spf/sender id and hotmail

Hi,

I have spf records created and validated from every test tool/provider I can
find (i.e. Gmail, Return-Path, etc.). All pass except for hotmail. Any email
I send to hotmail fails spf/sender id validation and has the following
appended to the header:

X-Message-Status: n
X-SID-PRA: Eric <sender's email address>
X-SID-Result: TempError

Gmail on the other hand shows as:

Received-SPF: pass (gmail.com: domain of <email address> designates <ip
address of mail server> as permitted sender)

I'm struggling to find the issue. Any help would be greatly appreciated.

-Eric

 

I have spf records created and validated from every test tool/provider I
can

This one seems to be the defacto canonical tester...

http://www.kitterman.com/spf/validate.html

(Yes, I know it has no official standing but this is the one the folks on
the seem to rely on as the final arbitrator.
If you can find a true error in the tester I believe they will listen and
fix it.)

Also you might join that list as there are some very SPF-smart people
who will help you.

It was pretty silly to remove your email address if you want help since
we cannot check it.

We also need the SMTP server name and address.

Different servers validate to different levels of strictness or correctness.

Post the record and the other info if you wish help. Or do so on the SPF
discuss list.

 

Hi Herb,

Very valid points. Here is a complete message that does not validate through
hotmail's web site. The mail server is mail.dk.iconix.com (66.80.15.197)

-Eric

X-Message-Status: n
X-SID-PRA: Eric <>
X-SID-Result: TempError
X-Message-Info: JGTYoYF78jHg2VPRDK75XDEWq4wQbCUJAFw2NDIoxHw=
Received: from dk.iconix.com ([66.80.15.197]) by mc1-f34.hotmail.com with
Microsoft SMTPSVC(6.0.3790.211);
Tue, 23 Aug 2005 20:23:40 -0700
DKIM-Signature: a=rsa-sha1; c=nowsp; d=dk.iconix.com; s=dk1024;
t=1124853820; x=1125458620; i=; q=dns;
h=DomainKey-Signature:
Received:Receivedate:From:To:Subject:MIME-Version:Content-Type:
Message-ID; b=lag1YZBlMjJD9V5ibNFZCctII/UZDDyohoIrlXuQHsI/qGiacTA
NEwlPaOlVeH+6mPgIZKJokHvdaSO0XEbkSE3L1vM4rJN3t2UCvlP4Ra63JqlC9I0
cNXx/Mn4dZ5etdBYeuHwbwfT4x5et+XtSsaTq0PWxLOcyZfqgvsU1bnQ=
DomainKey-Signature: a=rsa-sha1; s=dk1024; d=dk.iconix.com;
c=simple; q=dns; h=from:message-id;
b=JneLp3xaXCzMZey5G9HL3Z8rxXd8fKqMmsUPrl9OBHVrct+fkPNyHgwwQHrP24am4nAwbVbXFaAQ0rqfcJZfvBxzZ2kQwRYN85W84o4XkUc0ECWaEY29zqtAYe4S9lNTVXwJ9vUR+WIciqDBrQfD3O1LqRNVpJdOpsadxGCFxS8=;
Received: from WorldClient by dk.iconix.com
(MDaemon.PRO.v8.1.1.R)
with ESMTP id md50000000472.msg
for <>; Tue, 23 Aug 2005 20:23:38 -0700
Received: from [69.107.134.142] via WorldClient with HTTP;
Tue, 23 Aug 2005 20:23:36 -0700
Date: Tue, 23 Aug 2005 20:23:36 -0700
From: "Eric" <>
To:
Subject: testing from dk
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_0823-2023-36-PART-BREAK"
Message-ID: <>
X-Mailer: WorldClient 8.1.1
X-Authenticated-Sender:
X-Spam-Processed: mail.dk.iconix.com, Tue, 23 Aug 2005 20:23:38 -0700
(not processed: message from valid local sender)
X-Return-Path:
X-MDaemon-Deliver-To:
Return-Path:
X-OriginalArrivalTime: 24 Aug 2005 03:23:41.0040 (UTC)
FILETIME=[39847700:01C5A85B]

--_0823-2023-36-PART-BREAK
Content-Type: text/plain

testing

--_0823-2023-36-PART-BREAK
Content-Type: text/html

<HTML><BODY>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: tahoma; BACKGROUND-COLOR: white">
testing</DIV>
</BODY></HTML>

--_0823-2023-36-PART-BREAK--

 

SPF checker on http://www.kitterman.com/spf/validate.html
validates 66.80.15.197 as legitimate source of email from


So returning to the Hotmail results (full results might help
more here too):

X-Message-Status: n
X-SID-PRA: Eric <sender's email address>
X-SID-Result: TempError

We might wonder if Hotmail is messed up, especially on a
temporary error which is usually (as I understand it) due to
DNS lookup failures (not finding server rather than record
missing or wrong) and such things which will cause an
unverifiable result which MAY be valid later but first we
should check YOUR DNS for correctness:

Doing NSLookup for:

nslookup -q=ns dk.iconix.com

....gives:
ns1.dnspark.net internet address = 69.44.153.5
ns2.dnspark.net internet address = 81.29.64.97
ns3.dnspark.net internet address = 66.98.161.195

And these servers don't seem able to return a TXT record for
the zone dk.iconix.com EVEN THOUGH the SPF checker seems
to have found it.

nslookup -q=txt dk.iconix.com 66.98.161.195
(or when specifying either of your other DNS servers:
81.29.64.97 and 69.44.153.5)

....does NOT return a record EVEN THOUGH my own DNS server
seems to have your TXT in cache when I leave off the specific
DNS server (using it's own non-authoritative cache) -- this is odd
since I cannot get the correct results from ANY of the authoritative
servers directly but seem to have it in cache from SOMEWHERE,
so my working assumption is that we have some kind of weird
intermittent error... (keep reading...)

Also: http://www.dnsreport.com/ gives a (total) failure for this
zone (dk.iconix.com) and there are problems in querying the parent,
i.e., iconix.com for ns (or txt records) for this zone.

Checking the parent, iconix.com, at http://www.dnsreport.com/ reveals
stealth (missing, unreachable) DNS servers which is a more serious
problem and LIKELY ACCOUNTS for the intermittent failures:

(stealth DNS servers for iconix.com):
ns04.savvis.net.
ns01.savvis.net.
ns02.savvis.net.

Rechecking dk.iconix.com then shows the zone at DNSReport which is
likely due to having loaded all of the iconix nameservers (including the
one working/reachable server) into cache there, but then gives "Glue"
warnings -- which means that not all of your nameservers for the child
(dk) are listed in the parent zone, and claims that at least one of the
child DNS servers are stealth as well (i.e., ns3.dnspark.net. which is:
66.98.161.195)

I would suggest fixing the DNS problems at BOTH iconix.com and
dk.iconix.com before worrying further about the SPF, then when you
have that all working retest the Hotmail and other SPF checks.