• Gmail and SPF

    From Chris J Dixon@21:1/5 to All on Sat Oct 12 10:20:38 2024
    XPost: alt.usenet.offline-reader.forte-agent

    I use Forte Agent to send email, via Virgin's mail servers, with
    replies forwarded via my own domain email address.

    I have set up the Gmail app password, which has been working
    fine, but am now getting bounce messages like this:

    Action: failed
    Final-Recipient: xxxxxxxxxxxxxxxx
    Status: 5.0.0
    Remote-MTA: dns; gmail-smtp-in.l.google.com
    Diagnostic-Code: smtp; 550-5.7.26 Your email has been blocked because the sender is unauthenticated.
    550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
    550-5.7.26
    550-5.7.26 Authentication results:
    550-5.7.26 DKIM = did not pass
    550-5.7.26 SPF [cdixon.me.uk] with ip: [84.116.50.34] = did not pass
    550-5.7.26
    550-5.7.26 For instructions on setting up authentication, go to
    550 5.7.26 https://support.google.com/mail/answer/81126#authentication ffacd0b85a97d-37d4b989e98si2592841f8f.501 - gsmtp

    The IP address varies in different messages, all allocated by
    Virgin's mail server, and clearly not unique to me.

    I have read the various pages of instructions, including one on
    my host: <https://www.heartinternet.uk/support/article/how-do-i-add-spf-records-to-my-site.html>

    but find myself totally unable to understand exactly what to do.
    It also seems like trial and error is not a good way to go, if I
    correctly understand that updated entries can take up to 48 hours
    to propagate.

    If I send directly from Virgin's online mail page, there are no
    issues.

    Chris
    --
    Chris J Dixon Nottingham UK
    chris@cdixon.me.uk @ChrisJDixon1

    Plant amazing Acers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to Chris J Dixon on Sat Oct 12 10:40:15 2024
    XPost: alt.usenet.offline-reader.forte-agent

    Chris J Dixon wrote:

    > but find myself totally unable to understand exactly what to do.
    > It also seems like trial and error is not a good way to go, if I
    > correctly understand that updated entries can take up to 48 hours
    > to propagate.

    I remember other heart customers having similar issue (no SPF at all, or
    incorrect SPF) but can't remember if heart fixed it after a phone call,
    or the customers fixed it by leaving heart!

    In short what you need is that heart add an SPF record to the DNS for
    your cdixon.me.uk domain containing

    v=spf1 include:_spf.virginmedia.com ~all

    which tells other email servers "when you're checking if I'm legit,
    allow the servers that virgin nominate as valid" and "meh to anything
    else", but not actually "block anything else".

    If you use other email servers in addition to virgin's (e.g. your mobile provider when away from home) then they need to be included too.

  • From Andy Burns@21:1/5 to Chris J Dixon on Sat Oct 12 10:45:53 2024
    XPost: alt.usenet.offline-reader.forte-agent

    Chris J Dixon wrote:

    > I have read the various pages of instructions, including one on
    > my host:

    I don't use heart or virgin, so you may want to xpost to
    uk.tech.broadband in the hope you get replies from fellow customers who
    have been there and got the T-shirt.

  • From Theo@21:1/5 to Chris J Dixon on Sat Oct 12 11:48:07 2024
    XPost: alt.usenet.offline-reader.forte-agent

    In comp.misc Chris J Dixon <chris@cdixon.me.uk> wrote:
    > I use Forte Agent to send email, via Virgin's mail servers, with
    > replies forwarded via my own domain email address.
    >
    > I have set up the Gmail app password, which has been working
    > fine, but am now getting bounce messages like this:
    >
    > [...]
    > but find myself totally unable to understand exactly what to do.
    > It also seems like trial and error is not a good way to go, if I
    > correctly understand that updated entries can take up to 48 hours
    > to propagate.
    >
    > If I send directly from Virgin's online mail page, there are no
    > issues.

    The short answer is that any time you send a message as
    anything@yourdomain.com you need to send via the mail server run by the
    people who host your domain. They can ensure that your domain has a
    matching SPF record for their server.

    The longer answer is that it is technically possible to add an SPF record to your domain's DNS to indicate which server is a valid sender for anything@yourdomain.com. In an ideal world you'd add virgin's server and
    that would resolve the problem. However the IT of big companies is not
    simple, and as a general rule we couldn't guarantee how Virgin are going to route their email internally and where it will emerge. It is also liable to change without warning. So in practice this is just going to store up
    problems for the future.

    It used to be that you'd send email via the SMTP server of the network you were on (eg your ISP's server at home and your employer's at work), who had
    a whitelist based on IP addresses (all ISP customers could use their
    server). That doesn't work any more: if you have a domain the mail needs to
    go via the hoster for the domain so that it emerges matching the domain's
    SPF record. If you do use the 'wrong' server then it's highly likely the messages will be rejected as spam, as you are seeing.

    Theo

  • From Andy Burns@21:1/5 to Theo on Sat Oct 12 12:07:23 2024
    XPost: alt.usenet.offline-reader.forte-agent

    Theo wrote:

    > as a general rule we couldn't guarantee how Virgin are going to
    > route their email internally and where it will emerge. It is also
    > liable to change without warning. So in practice this is just going
    > to store up problems for the future.

    Certainly don't try to construct your own list of virgin servers, use
    the list they have constructed ... I have no idea how good virgin are at keeping their own servers in their SPF lists, or referring to anyone
    else's they outsource to, but right now _spf.virginmedia.com resolves to

    "v=spf1 include:_mailcloud.virginmedia.com
    include:_external.virginmedia.com include:_internal.virginmedia.com include:_spf.fireeyecloud.com ~all"

    which recursively resolves to

    "v=spf1 ip4:212.54.59.64/26 ip4:212.54.57.64/26 ip4:212.54.57.64/26 ip4:84.116.6.0/23 ip4:84.116.50.0/23 ~all"

    "v=spf1 ip4:78.33.8.111 ~all"

    "v=spf1 ip4:193.38.82.91 ip4:193.38.82.92 ~all"

    "v=spf1 ip4:34.223.9.0/24 ip4:34.223.11.128/25 ip4:34.223.12.0/25 ip4:38.27.116.128/27 ip4:165.254.91.16/28 ip4:38.27.116.96/27 ip4:165.254.91.96/27 ip4:149.13.95.32/27 ip4:154.57.155.16/28 ip4:100.25.99.0/25 ip4:100.24.127.128/25 ip4:3.122.63.0/24 ip4:52." "215.218.128/25 ip4:63.34.31.0/25 ip4:63.34.218.0/24 ip4:3.123.5.0/24 ip4:34.223.36.0/24 ip4:3.93.93.0/24 ip4:3.112.99.0/24 ip4:3.112.100.0/24 ip4:3.97.207.0/24 ip4:3.97.208.0/24 -all"

    Which does include the 84.116.50.34 address originally mentioned ...

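Added example (not part of any post in the thread): a minimal offline SPF evaluator for the `ip4`, `include` and `all` terms, showing why 84.116.50.34 passes once the suggested record exists and why the nested `-all` never reaches the outer result. The TXT table is constructed from the records quoted above; pairing each expanded record with an include name by posting order is an assumption, the last record is abbreviated to its first two ranges, and `check_host` is a hypothetical name.

```python
import ipaddress

# Constructed offline stand-in for DNS TXT lookups. Record text is copied from
# the thread; which expanded record belongs to which include name is assumed
# from the order they were posted, and the last record is abbreviated.
TXT = {
    "cdixon.me.uk": "v=spf1 include:_spf.virginmedia.com ~all",
    "_spf.virginmedia.com": "v=spf1 include:_mailcloud.virginmedia.com "
        "include:_external.virginmedia.com include:_internal.virginmedia.com "
        "include:_spf.fireeyecloud.com ~all",
    "_mailcloud.virginmedia.com": "v=spf1 ip4:212.54.59.64/26 ip4:212.54.57.64/26 "
        "ip4:212.54.57.64/26 ip4:84.116.6.0/23 ip4:84.116.50.0/23 ~all",
    "_external.virginmedia.com": "v=spf1 ip4:78.33.8.111 ~all",
    "_internal.virginmedia.com": "v=spf1 ip4:193.38.82.91 ip4:193.38.82.92 ~all",
    "_spf.fireeyecloud.com": "v=spf1 ip4:34.223.9.0/24 ip4:34.223.11.128/25 -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per check


def check_host(ip, domain, txt=TXT, budget=None):
    """Evaluate the ip4/include/all subset of SPF for `ip` against `domain`."""
    budget = [MAX_LOOKUPS] if budget is None else budget
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = QUALIFIER.get(term[0])
        mech = term[1:] if qual else term
        qual = qual or "pass"  # a mechanism with no qualifier means "+"
        if mech == "all":
            return qual
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return qual
        elif mech.startswith("include:"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            # include matches only when the nested check returns "pass"; a
            # nested ~all or -all never propagates to the outer record.
            inner = check_host(ip, mech[8:], txt, budget)
            if inner == "pass":
                return qual
            if inner in ("none", "permerror"):
                return "permerror"
    return "neutral"
```

With no TXT entry for cdixon.me.uk the result is "none"; an address outside every listed range (for instance the documentation address 192.0.2.10) gets "softfail" from the outer `~all`.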
  • From Chris J Dixon@21:1/5 to Andy Burns on Sun Oct 13 16:35:42 2024
    XPost: alt.usenet.offline-reader.forte-agent

    Andy Burns wrote:

    > Chris J Dixon wrote:
    >
    >> but find myself totally unable to understand exactly what to do.
    >> It also seems like trial and error is not a good way to go, if I
    >> correctly understand that updated entries can take up to 48 hours
    >> to propagate.
    >
    > I remember other heart customers having similar issue (no SPF at all, or
    > incorrect SPF) but can't remember if heart fixed it after a phone call,
    > or the customers fixed it by leaving heart!
    >
    > In short what you need is that heart add an SPF record to the DNS for
    > your cdixon.me.uk domain containing
    >
    > v=spf1 include:_spf.virginmedia.com ~all
    >
    > which tells other email servers "when you're checking if I'm legit,
    > allow the servers that virgin nominate as valid" and "meh to anything
    > else", but not actually "block anything else".

    Thanks very much Andy, that seems to have done the trick.

    Chris
    --
    Chris J Dixon Nottingham UK
    chris@cdixon.me.uk @ChrisJDixon1

    Plant amazing Acers.
