scott at kitterman
Oct 27, 2006, 8:32 AM
Post #8 of 8
On Thursday 26 October 2006 23:03, Mark Wolk wrote:
Re: SPF prevents mail from being delivered to Hotmail
[In reply to]
> In the Hotmail saga, here is my latest discovery.
> As we all know, Hotmail receives email very unreliably. Many
> legitimate mails end up in the junk mail folder, many others simply
> Mail to Hotmail seemed to work better depending on providers used.
> I.e. mails from my domains sent though ControlledMail would arrive
> into Hotmail's inbox perfectly; whereas the same mails sent through
> Tuffmail would end up in Hotmail's junk mail folder.
I don't know anything about the other providers that you use, so I can't
directly comment, but I can add some background here...
With controlledmail.com, I produce RFC compliant mail with good
forward/reverse DNS, etc. Additionally, the service is a boutique service.
I screen customers more closely that most anyone else does and am careful
about who I am willing to let send the my MTAs. This keeps the revenue curve
rather flatter than I would prefer in the short term, but will eventually, I
think, pay off. As a result, I am virtually certain the the number of
messages that could reasonably be classified as spam coming out of my MTAs is
zero (unreasonable classification I can't prevent).
So, I thinking that Hotmail may be applying some sort of additional reputation
checks to SID compliant mail that is causing less careful provider's mail to
get dumped (I'm basically agreeing with Alex on this). They do have a
service that your provider can use to see what 'spam' Hotmail have gotten
from the provider's IP range. I've signed up for it, but it has yet to show
me any data. Perhaps the other provider can find out some specifics that way
and help clear this up.
> As an experiment, I have totally removed the SPF record of one of my
> domains, guidedvacation.com. I waited ca 2 weeks (knowing that
> Hotmails caches SPF records). And here is my experiment of today:
> - mail from guidedvacation.com sent through Tuffmail arrives perfectly
> in Hotmail's inbox
> - mail from any other of my domains, that still have an SPF record,
> sent through Tuffmail arrives in Hotmail's junk mail folder
I think this is consistent with the extra reputation checks theory I suggested
> In other terms having an SPF record is harmful if you want to send
> mail to Hotmail. Removing the SPF record will improve reliability of
> email delivery to Hotmail.
I'd put it slightly differently, it seems to me that this is true only for
some senders, otherwise the traffic you send through my service would be
equally unreliable. The risk is SPF plus some other unknown factor.
> SPF also seems to be useless with joejob prevention. Spammers use my
> SPF-protected domains more and more to send their spam. I receive
> thousands of returned mails which I have never sent before, and I have
> constantly to increase my filters so they don't flood my inbox. So SPF
> does not seem to do the job it was designed to, and I wonder, at the
> end, what is its use now?
One of the things with spam is that it seems to me that there are a relatively
few number of spammers doing most of this kind of stuff. At this point, SPF
is still a young technology and the preventative effect is mostly as a
deterrent. Frank and I (and others) have had the 'fortune' to have been
plagued by spammers that were deterred from forging our domains at the
current level of deployment. Clearly your spammer is less concerned.
I have seen, in the last 6 - 9 months, a significant upswing in the number of
questions we get about how to deploy SPF checking. I believe that as the
rejection rate due to SPF increases and forging SPF domains begins to have a
larger effect on deliverability, more spammers will be deterred, so I would
council patience wrt SPF. I you want, contact me offlist and we can see if I
can do anything to help you through other means in the meantime.
On Friday 27 October 2006 01:48, Steve Yates <steve [at] teamits> wrote:
> Mark Wolk <mailto:markwolk [at] gmail> wrote on Thursday, October 26,
> Did you also set up a Sender ID record for this domain and test
> with that? Is there an SPF record set up for the HELO greeting of the
> outgoing (Tuffmail ?) mail server?
Since Mark is a customer of mine, I've reviewed his SPF records in detail and
they do not have any of the usual problems that would trip up Hotmail or SID.
For his use case the v=spf1 records should be adequate.
I checked one of the Tuffmail outbound servers and it does have an SPF record
On Friday 27 October 2006 05:51, Mark Wolk wrote:
> You wrote: *****If you followed the tuffmail advice with "~all"
> (SOFTFAIL) at the end of your policies don't expect too much, that's
> mainly for testing.*****
> The thousands of returned junk mails I mentioned had been sent by
> spammers from domains of mine that have "v=spf1 -all", i.e. which
> should never send any email at all.
Which is confirmation that your spammer is not yet intimidated by SPF.
> I am still reluctant in using "-all" on my domains which are
> authorised to send mail, as some incorrectly configured recipients
> reject them.
That is not an unreasonable concern, but my experience has been that this is a
noise level issue. I've had -all records for over two years and have had a
total of 4 e-mails rejected in that time. Here are the root causes:
1 - My ISP at the time was adding an SPF-Received header to outgoing mail and
one receiver incorrectly rejected on that (the mails were all going out with
Fail in the header because of course my client IP address wasn't in my SPF
record). So that one took two errors.
1 - One receiver had incorrectly enabled SPF checking on an internal server.
What happened was that the server used to be a border MTA, but then due to a
merger was no longer on the border for the larger company and it wasn't
2 - Actualy forwarding related rejections. One of my consulting customers got
spun off to a new company. The old company set up mail forwarding from the
old addresses to the new addresses and the new company checked SPF. I had
two messages rejected and since the new e-mail address was in the rejection
message it took all of a minute to resend the messages to the correct
So, in my experience the risk is pretty low. Most people I've heard from have
had similar experiences. Since you have multiple domains, you might try it
with one or two and see how it goes.
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=cbdbbc81