spf/sender id and hotmail

Discussion in 'DNS Server' started by Eric L, Aug 23, 2005.

  1. Eric L

    Eric L Guest

    Hi,

    I have spf records created and validated from every test tool/provider I can
    find (i.e. Gmail, Return-Path, etc.). All pass except for hotmail. Any email
    I send to hotmail fails spf/sender id validation and has the following
    appended to the header:

    X-Message-Status: n
    X-SID-PRA: Eric <sender's email address>
    X-SID-Result: TempError

    Gmail on the other hand shows as:

    Received-SPF: pass (gmail.com: domain of <email address> designates <ip
    address of mail server> as permitted sender)

    I'm struggling to find the issue. Any help would be greatly appreciated.

    -Eric
     
    Eric L, Aug 23, 2005
    #1
    1. Advertisements

  2. Eric L

    Herb Martin Guest

    I have spf records created and validated from every test tool/provider I
    can
    This one seems to be the defacto canonical tester...

    http://www.kitterman.com/spf/validate.html

    (Yes, I know it has no official standing but this is the one the folks on
    the seem to rely on as the final arbitrator.
    If you can find a true error in the tester I believe they will listen and
    fix it.)

    Also you might join that list as there are some very SPF-smart people
    who will help you.
    It was pretty silly to remove your email address if you want help since
    we cannot check it.

    We also need the SMTP server name and address.
    Different servers validate to different levels of strictness or correctness.
    Post the record and the other info if you wish help. Or do so on the SPF
    discuss list.
     
    Herb Martin, Aug 24, 2005
    #2
    1. Advertisements

  3. Eric L

    Eric L Guest

    Hi Herb,

    Very valid points. Here is a complete message that does not validate through
    hotmail's web site. The mail server is mail.dk.iconix.com (66.80.15.197)

    -Eric

    X-Message-Status: n
    X-SID-PRA: Eric <>
    X-SID-Result: TempError
    X-Message-Info: JGTYoYF78jHg2VPRDK75XDEWq4wQbCUJAFw2NDIoxHw=
    Received: from dk.iconix.com ([66.80.15.197]) by mc1-f34.hotmail.com with
    Microsoft SMTPSVC(6.0.3790.211);
    Tue, 23 Aug 2005 20:23:40 -0700
    DKIM-Signature: a=rsa-sha1; c=nowsp; d=dk.iconix.com; s=dk1024;
    t=1124853820; x=1125458620; i=; q=dns;
    h=DomainKey-Signature:
    Received:Received:Date:From:To:Subject:MIME-Version:Content-Type:
    Message-ID; b=lag1YZBlMjJD9V5ibNFZCctII/UZDDyohoIrlXuQHsI/qGiacTA
    NEwlPaOlVeH+6mPgIZKJokHvdaSO0XEbkSE3L1vM4rJN3t2UCvlP4Ra63JqlC9I0
    cNXx/Mn4dZ5etdBYeuHwbwfT4x5et+XtSsaTq0PWxLOcyZfqgvsU1bnQ=
    DomainKey-Signature: a=rsa-sha1; s=dk1024; d=dk.iconix.com;
    c=simple; q=dns; h=from:message-id;
    b=JneLp3xaXCzMZey5G9HL3Z8rxXd8fKqMmsUPrl9OBHVrct+fkPNyHgwwQHrP24am4nAwbVbXFaAQ0rqfcJZfvBxzZ2kQwRYN85W84o4XkUc0ECWaEY29zqtAYe4S9lNTVXwJ9vUR+WIciqDBrQfD3O1LqRNVpJdOpsadxGCFxS8=;
    Received: from WorldClient by dk.iconix.com
    (MDaemon.PRO.v8.1.1.R)
    with ESMTP id md50000000472.msg
    for <>; Tue, 23 Aug 2005 20:23:38 -0700
    Received: from [69.107.134.142] via WorldClient with HTTP;
    Tue, 23 Aug 2005 20:23:36 -0700
    Date: Tue, 23 Aug 2005 20:23:36 -0700
    From: "Eric" <>
    To:
    Subject: testing from dk
    MIME-Version: 1.0
    Content-Type: multipart/alternative; boundary="_0823-2023-36-PART-BREAK"
    Message-ID: <>
    X-Mailer: WorldClient 8.1.1
    X-Authenticated-Sender:
    X-Spam-Processed: mail.dk.iconix.com, Tue, 23 Aug 2005 20:23:38 -0700
    (not processed: message from valid local sender)
    X-Return-Path:
    X-MDaemon-Deliver-To:
    Return-Path:
    X-OriginalArrivalTime: 24 Aug 2005 03:23:41.0040 (UTC)
    FILETIME=[39847700:01C5A85B]

    --_0823-2023-36-PART-BREAK
    Content-Type: text/plain

    testing

    --_0823-2023-36-PART-BREAK
    Content-Type: text/html

    <HTML><BODY>
    <DIV style="FONT-SIZE: 10pt; FONT-FAMILY: tahoma; BACKGROUND-COLOR: white">
    testing</DIV>
    </BODY></HTML>

    --_0823-2023-36-PART-BREAK--
     
    Eric L, Aug 24, 2005
    #3
  4. Eric L

    Herb Martin Guest


    SPF checker on http://www.kitterman.com/spf/validate.html
    validates 66.80.15.197 as legitimate source of email from


    So returning to the Hotmail results (full results might help
    more here too):

    X-Message-Status: n
    X-SID-PRA: Eric <sender's email address>
    X-SID-Result: TempError

    We might wonder if Hotmail is messed up, especially on a
    temporary error which is usually (as I understand it) due to
    DNS lookup failures (not finding server rather than record
    missing or wrong) and such things which will cause an
    unverifiable result which MAY be valid later but first we
    should check YOUR DNS for correctness:

    Doing NSLookup for:

    nslookup -q=ns dk.iconix.com

    ....gives:
    ns1.dnspark.net internet address = 69.44.153.5
    ns2.dnspark.net internet address = 81.29.64.97
    ns3.dnspark.net internet address = 66.98.161.195

    And these servers don't seem able to return a TXT record for
    the zone dk.iconix.com EVEN THOUGH the SPF checker seems
    to have found it.

    nslookup -q=txt dk.iconix.com 66.98.161.195
    (or when specifying either of your other DNS servers:
    81.29.64.97 and 69.44.153.5)

    ....does NOT return a record EVEN THOUGH my own DNS server
    seems to have your TXT in cache when I leave off the specific
    DNS server (using it's own non-authoritative cache) -- this is odd
    since I cannot get the correct results from ANY of the authoritative
    servers directly but seem to have it in cache from SOMEWHERE,
    so my working assumption is that we have some kind of weird
    intermittent error... (keep reading...)

    Also: http://www.dnsreport.com/ gives a (total) failure for this
    zone (dk.iconix.com) and there are problems in querying the parent,
    i.e., iconix.com for ns (or txt records) for this zone.

    Checking the parent, iconix.com, at http://www.dnsreport.com/ reveals
    stealth (missing, unreachable) DNS servers which is a more serious
    problem and LIKELY ACCOUNTS for the intermittent failures:

    (stealth DNS servers for iconix.com):
    ns04.savvis.net.
    ns01.savvis.net.
    ns02.savvis.net.

    Rechecking dk.iconix.com then shows the zone at DNSReport which is
    likely due to having loaded all of the iconix nameservers (including the
    one working/reachable server) into cache there, but then gives "Glue"
    warnings -- which means that not all of your nameservers for the child
    (dk) are listed in the parent zone, and claims that at least one of the
    child DNS servers are stealth as well (i.e., ns3.dnspark.net. which is:
    66.98.161.195)

    I would suggest fixing the DNS problems at BOTH iconix.com and
    dk.iconix.com before worrying further about the SPF, then when you
    have that all working retest the Hotmail and other SPF checks.
     
    Herb Martin, Aug 24, 2005
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.