For this article to make any sense whatsoever you have to understand that I enforce SPF in my mail system, which I described in SPF – not all it’s cracked up to be.
Well, some domain admins boldly eliminated their SOFTFAIL conditions – but didn’t quite manage to pull it off correctly! Today I ran into this example. A sender from the domain pclnet.net sent me email from IP 18.104.22.168 which I didn’t get – my SPF protection rejected it. The sender got an error:
550 IP Authorization check failed - psmtp
Let’s look at his SPF record with this DNS query:
$ dig txt pclnet.net
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> txt pclnet.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42145
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pclnet.net.            IN      TXT
;; ANSWER SECTION:
pclnet.net.     300     IN      TXT     "v=spf1 mx ip4:22.214.171.124 ip4:126.96.36.199 ip4:188.8.131.52 ipv4:184.108.40.206 ipv4:220.127.116.11 -all"
That IP, 18.104.22.168, is right there at the end. So what’s the deal?
Well, Google/Postini was called in for help. They apparently still have people who are on the ball, because they noticed something funny about this SPF record: it isn’t correct. Notice that the first few IPs are prefixed with ip4? Well, the last IPs are prefixed with ipv4! They are not both valid. In fact, ipv4 is not valid syntax, so those IPs are not considered by programs which evaluate SPF records, hence the rejection!
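A check like the following would have caught the typo before the record was published. This is an added example, not code from the original article or from any SPF implementation; `lint_spf` and the other names are hypothetical, and the sample input is the TXT record quoted above.

```python
import difflib
import ipaddress
import re

# Mechanism names defined by the SPF specification (RFC 7208).
# Any other mechanism name is a syntax error in the record.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# The TXT record quoted in the article, used here as sample input.
RECORD = ("v=spf1 mx ip4:22.214.171.124 ip4:126.96.36.199 ip4:188.8.131.52 "
          "ipv4:184.108.40.206 ipv4:220.127.116.11 -all")
# [qualifier] name [separator argument]
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.\-]*)(?:([:/=])(.*))?$")


def lint_spf(record):
    """Return (term, problem) pairs for every term that is not valid SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [(record, "record does not start with v=spf1")]
    problems = []
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            problems.append((term, "unparseable term"))
            continue
        qualifier, name, sep, arg = m.groups()
        name = name.lower()
        if sep == "=" and not qualifier:
            continue  # name=value modifier; unknown modifiers are ignored by SPF
        if name not in MECHANISMS:
            guess = difflib.get_close_matches(name, sorted(MECHANISMS), n=1)
            hint = f", did you mean '{guess[0]}'?" if guess else ""
            problems.append((term, f"unknown mechanism '{name}'{hint}"))
        elif name in ("ip4", "ip6"):
            try:
                # ip4/ip6 must carry ":<address>[/prefix]" of the matching family
                net = ipaddress.ip_network(arg if sep == ":" else "", strict=False)
                if net.version != int(name[2]):
                    raise ValueError("wrong address family")
            except ValueError as exc:
                problems.append((term, f"bad {name} argument: {exc}"))
    return problems


if __name__ == "__main__":
    for term, problem in lint_spf(RECORD):
        print(f"{term}: {problem}")
```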
My recourse in this case was to remove SPF enforcement on an exception basis for this one domain.
It’s now a few months after my original post about SPF. I’m sticking with it and hope to increase its adoption more broadly. It has worked well, and the exceptions, such as today’s, have been few and far between. It’s a good tool in the fight against spam.