[Mailman-Users] SPF MAIL FROM check failed: [MAIL_FROM]

[Bill Cole]

On 9 May 2012, at 20:32, David wrote:

> On Wed, May 9, 2012 at 4:01 PM, David <dave at fiteyes.com> wrote:
>> Re: Giving away the secrets of 99.3% email delivery
>>
>> 1. Constantly monitor spam blacklists. We have a set of Nagios alerts
> that regularly check if we’re listed on any delivery blacklists, and
> whenever they go off we take whatever corrective action we need to get 
> back
> off the blacklist.
>> 2. Have valid SPF records. Don’t impersonate your users. When 
>> running a
> web app like Basecamp, which sends email that are generated by another
> user, it can be tempting to send the email from that user (e.g., so 
> that a
> comment I wrote on Basecamp would appear to come from noah at 
> 37signals dot
> com), which might make people feel more comfortable. Unfortunately, 
> this is
> a surefire way to end up on spam lists, since you’ll likely be 
> sending from
> an IP address that does not have the valid SPF records. And chances 
> are, if
> the user’s domain does have an SPF record, it doesn’t include your
> application’s IP.
>> 3. Sign the mail! DKIM and Domain Keys. Yahoo and Gmail both score 
>> signed
> email higher.
>> 4. Dedicated and conditioned email sending IPs.
>> 5. Configure reverse dns entries. Most of the “big boys” won’t 
>> accept
> mail from your servers if your reverse dns entries don’t match. You 
> might
> need your IP provider to help with setting up these records.
>> 6. Enroll in feedback loops. We haven’t automated our parsing of
> feedback, but a daily / weekly review of feedback loop emails helps us 
> know
> when there’s an unhappy user, or other problem. Too many complaints 
> and
> you’ve got trouble.

Something about how you are composing mail is resulting in an ugly mess 
on the receiving side, with your quoting completely broken. See above as 
an example. Perhaps sending as HTML and having it whacked by Mailman...


> I started by setting up an SPF record (#2 on the list above). However,
> shortly after setting it up, we got a bounce with this reason:
>
> SPF MAIL FROM check failed:  [MAIL_FROM]
>
> I searched a bit and came across things like this:
> http://comments.gmane.org/gmane.org.user-groups.linux.new-zealand.general/34245
> But nothing I found answered my questions.
>
> Looking at the headers of the bounced message, I note:
>
> Received-SPF: pass (domain of lists.example.com designates 10.10.10.99 
> as
> permitted sender)
> X-Originating-IP: [10.10.10.99]
>
> That would seem to indicate things are OK, but maybe X-Originating-IP 
> isn't
> the line I need to be looking at... I'm not sure what [MAIL_FROM] (in 
> the
> SPF check failed line) matches in the email header.

This is probably running off the topical edge of the Mailman-Users list, 
but I'll be brief.

Before publishing an SPF record, you should understand what SPF is and 
how it works. If you don't understand it, don't try to use it.

SPF is a weak but sometimes useful mechanism that allows a SMTP server 
to check whether a given SMTP envelope sender address (a.k.a. 
"Return-Path" or "MAIL_FROM" or "bounce address") should be trusted as 
valid when given by the particular IP address of an SMTP client, using 
DNS records. In most cases it is only applied to the domain part of an 
address.

There's not much else to say about your specific problem, since you seem 
to have obfuscated everything of significance about the specific message 
with a problem. For example, and most importantly, "lists.example.com" 
is bogus.

The SPF coherency to check is between the outbound IP address of 
whatever machine (at Yahoo??? ugh.) generated that bounce and the domain 
you've obfuscated as lists.example.com. Your SPF record(s) need to the 
reality of where mail systems to whom you are not known will be 
receiving your mail from, not the original source of your mail. So if 
you have made the inexplicable decision to route your mail out via 
Yahoo, you need to consult with Yahoo about how to set up your SPF 
record(s).

> Also, I note:
>
> X-YahooFilteredBulk: 10.10.10.99 <-- what does "X-YahooFilteredBulk" 
> mean?

Ask Yahoo. Any email header that starts with "X-" is non-standard and 
could mean anything or nothing.