Sender ID Framework SPF Record Wizard

Discussion in 'DNS Server' started by Phil, Jun 25, 2005.

  1. Phil

    Phil Guest

    News has it that Microsoft in September will make it mandatory for mail
    servers sending mail to MSN.com and Hotmail.com to comply with their Secure
    ID framework. Currently, Microsoft's technical support for this soon-to-be
    requirement is non-existent. You can find RFCs and technical documents at
    http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

    But as far as support...it doesn't exist.

    The above URL does provide a link to a Sender ID Framework SPF Record
    Wizard (
    http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx ), but
    the wizard itself is flawed. For starters, it doesn't work with Internet
    Explorer 5! Every page of the wizard generates run-time errors.

    For instance on steps 2 and 3, the following code line is faulty:

    var oPopup = window.createPopup();

    Then when one moves from step 3 to step 4, the following code (marked below
    with -> ) is faulty, and prevents the user from proceeding to step 4:

    function RegularExpressionValidatorEvaluateIsValid(val) {
        var value = ValidatorGetValue(val.controltovalidate);
        if (ValidatorTrim(value).length == 0)
            return true;
    ->  var rx = new RegExp(val.validationexpression);
        var matches = rx.exec(value);
        return (matches != null && value == matches[0]);
    }

    And on Step 3, you receive a red warning message about "One or more domain
    names have invalid syntax" whenever you enter a domain that begins with a
    number, such as "911.com". This is for the field marked, "Enter any
    additional domain names whose MX records refer to valid outbound e-mail
    servers for pc-shareware.com (one domain name per line)."

    Then on step 4, the instructions state, "Your SPF record must be published
    in DNS records of type TXT" but the instructions fail to indicate what
    RECORD NAME the administrator should use when creating the new record!

    Microsoft should stop arrogantly demanding compliance from email providers
    around the world while at the same time providing near zero support and
    few instructions on how to become compliant. Their buggy web site and lack
    of simple instructions written in plain English point to this Sender ID
    effort becoming a massive failure.
     
    Phil, Jun 25, 2005
    #1

  2. Kevin D. Goodknecht Sr. [MVP]

    Have you tried the wizard at http://spf.pobox.com ?
    The record you need, if using the DNS management console, is "(same as parent
    folder)" type TXT; if you are editing the zone file it is @ type TXT.

    This is not just Microsoft; AOL has been requiring SPF or matching PTRs and MX
    records for quite some time. This is to prevent someone from sending mail to
    others' mail servers from your domain but not using your authorized mail
    servers or IP addresses. This is to protect you from someone spamming
    someone else using your email address.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Jun 25, 2005
    #2

  3. Phil

    Phil Guest

    > Have you tried the wizard at http://spf.pobox.com ?

    I have tried http://spf.pobox.com but it is just as unhelpful as
    Microsoft's wizard.

    The results of both sites' wizards have been entered as "Other new
    records" in IIS5 with "Resource record type" TXT.

    I type in "spf" for the record name, and paste the text from either wizard
    site into the "Text" region (which, by the way, no one ever states whether
    the text should be a single line or multiple lines with carriage returns; I've
    tried both).

    I click "OK" and then send a test email to 25.com

    The results come back with useless information:

    Summary of Results

    mail-from check: neutral

    PRA check: neutral

    DomainKeys check: neutral (message not signed)

    Details:

    HELO hostname: mydomain.com

    Source IP: (withheld for privacy reasons)

    mail-from:

    PRA Header: from

    PRA:

    SPF TXT record/s:

    PRA TXT record/s:

    Domain Key TXT record:

    None
     
    Phil, Jun 25, 2005
    #3
  4. Kevin D. Goodknecht Sr. [MVP]

    Phil <> posted this:

    Please read inline.
    Leave the name field blank, it must come up by your mail domain name.
    Here is an example using my default mail domain:
    QUESTION SECTION:
    wftx.us. IN ANY

    ANSWER SECTION:
    wftx.us. 3600 IN RP admin.lsaol.com. lsaol.com.
    wftx.us. 172800 IN TXT "v=spf1 ip4:65.65.91.208/29
    mx a:mail.lsaol.com a:mail.lonestaramerica.com a:mail.wftx.us mx:wftx.us
    mx:lsaol.com mx:lonestaramerica.com ~all"
    wftx.us. 3600 IN MX 10 mail.lsaol.com.
    wftx.us. 3600 IN MX 20 mail.lonestaramerica.com.
    wftx.us. 3600 IN MX 30 mail.wftx.us.

    Having your mail server use your domain name as its HELO name is not a best
    practice. Give your mail server a name like mail.mydomain.com and use that
    as the HELO name and PTR name.





     
    Kevin D. Goodknecht Sr. [MVP], Jun 25, 2005
    #4
  5. Phil

    Phil Guest

    > Leave the name field blank, it must come up by your mail domain name.

    Thanks. That solved the problem, but it also begs the question: "Why in the
    world don't the two SPF wizard sites mention this?"

    Now when I send a test email I get the following response back:
    SPF TXT record/s:

    v=spf1 a mx ptr a:mydomain.com a:my-domain.com ip4:63.101.1.2 ip4:63.101.1.3
    include:cox.com ~all

    PRA TXT record/s:

    v=spf1 a mx ptr a:mydomain.com a:my-domain.com ip4:63.101.1.2 ip4:63.101.1.3
    include:cox.com ~all

    Domain Key TXT record:

    None

    I'm not sure what this Question/Answer stuff is all about. I've never come
    across the terms "Question" and "Answer" in respect to DNS.

    I'm not sure what is wrong with my HELO? Why is it not a best practice?

    Also, here is my DNS data (with the domain and IP addresses obfuscated):

    @ A 63.101.1.2
    @ MX 1 mail.my-domain.com.
    mail A 63.101.1.2
    ns1 A 63.101.1.2
    ns2 A 63.101.1.3
    pcs A 63.101.1.2
    secure A 63.101.1.5
    @ TXT ( "v=spf1 a mx ptr a:mydomain.com a:my-domain.com
    ip4:63.101.1.2 ip4:63.101.1.3 include:cox.com ~all" )
    www A 63.101.1.2


    Phil
     
    Phil, Jun 25, 2005
    #5
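    To make concrete what the record Phil published above actually decides, here is an added example (not code from the thread, the wizards, or any SPF library): a minimal evaluator for the mechanisms that record uses (a, mx, ptr, ip4, include, and the qualifiers on all). It works against a constructed in-memory DNS table, so it runs offline; Phil's obfuscated names and 63.101.1.x addresses are reused, while the cox.com data and the 198.51.100.0/24 range are assumptions made so that "include:cox.com" has something to resolve.

```python
import ipaddress

# Constructed in-memory DNS data (not live lookups). The SPF TXT record sits at
# the zone apex ("@"), which is what Kevin's "leave the name blank" advice means.
DNS = {
    "A": {
        "my-domain.com": ["63.101.1.2"],
        "mail.my-domain.com": ["63.101.1.2"],
        "mydomain.com": ["63.101.1.2"],
        "mail.cox.com": ["198.51.100.7"],          # assumed
    },
    "MX": {
        "my-domain.com": ["mail.my-domain.com"],
        "cox.com": ["mail.cox.com"],               # assumed
    },
    "PTR": {"63.101.1.2": ["mail.my-domain.com"]},
    "TXT": {
        "my-domain.com": ("v=spf1 a mx ptr a:mydomain.com a:my-domain.com "
                          "ip4:63.101.1.2 ip4:63.101.1.3 include:cox.com ~all"),
        "cox.com": "v=spf1 ip4:198.51.100.0/24 -all",   # assumed
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_match(name, ip):
    """Does the A record of `name` contain `ip`?"""
    return ip in DNS["A"].get(name, [])


def _mx_match(name, ip):
    """Does any MX host of `name` resolve to `ip`?"""
    return any(_a_match(host, ip) for host in DNS["MX"].get(name, []))


def _ptr_match(name, ip):
    """Simplified ptr: a PTR name of `ip` must lie in `name` and resolve back."""
    for rname in DNS["PTR"].get(ip, []):
        if (rname == name or rname.endswith("." + name)) and _a_match(rname, ip):
            return True
    return False


def check_spf(domain, ip, depth=0):
    """Evaluate the v=spf1 record of `domain` for a connection from `ip`.

    Returns pass / fail / softfail / neutral (the qualifier of the first
    mechanism that matched), none (no record) or permerror.
    """
    terms = (DNS["TXT"].get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    if depth > 10:                      # guard against endless include: chains
        return "permerror"
    for term in terms[1:]:
        qual = "+"                      # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _a_match(arg or domain, ip)
        elif mech == "mx":
            matched = _mx_match(arg or domain, ip)
        elif mech == "ptr":
            matched = _ptr_match(arg or domain, ip)
        elif mech == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism this evaluator does not know
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # record ended without a matching "all"
```

    With the "~all" Phil chose, an unlisted address gets softfail rather than fail, which is why receivers usually only flag rather than reject such mail.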
  6. Kevin D. Goodknecht Sr. [MVP]

    I suppose they assume you already knew it.


    This is the format Dig and Netdig use when doing lookups; I don't use
    nslookup unless I have to.
    Your MX record says your mail server host name is mail.my-domain.com., that
    is the name you should use for the HELO name. Why?
    When your SMTP server connects to another SMTP server, the receiving SMTP
    server may do one of a number of things: do a PTR lookup for the IP your
    SMTP connects from and/or do a PTR lookup for the HELO name. If these
    two names don't match, or the IPs for these names don't match, or the MX
    record says the mail server name doesn't match the HELO name, you are taking
    a chance of having mail rejected from your SMTP server.

    Best practice is to make sure all these names match or some SMTP servers
    will reject your mail.

    On a side note, you may already know this, but if your mail server
    sends/receives mail for multiple domains, the MX record in those other
    domains MUST point to your SMTP server's host/HELO name. You cannot use
    aliases for SMTP server host names. I've seen some admins use multiple host
    names for the same SMTP server in MX records. This is not good. No matter
    what the domain name is, the MX record for that domain must point to your
    SMTP host name. You can use aliases for mail clients to retrieve mail, but
    the SMTP host name remains the same.




     
    Kevin D. Goodknecht Sr. [MVP], Jun 25, 2005
    #6
  7. Phil

    Phil Guest

    > Your MX record says your mail server host name is mail.my-domain.com.,
    > that

    OK. The next question is, HOW does one change the HELO name?

    I'm all confused now. There are other virtual domains on my server that use
    the mail.my-domain.com mail server. For each of the virtual domains, a DNS
    record exists, which includes the following line:

    @ MX 10 mail.my-domain.com.

    I can't tell from your "warning" above whether this is good or bad.

    In a similar vein, what must I do so that all of the virtual domains won't
    have a problem with the Sender ID framework?

    Phil
     
    Phil, Jun 25, 2005
    #7
  8. Herb Martin

    Herb Martin Guest

    > Microsoft should stop arrogantly demanding compliance from email providers
    > lack

    Did you ask HERE for SPF technical support?

    This is PART of Microsoft's technical support strategy.

    And if you ask POLITELY, exhibiting a desire to learn instead
    of complain about something you apparently don't understand yet,
    then I am certain that someone here will help you with SPF.

    For that matter, you can probably continue your rudeness and
    we will help you anyway -- but it won't be as much fun <grin>
     
    Herb Martin, Jun 25, 2005
    #8
  9. Herb Martin

    Herb Martin Guest

    Technically you should use whatever your machine IP reverses
    to when doing a reverse lookup on its PTR record for the IP.

    That the MX should be assigned to THIS name is the other way
    around (if the box is a receiving mail server which isn't a mandatory
    requirement.)

    Depends on the email server but most (practically all ) have this
    setting.

    What is your public email server?

    Right. If the mail server is using mail.my-domain.com for its
    HELO and that is its PTR record name -- then ALL of the
    mail servers for which it receives mail will use a (virtually)
    identical setting in their MX records.

    (Of course the NAME of the record will be different, the name
    of each domain, but they will all point the MX to the SAME
    name on the data, or right hand, side.)
     
    Herb Martin, Jun 25, 2005
    #9
  10. Phil

    Phil Guest

    > Technically you should use whatever your machine IP reverses

    So how does one perform a reverse lookup on a PTR record for an IP?


    The server in question sends and receives mail, hosts web sites, and accepts
    FTP connections. It's an IIS 5/Win2000 Server running IMail 6.

    There's nothing in Imail 6's admin panel for "HELO name"


    What do you mean by "what is..."?


    Well, it is not using MAIL.my-domain.com as its HELO. It's set to
    my-domain.com.

    Unfortunately you've lost me.

    Phil
     
    Phil, Jun 25, 2005
    #10
  11. Phil

    Phil Guest

    > Did you ask HERE for SPF technical support?

    Yes, of course.
    There is nothing about this newsgroup at Microsoft's Secure ID home page. I
    came to the Microsoft newsgroup because I've used other newsgroup sections
    before and thought I might stumble across something relevant to my problem.
    I thought perhaps others who have recently heard the news have run into the
    same problem I have. I came to the Microsoft root newsgroup and did a
    search for "senderid" and came up with nothing. Then I tried "mail" and
    came up with nothing. Then I tried "dns" out of desperation, and vented my
    frustration via a posting.
    How can I understand when Microsoft demands compliance but provides so
    little in the way of easy to understand instructions?

    Surely you've been in situations where technical details on a product are
    lacking, and it is impossible to contact the company responsible for the
    confusion? The result is frustration and anger, no?
    To point out the deficiency of Microsoft's support is not rudeness. It is
    criticism.

    Phil
     
    Phil, Jun 25, 2005
    #11
  12. Kevin D. Goodknecht Sr. [MVP]

    I've had some experience with Imail; each Imail virtual server has to have
    its own IP, if you have set each up on its own virtual server. It uses the
    name you have given to each virtual server.
    On later versions of Imail you can configure the HELO greeting.

     
    Kevin D. Goodknecht Sr. [MVP], Jun 25, 2005
    #12
  13. Phil

    Phil Guest

    > I've had some experience with Imail, each Imail virtual server has to have
    I'm sorry, but you have lost me. Which of my questions was your response
    addressing? When you say "...if you have set each up...", what is the
    "each" referring to?

    Phil
     
    Phil, Jun 26, 2005
    #13
  14. Herb Martin

    Herb Martin Guest

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

    He was likely answering this question of yours immediately previous in the
    thread:
    But his answer (like mine) was general since I didn't know which
    SMTP server you were using and he understands that IMail (presumably
    your server) differs by version.

    Today, if your server doesn't offer this choice you really should upgrade
    or switch. There are plenty of inexpensive servers and many free ones
    that can do such things correctly.

    It will be covered under some setting (frequently blank by default, and
    defaulting to machine name) such as "Announce myself as" (Mercury),
    in IIS6 SMTP "Advanced Delivery: Fully Qualified Domain Name",
    or EXIM "primary_hostname", etc. -- the point is that the names for
    this feature vary across email systems.

    From your other post (consolidating):
    You can check it by typing (at the command line):

    nslookup IP.Add.To.Lookup

    (Ignore any initial error about DNS server names and concentrate on the
    actual answer to the question which nslookup will show down below...)

    For instance:

    nslookup 64.233.185.114

    (one of the GMail MX servers.)

    You will get back gsmtp185-2.google.com which shows that Gmail's
    domain doesn't even use a server in the same "domain" to deliver its email.

    If this Gmail server were to (injudiciously) report itself as
    "mail1.gmail.com"
    many receiving email servers would refuse mail from it.

    SPF is not a technical requirement, it is rather a business rules
    requirement. Setting up is trivial, knowing what to put in the
    setup is either easy (e.g., the wizard on spf.pobox.com gets it
    right on the first try) or mildly challenging (e.g., you have a variety
    of servers which legitimately send email for you and the easy
    choices don't cover that.)
     
    Herb Martin, Jun 26, 2005
    #14
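    The HELO / PTR / MX consistency Kevin lays out in post #6 and the reverse lookup Herb describes in post #14 can be checked mechanically. The following is an added example, not code from the thread: it runs the checks a strict receiver applies against a constructed in-memory DNS table so it works offline. Phil's obfuscated names and 63.101.1.2 are reused; the .example hosts, 203.0.113.5 and the two hosted virtual domains are assumptions added to show the mismatch cases (including Herb's point that a PTR name outside the sending domain is fine as long as it is what the server announces).

```python
# Constructed in-memory DNS data (not live lookups). To run this against real
# DNS, replace the dict lookups with resolver calls (e.g. dnspython).
DNS_A = {
    "my-domain.com": ["63.101.1.2"],
    "mail.my-domain.com": ["63.101.1.2"],
    "vps-5.provider.example": ["203.0.113.5"],        # assumed
    "mail.other-host.example": ["203.0.113.5"],       # assumed
}
DNS_PTR = {
    "63.101.1.2": ["mail.my-domain.com"],
    "203.0.113.5": ["vps-5.provider.example"],        # assumed: PTR names the provider's host
}
DNS_MX = {
    "my-domain.com": ["mail.my-domain.com"],
    "virtual1.example": ["mail.my-domain.com"],       # assumed: hosted domain, correct target
    "virtual2.example": ["mail.other-host.example"],  # assumed: hosted domain, alias target
}


def reverse_lookup(ip):
    """What `nslookup <ip>` answers: the PTR names for the address."""
    return DNS_PTR.get(ip, [])


def check_helo(helo, ip):
    """Return the mismatches a strict receiver could object to (empty = consistent).

    Checks, in order: the IP has a PTR; the HELO name equals that PTR name;
    the HELO name forward-resolves to the IP; the PTR name resolves back to
    the IP (forward-confirmed reverse DNS).
    """
    findings = []
    ptr_names = reverse_lookup(ip)
    if not ptr_names:
        findings.append(f"no PTR record for {ip}")
    elif helo not in ptr_names:
        findings.append(f"HELO {helo} does not match PTR {', '.join(ptr_names)}")
    if ip not in DNS_A.get(helo, []):
        findings.append(f"HELO {helo} does not resolve to {ip}")
    for rname in ptr_names:
        if ip not in DNS_A.get(rname, []):
            findings.append(f"PTR name {rname} does not resolve back to {ip}")
    return findings


def domains_with_wrong_mx(domains, smtp_host):
    """Hosted domains whose MX does not name the SMTP host's own HELO/PTR name."""
    return [d for d in domains if smtp_host not in DNS_MX.get(d, [])]
```

    Phil's current setup (HELO my-domain.com from 63.101.1.2) produces exactly one finding, the HELO/PTR mismatch Kevin pointed at; changing the HELO to mail.my-domain.com clears it.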
  15. Ace Fekay [MVP]
    Microsoft doesn't demand compliance from any other vendor. Microsoft follows
    compliance for their products and services, for the most part, as well as
    other vendors out there. For the most part, email services are pretty
    strictly followed by Microsoft, as well as other services and products that
    follow RFCs or other Internet or IEEE standards.

    Keep in mind, SPF is not a Microsoft product. There is no built in
    mechanism to use SPF.

    But you're using Imail anyway, so that's a moot point. Does Imail have a
    built in mechanism to use SPF?
    Microsoft is trying to help out with SPF by pointing to ANOTHER vendor for
    help, since their products do not DIRECTLY support it, but with 3rd party
    help, it can use it.

    I guess it comes down to understanding what the product is, and doing a
    search on it instead of directly blaming Microsoft for something that's not
    theirs to begin with, and along that line, you are using Imail, and not
    Exchange.

    DNS SPF records are purely TXT records anyway, and MS DNS does follow all
    the RFCs and then some (AD integrated zones, multi-masters, etc).

    Some folks look at it as rude for the straightforward stab as your post
    seems to have implied, and as I have interpreted it as someone not knowing
    where to look for an answer to a question, and decided to take a stab at the
    operating system vendor before just asking. Just asking, as you've already
    seen, has generated a lot of help, despite some of the remarks.

    I would love to spread the word for every admin out there to use the
    Microsoft Public newsgroups to ask for help. It's a great forum.


    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Jun 26, 2005
    #15
  16. Andrew Hodgson

    Is this SPF or something else? I thought they wanted SPF by October
    of last year for hotmail/msn.com etc.

    Thanks.
    Andrew.
     
    Andrew Hodgson, Jun 26, 2005
    #16
  17. Phil

    Phil Guest

    > Is this SPF or something else? I thought they wanted SPF by October
    Here are some quotes from the article that triggered my recent trek of
    frustration...

    ---- begin ------

    Sometime around November, Hotmail and MSN will flag as potential spam those
    messages that do not have the tag to verify the sender...

    "All domain holders and e-mail senders should be publishing SPF records and
    planning to do that now if they want to improve the legitimacy of their
    mail, plus protect their domain and consumers. It is the responsible thing
    to do," Microsoft's Spiezle said.
    Turning on the filters at Hotmail and MSN will give e-mail senders a reason
    to adopt Sender ID, Spiezle said. Without an incentive, many have said that
    they won't publish SPF records, he said. "We're in a catch-22," he said.
    "What we're trying to do is to do the right thing by giving everyone advance
    notice."

    However, this Microsoft effort to push adoption of Sender ID is likely to
    fail, certainly with such a short deadline, said Jonathan Penn, an analyst
    at Forrester Research. "Hotmail is in no position to dictate that
    organizations adopt Sender ID," he said.

    ....

    Microsoft argues that publishing SPF records is simple.

    -------- end of snippet ------

    Publishing SPF records COULD be simple if Microsoft posted SIMPLE
    instructions for those like me who don't live, breathe and eat DNS on a
    daily basis.

    You can read the entire article at http://tinyurl.com/c7eg3

    Phil
     
    Phil, Jun 27, 2005
    #17
  18. Phil

    Phil Guest

    > Today, if you server doesn't offer this choice you really should upgrade
    It costs nearly $1000 to upgrade.

    Can you name a few?

    I see nothing obvious in IMail that pertains to the HELO name.

    In November it will become a requirement if you expect mail sent to Hotmail
    and MSN not to bounce back or be flagged as SPAM.

    If I am a web hosting company, and have 200 virtual domains on my IIS
    5.0/Win 2000 Server server, I don't consider having to add 200 new DNS TXT
    entries as "trivial". A PITA is a more appropriate term.

    Phil
     
    Phil, Jun 27, 2005
    #18
  19. Phil

    Phil Guest

    > Microsoft doesn't demand compliance from any other vendor.

    Ace,

    All I know is that come November ALL email sent to Hotmail and MSN will be
    marked as SPAM by Microsoft unless the sending mail server is SPF compliant.

    No, it does not.

    Microsoft is to blame for strong arming compliance but not providing
    adequate information or tools to those of us who do not eat, sleep and drink
    DNS on a daily basis. I set up my colocated server 4 years ago, and DNS was
    and still a mystery to me. I got help back then and have avoided messing
    with it ever since.

    I fail to see what Imail has to do with this. Microsoft is strong arming
    ALL email servers to comply to SPF.

    I guess one man's frustration is another man's rudeness.

    And I do appreciate the assistance, although I still have more unanswered
    questions than I do resolved issues.

    Phil
     
    Phil, Jun 27, 2005
    #19
  20. Ace Fekay [MVP]

    As do probably AOL and a number of other content providers. I can understand
    the urgency and it is a step in the right direction of combating the
    current growing spam problem.

    I'm sure Microsoft didn't make the decision lightly and without considering
    all the ill effects it would cause providers out there. How else would you
    suggest to combat spam?

    There have been some suggestions to combat spam, such as SPF. Microsoft had
    one similar to SPF called SenderID, with added parameters of using XML as an
    authentication scheme and may well get adopted as well, a little more
    complicated:
    http://www.microsoft.com/presspass/press/2004/may04/05-25spfcalleridpr.mspx

    It seems everyone now is accepting SPF as a step in the right direction as a
    partial solution other than everyone out there obtaining a digital
    certificate for their MTAs (SMTP servers) to authenticate their mail
    sessions. That is the one way to kill spam, but I think that will take years
    to adopt, if it does at all. So SPF seems to be the way.

    So would you strike at AOL as well as Microsoft for adopting SPF?

    Will new authentication technology spell the end of spam?:
    http://techrepublic.com.com/5100-1009_11-5677961.html?tag=nl.e106

    or maybe this solution as I hinted at:
    http://techrepublic.com.com/5208-11193-0.html?forumID=4&threadID=172722&messageID=1757659

    Which is also discussed here (with a good history of SMTP and how it came
    about and was based on 'trusting' others out there to follow the unwritten
    rule of not spamming...
    Is it time to replace SMTP?:
    http://techrepublic.com.com/5100-1009-5729720.html?tag=nl.e044


    Neither does Exchange. So I guess it would bother admins that use Exchange
    as well, about adopting SPF. Unfortunately, a 3rd party tool will be
    required for an Exchange server, as well as Imail, to check against an SPF
    TXT record.

    Believe me, I deal with Exchange email servers almost on a daily basis with
    my clients, and I understand the implications and have made steps in the
    right direction. I have already created SPF records for all my hosted
    domains and my clients' domains as well. I'm preparing for the future to
    help combat spam as best as the tools provided us.
    They are not strong arming anyone. They are just saying, this is what we are
    going to do, (as well as others out there), and for MSN and Hotmail servers
    to know your server is legit, you'll need to take that step into the future.

    I believe your 'strong arm' comment came from this article talking about
    SenderID:
    Microsoft pushes spam-filtering technology (Last modified: June 22, 2005,
    6:25 PM PDT):
    http://msn-cnet.com.com/Microsoft+pushes+spam-filtering+technology/2100-7355_3-5758365.html

    And I agree with Microsoft, publishing an SPF TXT record is rather simple,
    as stated in that article, and using the wizard at http://spf.pobox.com
    Like I said, even with Exchange, it would require a 3rd party addition to
    implement it, unless they release a future service pack with built in
    mechanism to use SPF. I would also assume many email software vendors will
    provide a built in addition to use it.
    I guess that's one way of putting it.
    I hope we can help you with your unanswered questions. At least you've found
    the right place for help.

    Ace
     
    Ace Fekay [MVP], Jun 27, 2005
    #20
