Tagspf

November 5, 2019

Identifying domains that don’t accept or send email

By laura
2 Min read
1 comment
05November

A couple folks have asked me recently about MX records that they don’t understand. These records consist of a single . or they contain localhost or they are 127.0.0.1. In all cases, the domain owners use these records to signal that the domains don’t accept email. What do these records look like? Why do domains do this? In all cases it’s because the domain owners want to signal...

October 10, 2019

Microsoft and SPF

By laura
1 Min read
5 comments
10October

Many deliverability folks stopped recommending publishing SPF records for the 5322.from address to get delivery to Microsoft. I even remember Microsoft saying they were stopping doing SenderID style checking. A discussion on the emailgeeks slack channel has me rethinking that. It started out with one participant asking if other folks were seeing delivery improvement at MS if they added a SPF...

October 9, 2019

Why is DMARC failing?

By laura
2 Min read
6 comments
09October

Multiple times over the last few weeks folks have posted a screenshot of Google Postmaster tools showing some percentage of mail failing DMARC. They then ask why DMARC is failing. Thanks to how DMARC was designed, they don’t need to ask anyone this, they have all the data they need to work this out themselves. The DMARC protocol contains a way to request reports when DMARC authentication...

September 12, 2019

Null sender address

By laura
1 Min read
1 comment
12September

A question came up on the email geeks slack channel about empty from addresses. I asked if they meant the 5321 or 5322 from address which prompted a question about if you could even have a null 5321 from. Yes, you can and it’s commonly used for some types of email. 5321.from is the bounce address, and the domain used in SPF authentication. Null addresses, literally <>, are used for email...

March 5, 2019

SenderID is dead

By laura
2 Min read
5 comments
05March

A question came up on the email geeks slack channel (Join Here) about SenderID. They recently had a customer ask for SenderID authentication. We’ve written about it a few times: (Hotmail moves to SPF Authentication and Until it stops moving) but we’ve not actually stated the reasons why in a post. SenderID was basically SPF version 2. It tried to use the same mechanism as SPF to...

February 6, 2019

What SPF records should you publish?

By laura
3 Min read
3 comments
06February

When it comes to SPF records there seems to be a lot of confusion. I mean, a decade after I posted it Authenticating SPF is still the most frequently visited post on the site. And, of course, there are hundreds of other pages out there that discuss SPF and what to publish. Still, there are common questions. Most recently I’ve been addressing questions about what SPF records need to be...

October 19, 2018

SPF and TXT records and Go

By steve
3 Min read
1 comment
19October

A few days ago Laura noticed a bug in one of our in-house tools – it was sometimes marking an email as SPF Neutral when it should have been a valid SPF pass. I got around to debugging it today and traced it back to a bug in the Go standard library. A DNS TXT record seems pretty simple. You lookup a hostname, you get some strings back. Those strings can be used for all sorts of things, but...

December 21, 2017

Authentication is about Identity, not Virtue

By steve
1 Min read
3 comments
21December

I just got some mail claiming to be from “Bank of America <secure@bofasecure.com>”. It passes SPF: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=185.235.176.160; helo=bofasecure.com; It passes DKIM: Authentication-Results: mx.wordtothewise.com (amavisd-new); dkim=pass (1024-bit key) header.d=bofasecure.com The visible RFC 822 From address is strictly...

October 18, 2017

The feds are deploying DMARC

By steve
2 Min read
Add comment
18October

The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email. It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication. Set up a centralized reporting repository for DMARC failure...

May 26, 2017

Are they using DKIM?

By steve
3 Min read
3 comments
26May

It’s easy to tell if a domain is using SPF – look up the TXT record for the domain and see if any of them begin with “v=spf1”. If one does, they’re using SPF. If none do, they’re not. (If more than one does? They’re publishing invalid SPF.) AOL are publishing SPF. Geocities aren’t. For DKIM it’s harder, as a DKIM key isn’t published at a...

Recent Posts

Archives

Follow Us