the old header fields for SPF. They’re not reporting SenderID results in the authentication results header, as they were before. If they were checking SenderID, too, then I would expect SPF= and sender-ID= in the header.

  2. En vrac, l’emailing cette semaine : SFR, Emarsys, SPF, SendGrid+Twilio, Testing, … | Badsender - Conseil Emailing & eCRM says

    [...] Hotmail moves to SPF authentication – Word to the Wise Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences b… [...]

  3. Anton M says

    Over the last two years or so that I’ve been looking at @Hotmail headers trying to figure out how/when/whether they will authenticate, the only consistent thing I’ve found is inconsistency! I never managed to get the SenderId records checked intentionally (in spite of spending hours trying to work out what I was filling in wrong on the form) – the only trigger that seemed to get things checked consistently was senders doing very large volumes. No one remembered filling in the form for at least one of the domains in question, though someone at the client may have done it at some stage…
    They’ve been sort of checking DKIM some of the time for a while now, though again it seems to be a complete lottery as to when. For a while I thought that if they didn’t check SenderId (for whatever reason) then they checked DKIM, and that seemed to be true for a while. There were always many “temperror” results – for the coders out there, it looks to me like a classic case of a try block in their code with an empty catch!
    Maybe there are lots of errors with validation with Yahoo and Gmail (and all the others) and it’s only Microsoft that is honest about it – my personal theory is that they’ve decided that @Hotmail authentication should be managed by interns. The latest may have decided to finally put SenderId to rest!

  4. Ram says

    Hotmail still seems to check the SPF record of the PRA
    We have seen even if the mail passes SPF but still the PRA SPF fails then hotmail blacklists the IP after some time

  5. Óscar says

    Hi.

    Starting on December 7th, we have been receiving Hotmail error reports related to emails that we send to addresses that are forwarded to @hotmail.com addresses. We receive the errors at our postmaster address and they contain this message:

    This is an email abuse report for an email message received from IP ?.?.?.? on Fri, 7 Dec 2012 11:15:28 -0800.
    The message below did not meet the sending domain’s authentication policy.
    For more information about this format please see http://www.ietf.org/rfc/rfc5965.txt.

    We think that this can be related to what you comment on this post because we haven’t changed anything on our side.

    By the way, our SPF record is finished by ~all so we understand that Hotmail should not reject the emails in any case.

    Have you noticed something similar? What could we do about it?

    Thanks!
    Oscar

  6. Nathan says

    Oscar – I am pulling my hair out with the exact same problem. We are getting an “abuse” report on a lot of emails that we send that are forwarded to hotmail addresses. Mostly college students forwarding their .edu email to hotmail. Does anyone have insight into why this is happening? It is generating a lot of false abuse reports.

  7. Óscar says

    Hi Nathan.
    Still the same problem here. Are you also using ~all at the end of your SPF record ?
    I think that Hotmail is (wrongly) interpreting ~all (softfail) as if it was -all (fail). If Hotmail does not fix this and the problem persists for a few days we will try removing the ~all from the SPF entry. Maybe this will fix this issue, but then IMHO the SPF record is almost worthless.

  8. Nathan says

    Yes we do use ~all. What I don’t understand is why this is only happening with hotmail. We don’t get this issue with ANY other ISP. I assume this means that hotmail is not implementing SRS. I tried to talk to hotmail postmaster support, but they were very unhelpful.

  9. Óscar says

    It looks like Hotmail is doing changes related to this issue almost right now because we have just received an email report with a different subject line. Now it includes the prefix [POSSIBLESPAM] before the original subject.
    I hope they notice the error and fix it…

  10. Nathan says

    Yeah and I finally got someone from their postmaster support to admit there is something going on and they are looking at it.

  11. Troubleshooting tools – Word to the Wise says

    [...] have been a number of comments on my post about Hotmail moving to SPF authentication having to do with troubleshooting authentication failures. I have been helping clients troubleshoot [...]

  12. Óscar says

    Did you get any feedback from Hotmail? We are still receiving errors…

  13. Erik says

    Does anyone have a link to information published by Microsoft saying that they are actually doing SPF checking and as from when?
