
OK, so, I'm only so familiar with how the SPF system works, and my domain is being used to send all kinds of spam. Here is my current SPF record:

v=spf1 ip4:web.host.ip ip4:108.60.203.190 +a +mx +ip4:108.60.195.8 +domain1.com +domain2.com +ip4:my.ip.address include:outlook.com include:spf.messaging.microsoft.com ~all

This is what I want to accomplish: we have two domain names (domain1.com and domain2.com) that both point at our internal mail server (which I replaced with my.ip.address in the SPF record - we have a static IP). We also have a website that sends out emails periodically, and I have their IP address in it (which is the web.host.ip).

Our domain names both have two subdomains (sendmail and sendmail2) that are listed as the only MX records for each domain (So the MX flag there should only see sendmail.domain1.com and sendmail2.domain1.com) - there are no other MX records set up for each domain.

To be completely transparent, I'm not entirely sure what IP addresses 108.60.195.8 and 108.60.203.190 are - I thought they were related to Outlook (we had previously tried to set up Office 365 through our domain, but Microsoft wouldn't support it - hence the references to Microsoft). I have no problem removing them - I am only hesitating in case it's something I don't understand (it may also be related to our web host - I'm going to check with them prior to removing them).

And to be clear - we have no ties whatsoever to Microsoft, Outlook, or anything of that sort - our mail is 100% internal. So any references to Outlook or Microsoft's messaging domain can be removed. I just haven't yet. :(

Here's my issue - an external server (58.187.234.14) has been sending the spam using my domain, and my SPF record allows it (verified with this tool - http://vamsoft.com/support/tools/spf-policy-tester - and by examining the headers of a spam email I received from myself: SID:SenderIDStatus PermError;TIME:TimeBasedFeatures;OrigIP:58.187.234.14).

What do I need to change about my SPF to deny that request?

  • And if the answer is 'The SPF record has nothing to do with preventing this', that's fine. I am just under the impression that the issue is 'Another IP address is sending as my domain and email address, and my SPF record is saying "hey, sure, go ahead".' – Jon Eagleson Apr 10 '15 at 13:16

1 Answer


SPF specifies that at most 10 DNS resolutions should be made. So your SPF looks invalid. Remove extraneous portions - particularly that "include" - and test again. Many tools will give an SPF: pass (or SPF: none) when you have an invalid SPF record.

  • Had no idea that was a requirement! Going to mark as correct, given that simply removing the includes a) reduced the amount of domain checks my tool was having to make (that, apparently, was the source of the pass based on invalid SPF) and b) changed the result in my tool from a pass based on invalid SPF to a softfail, and denied that IP from sending. Going to have to see if my spam count reduces, but you were very helpful nonetheless. – Jon Eagleson Apr 10 '15 at 16:01
  • Glad to hear it! I was answering from a phone, so I gave a condensed answer; I just edited the answer to explain why I thought it would fix your problem. – Jon G - Megaphone Tech Apr 10 '15 at 17:04
  • Still having spam send out - getting email from myself! In case you're curious - seems IP addresses outside of the range I specified were still passing in the real world (but not in any tools I ran) due to the soft fail on the end - I changed it to a hard fail, we'll see how it does. – Jon Eagleson Apr 13 '15 at 12:20
  • Sorry, not passing - but spam is being 'discouraged' instead of 'thrown into a fire'. lol – Jon Eagleson Apr 13 '15 at 12:46