
This is my current SPF record. It works well with Gmail and Yahoo, but Hotmail was ignoring it. So I used their submit system and now they have replied to me with the text below.

This is my current SPF record:

v=spf1 a mx ptr ~all

[screenshot of the DNS zone entry holding the SPF TXT record; image not reproduced]

Now this is Hotmail's message:

We have successfully added your domain to the Sender ID program. This may take up to 2 business days to be fully replicated in our systems. If you have any questions regarding this please let me know.

We reviewed your SPF record and note that it includes the "ptr" or reverse DNS lookup mechanism. The specification for SPF records (RFC 4408) discourages use of "ptr" for performance and reliability reasons. This is especially important for Windows Live Mail, Hotmail and other large ISPs as a result of the very high volume of mail we receive each day. We highly recommend you remove the "ptr" mechanism from your SPF record and, if necessary, replace it with other SPF mechanisms that do not require a reverse DNS lookup, such as "a", "mx", "ip4" and "include." This will help ensure that Sender ID validation is performed as accurately as possible, maximizing your email deliverability while protecting your domain from spoofing.

So my question is simple. What is the correct way to write it so that it is what Hotmail wants? Thank you.

Headers of an email Hotmail received from my server:

Authentication-Results: hotmail.com; 
sender-id=temperror (sender IP is 85.17.154.139) 
header.from=noreply@monstermmorpg.com; 
dkim=pass 
header.d=monstermmorpg.com; 
x-hmca=pass
X-Message-Status: n:0:n
X-SID-PRA: MonsterMMORPG <noreply@monstermmorpg.com>
Furkan Gözükara
  • The exact answer will depend on why the `ptr` is in there. If it was added for no particular reason, it can just be removed. If it was added for a particular reason, some other way to do whatever made it required will be needed. – David Schwartz Mar 12 '12 at 03:19
  • David and Sysadmin1138 are both correct, but it's worth noting that the "~" before all means "soft" fail all others. It's a cop-out for people who haven't put the time in to maintaining their SPF record and some servers will hold that against you (like all of the ones I control). The "correct" version should have "-all". – Chris S Mar 12 '12 at 04:06
  • You're asking what the correct method is and it seems to me they told you ..."We highly recommend you remove the "ptr" mechanism from your SPF record and, if necessary, replace it with other SPF mechanisms that do not require a reverse DNS lookup, such as "a", "mx", "ip4" and "include."" So just remove ptr like they recommend. – Jim B Mar 12 '12 at 04:55
  • Chris S, so can you tell me the correct version of it? – Furkan Gözükara Mar 12 '12 at 13:23
  • @MonsterMMORPG Edited my previous comment. Thanks for pointing that out. – Chris S Mar 12 '12 at 14:47
  • @Chris S Thanks a lot for the reply. So the latest version is v=spf1 a mx -all – Furkan Gözükara Mar 12 '12 at 23:28

3 Answers

6

In your case, the same string you're using minus the ptr should do the trick.

v=spf1 a mx ~all
sysadmin1138
  • Thank you for the answer. Actually I only need SPF for verifying my noreply.monstermmorpg.com. Should I modify the SPF record to a better version instead of all? Though I am the only one who sends email via my domain. If I should modify it, how can I do it? – Furkan Gözükara Mar 12 '12 at 13:22
  • I also added the headers of an email Hotmail received from my server to the main post. So how should I modify the SPF record and make it the best possible way, like Chris S suggested? – Furkan Gözükara Mar 12 '12 at 13:27
3

The first question you need to ask yourself is, "From how many domains am I sending email?".

In this case, you are only sending email from one domain, namely monstermmorpg.com. The "@" in your screenshot refers to the ORIGIN, which is the domain that your zone file covers (presumably also monstermmorpg.com). The next question you ask is, "Do the A/MX/etc. records associated with the name that your TXT SPF record is pointing to point to the IP that sends mail?" For example, let's say your DNS zone looks like this...

$ORIGIN monstermmorpg.com.
 ... 
monstermmorpg.com. A      85.17.154.139       ; this points directly to an IP, and will be the final destination in the DNS lookup chain
www                CNAME  monstermmorpg.com.  ; www.monstermmorpg.com will look up the A/CNAME record for monstermmorpg.com
mail               MX     monstermmorpg.com.  ; mail.monstermmorpg.com points to and will look up monstermmorpg.com
@                  MX     monstermmorpg.com.  ; email looking for monstermmorpg.com will look up the A/CNAME record for monstermmorpg.com
@                  TXT    "v=spf1 a mx ptr ~all"

In this case, if 85.17.154.139 is the public IP for the server that sends mail, you can change your SPF record to this...

"v=spf1 a -all"

This means that it takes the A record that corresponds with the TXT record and checks to see if it matches the IP in the emails supposedly sent from your domain. If it's a match, awesome! It goes through. If it doesn't match, it means some spammer is masquerading as your domain, and it will be dropped. You don't need to put redundant A and MX references in the SPF record if there's only one server sending mail, and both records ultimately point to the same IP. Another (more efficient, because it doesn't require a DNS lookup) option is as follows...

"v=spf1 ip4:85.17.154.139 -all"

If your mail server IP rarely changes, this may be a good solution. It's also much easier to understand from your (the admin's) perspective.

The hard -all is preferred over the soft ~all because some mail servers like to be 100% certain that the mail is really coming from you.

Bigbio2002
  • He's got multiple servers, at least one of which is on a hosted plan where the IP can change; it's a fair amount more complicated than this. But this is good advice in general. – Chris S Mar 14 '12 at 18:10
  • Thanks a lot for the detailed reply. This is my latest SPF record, what do you think?: v=spf1 a mx include:secureserver.net -all – Furkan Gözükara Mar 15 '12 at 19:40
  • Is the IP address of secureserver.net one of the places where mail ending in @monstermmorpg.com originates from? If not, you can leave the include: part out. Also, if both the A and MX records point to the same IP, you can just use one or the other. There's no harm in having duplicates or extras if you're unsure though; as it stands, it's technically correct. – Bigbio2002 Mar 16 '12 at 18:05
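The question's "v=spf1 a mx ptr ~all" and the records proposed in this answer differ in two ways a reader may want to see concretely: which SPF result a given sending IP gets (pass, softfail under "~all", fail under "-all"), and how many DNS queries each mechanism costs, which is the reason Hotmail's notice asks for "ptr" to be dropped. The following evaluator is an added example, not code from the thread or from any SPF library. It resolves the a / mx / ptr / ip4 / include mechanisms against a constructed in-memory zone so it runs offline: the apex IP is the one from the question's headers, while the MX host mail.monstermmorpg.com, the PTR entry and secureserver.net's address range (TEST-NET-3) are invented for the demonstration.

```python
"""Toy SPF evaluator (added example, not from the Server Fault thread).

Walks a record left to right the way RFC 4408 describes, resolving the
a / mx / ptr / ip4 / include mechanisms against a constructed in-memory
zone so it runs offline, and counts the DNS queries each check costs.
"""
import ipaddress

# Constructed zone data standing in for live DNS. The apex IP is the one
# from the question's headers; the MX host, the PTR entry and the
# secureserver.net range (TEST-NET-3) are assumptions for this example.
DNS = {
    "A":   {"monstermmorpg.com": ["85.17.154.139"],
            "mail.monstermmorpg.com": ["85.17.154.139"]},
    "MX":  {"monstermmorpg.com": ["mail.monstermmorpg.com"]},
    "PTR": {"85.17.154.139": ["mail.monstermmorpg.com"]},
    "TXT": {"secureserver.net": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name, queries):
    """Resolve `name` in the constructed zone and record the query."""
    queries.append((rtype, name.lower()))
    return DNS.get(rtype, {}).get(name.lower(), [])


def matches(mech, ip, domain, queries):
    """True if one mechanism matches the sending IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":                       # no DNS query at all
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain
    if name == "a":                         # one A query
        return str(ip) in lookup("A", target, queries)
    if name == "mx":                        # MX query plus one A query per MX host
        return any(str(ip) in lookup("A", mx, queries)
                   for mx in lookup("MX", target, queries))
    if name == "ptr":                       # reverse query, then forward-confirm each name
        for host in lookup("PTR", str(ip), queries):
            in_domain = host == target or host.endswith("." + target)
            if in_domain and str(ip) in lookup("A", host, queries):
                return True
        return False
    if name == "include":                   # recurse into the other domain's record
        records = [r for r in lookup("TXT", arg, queries) if r.startswith("v=spf1")]
        return bool(records) and evaluate(records[0], ip, arg, queries) == "pass"
    raise ValueError(f"unsupported mechanism: {name}")


def evaluate(record, ip, domain, queries=None):
    """Evaluate an SPF record for sender `ip`; returns the SPF result string."""
    queries = [] if queries is None else queries
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:         # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in RESULT else "+"
        if matches(term.lstrip("+-~?"), ip, domain, queries):
            return RESULT[qualifier]
    return "neutral"                         # fell off the end without a match


def check(record, ip, domain="monstermmorpg.com"):
    """Return (result, number of DNS queries) for one record/sender pair."""
    queries = []
    result = evaluate(record, ip, domain, queries)
    return result, len(queries)


if __name__ == "__main__":
    own, spoof = "85.17.154.139", "198.51.100.7"   # spoof is a constructed TEST-NET-2 sender
    for rec in ("v=spf1 a mx ptr ~all", "v=spf1 a mx ~all", "v=spf1 a mx -all",
                "v=spf1 ip4:85.17.154.139 -all",
                "v=spf1 a mx include:secureserver.net -all"):
        print(f"{rec:45} own={check(rec, own)}  spoof={check(rec, spoof)}")
```

Running it shows the two points made in the thread: a spoofed sender gets "softfail" under "~all" but "fail" under "-all", and the "ip4" form answers with zero DNS queries while "a", "mx" and especially "ptr" each add queries that every receiving server has to make per message. The ptr branch also shows why RFC 4408 discourages it: the receiver must do a reverse lookup and then forward-confirm each returned name, so a sender with many or slow PTR results makes the check both expensive and unreliable.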
1

If you're not familiar with creating SPF records, I'd recommend a tool that does it for you based on a series of questions. For example, http://unlocktheinbox.com/spfwizard.aspx