02 Dec

Messed up SPF record of mtsindia.in domain

Yesterday I called MTS Data Card support but their IVRS system was failing in giving me my balance details. Eventually I decided to email their support and glad to say support email was also easily available on their website.


Today I saw acknowledgement mail in spam. No big deal but I usually dig around genuine mails which go in spam to find exact cause. In this case I found mail was sent to me from  customercare.del@mtsindia.in and the server which relayed this mail was:

From email headers only one can tell main failure in mail:Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning customercare.del@mtsindia.in does not designate as permitted sender) smtp.mail=customercare.del@mtsindia.in  Thus clearly SPF failure. How?


Quick check on TXT record on root domain:

“v=spf1 a mx include:elabs5.com ~all” “v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ~all”


Here’s what’s wrong:

  1. Two v=spf1 in SPF isn’t really good. Very likely most of systems will hit for TXT record and will get any on random and eventually use it ignoring whitelisted IP’s in other completely.
  2. MTS missed to include the server which is placed on Tata Communications backbone in SPF record. Most of other IP’s mentioned in their SPF belong to Softlayer datacenter.
Hope someone from MTS will find this post and eventually work on fix! 🙂
05 Aug

More about SPF records

Hello all!

Few days back I visited Official Google Apps forum (one of my favorite places 🙂 ) and answered many questions. It was quite after some time i was there and found few cases/questions/problems as really interesting.

Here’s one of the questions asked there by a admin named aol985 about SPF records.

Question image

His question –

As described in http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786 , I set SPF record for mashfilm.ru domain to “v=spf1 include:aspmx.googlemail.com ~all”. But aspmx.googlemail.com currently does not resolves. Is it correct?

Nice one!

He is right on fact that aspmx.googlemail.com does NOT resolve. Ok why?

Thus no A record which means it won’t resolve, BUT one must remember that a zone can have many records working side by side offering their own feature, like – MX records can be there with/without A, same with txt records, and few other also.

Got it

Now observing the spf record by Google – “v=spf1 include:aspmx.googlemail.com ~all”

here include:aspmx.googlemail.com

means to include the spf record of aspmx.googlemail.com which makes sense as:

Now it means spf record for aspmx.googlemail.com is “v=spf1 redirect=_spf.google.com”

Now trying to understand _spf.google.com

underscore right in start makes it different from a sub-zone since it can’t be used as a domain but will still remain a working sub zone in terms of DNS.

So now since it can’t be used as a  sub domain i.e which can be used to be attached with web server and can supply pages via ftp, there is no meaning of A record for it here.

Checking txt string of _spf.google.com

And here we got it!

So much information in just one hostname!

so much

“v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ?all” is a part of SPF record which Google makes its Google Apps users to use.

Thus using

“v=spf1 include:aspmx.googlemail.com ~all” in spf tells that “this domain allows all of the server on this ip range – ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: as authorized to send email on behalf of that domain.


So that’s how spf works in this case. 🙂