Hotmail moves to SPF authentication


Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records.
From an email in my inbox from September:

Authentication-Results:; sender-id=pass (sender IP is header.from=******; dkim=fail (testing mode); x-hmca=pass
X-SID-PRA: *********
X-SID-Result: Pass
X-DKIM-Result: Fail(t)

From an email I just sent myself:

Authentication-Results:; spf=pass (sender IP is smtp.mailfrom=*****; dkim=pass; x-hmca=pass
X-SID-PRA: ****
X-SID-Result: PASS

And, since we’re here, let’s look at how to read the Authentication-Results line.
Authentication-Results:; spf=pass (sender IP is smtp.mailfrom=*****; dkim=pass; x-hmca=pass
Authentication-Results: header added by Hotmail to give authentication results. domain doing the authenticating.
spf=pass (sender IP is smtp.mailfrom=***** Authentication results for SPF. This tells you what IP Hotmail received the email from, as well SMTP.mailfrom address they used when checking the SPF. In this case, is a google IP and is authorized to use gmail in the SMTP.mailfrom / return path / envelope from.
dkim=pass Says that the DKIM signature validated and the signing entity (d=) is

About the author


This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • In the more recent header are the lines below not implying that the PRA was identified and a check for SenderID also occurred?
    X-SID-PRA: ****
    X-SID-Result: PASS

  • I think that’s just Hotmail repurposing the old header fields for SPF. They’re not reporting SenderID results in the authentication results header, as they were before. If they were checking SenderID, too, then I would expect SPF= and sender-ID= in the header.

  • Over the last two years or so that I’ve been looking at @Hotmail headers trying to figure out how/when/whether they will authenticate, the only consistent thing I’ve found is inconsistency! I never managed to get the SenderId records checked intentionally (in spite of spending hours trying to work out what I was filling in wrong on the form) – the only trigger that seemed to get things checked consistently was senders doing very large volumes. No one remembered filling in the form for at least one of the domains in question, though someone at the client may have done it at some stage…
    They’ve been sort of checking DKIM some of the time for a while now, though again it seems to be a complete lottery as to when. For a while I thought that if they didn’t check SenderId (for whatever reason) then they checked DKIM, and that seemed to be true for a while. There were always many “temperror” results – for the coders out there, it looks to me like a classic case of a try block in their code with an empty catch!
    Maybe there are lots of errors with validation with Yahoo and Gmail (and all the others) and it’s only Microsoft that is honest about it – my personal theory is that they’ve decided that @Hotmail authentication should be managed by interns. The latest may have decide to finally put SenderId to rest!

  • Hotmail still seems to check the SPF record of the PRA
    We have seen even if the mail passes SPF but still the PRA SPF fails then hotmail blacklists the IP after some time

  • Hi.
    Starting on December 7th, we have been receiving Hotmail error reports related to emails that we send to addresses that are are forwarded to addresses. We receive the errors at our postmaster address and they contain this message:
    This is an email abuse report for an email message received from IP ?.?.?.? on Fri, 7 Dec 2012 11:15:28 -0800.
    The message below did not meet the sending domain’s authentication policy.
    For more information about this format please see
    We think that this can be related to what you comment on this post because we haven’t changed anything on our side.
    By the way, our SPF record is finished by ~all so we understand that Hotmail should not reject the emails in any case.
    Have you noticed something similar? What could we do about it?

  • Oscar – I am pulling my hair out with the exact same problem. We are getting an “abuse” report on a lot of emails that we send that are forwarded to hotmail addresses. Mostly college students forwarding their .edu email to hotmail. Does anyone have insight into why this is happening? It is generating a lot of false abuse reports.

  • Hi Nathan.
    Still the same problem here. Are you also using ~all at the end of your SPF record ?
    I think that Hotmail is (wrongly) interpreting ~all (softfail) as if it was -all (fail). If Hotmail does not fix this and the problem persists for a few days we will try removing the ~all from the SPF entry. Maybe this will fix this issue, but then IMHO the SPF record is almost worthless.

  • Yes we do use ~all. What I don’t understand is why this is only happening with hotmail. We don’t get this issue with ANY other ISP. I assume this means that hotmail is not implementing SRS. I tried to talk to hotmail postmaster support, but they were very unhelpful.

  • It looks like Hotmail is doing changes related to this issue almost right now because we have just received an email report with a different subject line. Now it includes the prefix [POSSIBLESPAM] before the original subject.
    I hope they notice the error and fix it…

  • Yeah and I finally got someone from their postmaster support to admit there is something going on and they are looking at it.

  • Does anyone have a link to information published by Microsoft saying that they are actually doing SPF checking and as from when?

By laura

Recent Posts


Follow Us