Monday, December 04, 2006

Email SPF Settings

Email, Publishing SPF settings. My education.
Today, I got lucky.

One of our homeschool moms noticed that she got some of our emails and not others. She called to inquire. She spoke to her husband (Tim), an IT guru. Tim got involved. (Thank you Tim). And now I am wiser about a problem that has haunted us for a while: why do some of our emails NOT get through?

Background - We send emails from three sources:
- Directly from our server (hosted elsewhere) using a mail program set up in our database
- From our computers in our office using Outlook. We send through Bellsouth email accounts with return addresses and "from" in Outlook set to: which are almost all sent from Bellsouth servers
- I sometimes use my Gmail account to send emails. It is sent to provide as the return address
- From Aweber, an ethical email marketing service that handles our marketing email

What I learned about spam filters and SPF published policies...

Modern sophisticated spam filters check the return address on an email and compare it with the server the email is coming from. Some spam filters stop there and reject all emails sent from a different server than the one listed in the from or reply field. More sophisticated spam filters then check any that don't match against the published SPF policy for that domain. A domain can publish a list of servers permitted to send using its return address. Each domain should publish a DNS policy that tells the world which servers are authorized to send email in its name. BTW, there is an authority site on SPF policy - The Sender Policy Framework - (note, these guys have an SPF wizard!)

How to check your SPF published policy?
- go to the command line (Start, Run, cmd, OK)
- type: nslookup
- type: set type=txt
- type domainname (
Of course, these directions are not that much help since if you need the directions, you'll also need help understanding the results....

My result is "v=spf1 ip4: -all" which apparently translates to "anybody hosted at webstream is entitled to send email as". This means that our mail sent from Bellsouth, Gmail, and Aweber is likely to get caught in spam filters and that anybody at webstream is free to spoof us.

What could/should we do?
- publish a new SPF policy allowing Bellsouth, Aweber, and our specific domain...
(does this happen through my registrar or hoster or elsewhere?)
- publish no policy allowing anyone to send in our name
- set up Outlook to be an "authenticated mail relay"
- set up our email system to actually send from

I'm not sure how to do any of these but next week, after some other transitions, we'll figure out how to do it.

Thanks again Tim. Glad your kids like our online homeschool service. If you have some good pictures of your kids, we could add them to Ed Mouse's site.
