Using SPF or not, and when and how


I already wrote about Sender Policy Framework (SPF) in two posts recently, but I feel that it might be helpful to write some more about it and the flaws one can find, or maybe some nice sites as well. We’ll see…

First of all, you should start by reading about SPF on the SPF site, and you shouldn’t miss the articles on Wikipedia. Once you’re generally informed about the pros and cons, you can start to think about it. Besides that, some of the major free-mail providers (e.g. Hotmail, GMail) are using SPF, and you can get into trouble if you don’t.

I figured that out myself when I created an email address that simply forwards mail to a Hotmail account. You get a bounce with the well-known error message:

Diagnostic-Code: X-Postfix; host mx4.hotmail.com[65.54.245.104] said:
550 SC-001 Mail rejected by Windows Live Hotmail for policy reasons. 
Reasons for rejection may be related to content with spam-like characteristics or
IP/domain reputation problems. If you are not an email/network admin please
contact your E-mail/Internet Service Provider for help. Email/network
admins, please visit http://postmaster.live.com for email delivery
information and support (in reply to MAIL FROM command)

So I started to investigate this problem a bit and started to look at the Postmaster site at Hotmail. I found it hard to find the right information there so I started to look at the SPF-Homepage and used the SPF wizard there.

I got the following very basic entry to add as a TXT record to my domain:

v=spf1 a mx ~all

This means according to the SPF Record syntax that:

  • all A records of the current domain are tested
  • all A records for all the MX records of the domain are tested
  • SoftFail for all other (means that the sender should be accepted, but marked

This setup works out fine for me now.

Recently I found the Microsoft Wizard for Sender ID, a different approach from Microsoft. If I use this wizard, I get a slightly different result:

v=spf1 a mx mx:maildefer.schnuckelig.eu mx:mailspool.schnuckelig.eu ~all

So what is the difference, if any? As far as I can tell there is no difference for my domain, but you can add additional servers with this syntax. mx:maildefer.schnuckelig.eu means that all A-records of the domain maildefer.schnuckelig.eu will be tested as well, which are in turn the same as the A-records of all MX-records.

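If you want to make the safe bet and do it the easy way, simply add the following record. Keep in mind that +all gives a Pass result to every sending host, so this record no longer restricts who may send mail for your domain: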

v=spf1 +all
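
An added example, not code from the original post: a minimal Python evaluator for the a, mx and all mechanisms used in the records above, run against constructed DNS data (the example.org names and documentation IP addresses are assumptions). It shows how the first matching term decides the result, and that a sender listed nowhere gets softfail under ~all but pass under +all.

```python
import ipaddress

# Constructed DNS data for illustration (documentation IP ranges, not real records).
DNS_A = {
    "example.org": ["192.0.2.10"],
    "mail.example.org": ["192.0.2.25"],
    "defer.example.org": ["192.0.2.26"],
}
DNS_MX = {
    "example.org": ["mail.example.org"],
    "maildefer.example.org": ["defer.example.org"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (result, mechanism, argument) terms."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for field in fields[1:]:
        qualifier = "+"  # a missing qualifier means "+" (pass)
        if field[0] in QUALIFIERS:
            qualifier, field = field[0], field[1:]
        mechanism, _, argument = field.partition(":")
        terms.append((QUALIFIERS[qualifier], mechanism.lower(), argument))
    return terms


def hosts_for(mechanism, domain):
    """IPs a mechanism authorizes: 'a' uses A records, 'mx' the A records of the MX hosts."""
    if mechanism == "a":
        return DNS_A.get(domain, [])
    if mechanism == "mx":
        return [ip for mx in DNS_MX.get(domain, []) for ip in DNS_A.get(mx, [])]
    raise ValueError(f"mechanism not covered by this example: {mechanism}")


def check_host(sender_ip, domain, record):
    """Return the result of the first matching term, left to right."""
    ip = ipaddress.ip_address(sender_ip)
    for result, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return result
        if ip in map(ipaddress.ip_address, hosts_for(mechanism, argument or domain)):
            return result
    return "neutral"  # no term matched
```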

My examples are probably not the best ones and this is far from complete, but they may give you some help dealing with the Hotmail SPF problem.

Worth mentioning is that my provider allows you to change your TXT records yourself.