Tag Archives: SPF

02 Dec

Messed up SPF record of mtsindia.in domain

Yesterday I called MTS Data Card support but their IVRS system was failing in giving me my balance details. Eventually I decided to email their support and glad to say support email was also easily available on their website.

 

Today I saw acknowledgement mail in spam. No big deal but I usually dig around genuine mails which go in spam to find exact cause. In this case I found mail was sent to me from  customercare.del@mtsindia.in and the server which relayed this mail was:

121.242.69.80 with rDNS pointer - mtsndmx1.mtsindia.in.

From email headers only one can tell main failure in mail:Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning customercare.del@mtsindia.in does not designate 121.242.69.80 as permitted sender) smtp.mail=customercare.del@mtsindia.in  Thus clearly SPF failure. How?

 

Quick check on TXT record on root domain:

“v=spf1 a mx include:elabs5.com ~all” “v=spf1 ip4:208.43.252.104 ip4:208.43.252.105 ip4:208.43.252.106 ip4:208.43.252.107 ip4:173.192.233.178/28 ip4:173.193.227.227/27 ~all”

 

Here’s what’s wrong:

  1. Two v=spf1 in SPF isn’t really good. Very likely most of systems will hit for TXT record and will get any on random and eventually use it ignoring whitelisted IP’s in other completely.
  2. MTS missed to include 121.242.69.80 the server which is placed on Tata Communications backbone in SPF record. Most of other IP’s mentioned in their SPF belong to Softlayer datacenter.
Hope someone from MTS will find this post and eventually work on fix! 🙂
05 Aug

More about SPF records

Hello all!

Few days back I visited Official Google Apps forum (one of my favorite places 🙂 ) and answered many questions. It was quite after some time i was there and found few cases/questions/problems as really interesting.
Here’s one of the questions asked there by a admin named aol985 about SPF records.

Question image

His question –

As described in http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786 , I set SPF record for mashfilm.ru domain to “v=spf1 include:aspmx.googlemail.com ~all”. But aspmx.googlemail.com currently does not resolves. Is it correct?

Nice one!
He is right on fact that aspmx.googlemail.com does NOT resolve. Ok why?

anurag@root]$ dig aspmx.googlemail.com a
; <<>> DiG 9.3.4-P1.1 <<>> aspmx.googlemail.com a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42050
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aspmx.googlemail.com.          IN      A
;; Query time: 100 msec
;; SERVER: 66.33.216.208#53(66.33.216.208)
;; WHEN: Wed Aug  5 02:48:00 2009
;; MSG SIZE  rcvd: 38
[anurag@root]$

Thus no A record which means it won’t resolve, BUT one must remember that a zone can have many records working side by side offering their own feature, like – MX records can be there with/without A, same with txt records, and few other also.

Got it

Now observing the spf record by Google – “v=spf1 include:aspmx.googlemail.com ~all”
here include:aspmx.googlemail.com
means to include the spf record of aspmx.googlemail.com which makes sense as:

[anurag@root]$ dig aspmx.googlemail.com txt
; <<>> DiG 9.3.4-P1.1 <<>> aspmx.googlemail.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30134
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;aspmx.googlemail.com.          IN      TXT
;; ANSWER SECTION:
aspmx.googlemail.com.   7178    IN      TXT     "v=spf1 redirect=_spf.google.com"
;; Query time: 14 msec
;; SERVER: 66.33.216.208#53(66.33.216.208)
;; WHEN: Wed Aug  5 02:54:02 2009
;; MSG SIZE  rcvd: 82
[anurag@root]$

Now it means spf record for aspmx.googlemail.com is “v=spf1 redirect=_spf.google.com”
Now trying to understand _spf.google.com
underscore right in start makes it different from a sub-zone since it can’t be used as a domain but will still remain a working sub zone in terms of DNS.
So now since it can’t be used as a  sub domain i.e which can be used to be attached with web server and can supply pages via ftp, there is no meaning of A record for it here.
Checking txt string of _spf.google.com

[anurag@root]$ dig _spf.google.com txt
; <<>> DiG 9.3.4-P1.1 <<>> _spf.google.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52983
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_spf.google.com.               IN      TXT
;; ANSWER SECTION:
_spf.google.com.        300     IN      TXT     "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
;; Query time: 29 msec
;; SERVER: 66.33.216.208#53(66.33.216.208)
;; WHEN: Wed Aug  5 02:57:26 2009
;; MSG SIZE  rcvd: 229
[anurag@root]$

And here we got it!

So much information in just one hostname!

so much
“v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all” is a part of SPF record which Google makes its Google Apps users to use.
Thus using
“v=spf1 include:aspmx.googlemail.com ~all” in spf tells that “this domain allows all of the server on this ip range – ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 as authorized to send email on behalf of that domain.
bye
So that’s how spf works in this case. 🙂
[ratings]