I’ve had a couple folks come to me recently for help troubleshooting SPF failures. The error messages said the SPF record was invalid, but by all checks it was valid. Eventually, we tracked the issue down to how many include files were in the SPF record. The SPF specification specifically limits the number of lookups that can happen during an SPF check. SPF implementations MUST limit the...
DMARC: Please Be Careful!
(Cross posted from Spam Resource.) Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It’s great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What’s really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list...
New player in the DMARC space
Over on the DMARC-Discuss list, Comcast announced they had turned on DMARC validation and companies that publish DMARC records should start receiving reports from Comcast.
Hotmail moves to SPF authentication
Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between Sender ID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records. From an email in my inbox from September: Authentication-Results: hotmail.com; sender-id=pass (sender IP is 65.55.240.72) header...
Gmail sending out warnings for 512 bit DKIM keys
As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512 bit keys to warn them of the upcoming changes. This message also clarifies “DKIM keys failing.” Messages signed with 512 bit keys or less will be treated as unsigned by Gmail in the next week or so. Hello, We noticed that your domain is sending email to Gmail users that is DKIM signed...
Is Google failing DKIM keys shorter than 512 bits?
Today’s Wednesday question comes from Andrew B. and got pushed to Thursday so I could check a few more facts. Have @Gmail yet confirmed the @ReturnPath story that they’ll start failing weak DKIM sigs? RP cites no source: @hey4ndr3w The answer is that no one from Gmail has publicly confirmed that they’re failing to authenticate mail signed with weak DKIM keys. But conversations...
Outlook.com in practice
I’ve seen a few people talking about outlook.com and how it’s working. There aren’t many insights here but there are a couple. Images are not always showing up from all senders. There are two different “safe” sender lists: one for individuals and one for mailing lists. If you log in with a live.com account address (rather than a hotmail address or instead of creating...
Getting rid of the via at Gmail
There was a question submitted today about the verification process at Gmail. Even though SPF authentication is passed, a via is added to mail sent from a webserver. The return-path is not the same as the visible from field, but there’s no way for me to change it. Does that mean I won’t be able to get rid of the via? This actually ties in to some research Steve and I did a few months ago about...
DMARC: an authentication framework
A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing. DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver...
Gmail and the via
I was hoping to have a detailed post up today about the conditions where Gmail presents the user with a “via” but time seems to have gotten away from me. But I can give you the conclusions. A via is presented to the user when you have a DKIM pass and the domain in the d= does not match the domain in the visible from address. In this case the interface shows via the d= domain. A via is...