Microsoft Fixes Hotmail Delivery Failures After Misconfigured SPF DNS (bleepingcomputer.com)

Friday Microsoft told Bleeping Computer "that they have fixed the issue and Hotmail should no longer fail SPF checks."

But earlier in the day the site reported that "Hotmail users worldwide have problems sending emails, with messages flagged as spam or not delivered after Microsoft misconfigured the domain's DNS SPF record." The email issues began late Thursday night, with users and admins reporting on Reddit, Twitter, and Microsoft forums that their Hotmail emails were failing due to SPF validation errors... The Sender Policy Framework (SPF) is an email security feature that reduces spam and prevents threat actors from spoofing domains in phishing attacks... When a mail server receives an email, it will verify that the hostname/IP address for the sending email servers is part of a domain's SPF record, and if it is, allows the email to be delivered as usual...

After analyzing what was causing email delivery errors, admins noted that Microsoft removed the 'include:spf.protection.outlook.com' record from hotmail.com's SPF record.

Thanks to long-time Slashdot reader Archangel Michael for sharing the news.
  • Unshocked at this.

    I get DMARC reports that show Microsoft sending emails to other Microsoft properties that fail SPF.

    I see DMARC reports of emails sent from Microsoft to Google that always have failures.

    • by Anonymous Coward

      I use Microsoft hosted email services, we get all kinds of things sent to Quarantine because SPF lookups failed (failed when Microsoft went to check the record). Whatever Microsoft is doing internally with DNS and SPF seems inefficient or under-provisioned.

  • by rossdee ( 243626 ) on Saturday August 19, 2023 @11:56AM (#63780168)

    what a surprise

    • what a surprise

      You'd be surprised how many old Hotmail accounts are still in operation. I've got one I use frequently. A lot of us got them before Microsoft bought Hotmail. Same thing with people that still have the AOL email address they had 25 years ago. It's the one they've always used. It's the one all of their contacts know. It's still working. Why change it?

  • by andi75 ( 84413 ) on Saturday August 19, 2023 @12:20PM (#63780212) Homepage

    SPF breaks e-mail forwarding, plain and simple. There are so many good reasons for e-mail forwarding, the decision to break it was mind-bogglingly stupid. Also, spammers have hundreds of ways to get around it (proven by how much spam that's still in our filters that passed SPF checks), so it's near to useless.

    Please please please don't set SPF hard fail policies for your domains!

    • If you rely on email FORWARDING to hide yourself, I can see where ALSO asking for SPF-validation will fail. The only SPF failures I've seen in 15 years or so involved people forwarding their forwarded email to a domain that has SPF-validation turned on, AND they forwarded mail from our SPF-bearing domains. These are usually Microsoft-based forwarders, but not entirely.

      Inbound, we don't exclude mail from non-compliant SPF domains. If they claim compliance, though, they better actually have it configured prop

      • by andi75 ( 84413 )

        Google has turned SPF validation on.

        Here's an example how this breaks forwarding:

        Let's say I create an e-mail address (let's call it family@mydomain) that is forwarded to multiple people, and one of them has a gmail account, all mail sent from domains with a hard fail policy to this address will bounce.

        The three people with an icloud address will get it (because icloud doesn't do SPF checks yet), but the fourth and fifth recipient with a gmail address will not get it, and the sender will receive two bounces

        • Yeah, I've been running into this lately with emails I send to my daughter's gmail account. I found a funny work-around, though - if I use Apple's "hide my email" feature, the mail goes through.

        • The problem with this approach is that by reflecting the incoming message to other addresses, you are re-sending it from a new server while still claiming the message originated from the original account/server.

          Obviously, this will fail SPF since the entire purpose of SPF is to designate which servers are allowed to claim sent messages are from a given domain.

          If you want to forward incoming messages to one or more other recipients, you need to generate a new message quoting the old one with the new origin

          • Well, except when that forwarding happens additional mail headers are added that indicate *exactly* what is being done and what new servers are involved - everything is documented and above-board. So I don't grok why Google decided to start rejecting mail on this basis.

            Plus, Gmail is rejecting these sorts of emails even when the originating SMTP server indicates the sender authenticated (username + password) with the server.

            Heck, even Gmail allows you to set up and use alternate email addresses from other d

        • by tlhIngan ( 30335 )

          Let's say I create an e-mail address (let's call it family@mydomain) that is forwarded to multiple people, and one of them has a gmail account, all mail sent from domains with a hard fail policy to this address will bounce.

          If you're smart enough to do that, you can set up a mailing list to do exactly the same thing. And really, it's not that hard. Your mailing list can even set a Reply-To: header that is the original sender so hitting reply will email them directly.

          And really, other than your example, most

    • by gweihir ( 88907 )

      I do not set SPF policies at all as it serves no sane purpose. This thing is a hack. The only reason I set up SPF in my DNS is that some relatives use Gmail. Gmail gives you a SPAM-bounce without SPF because the people there are morons that do not understand how email works. Had to get mail past their SPAM filter to actually get the SPF error and see what was going on. How stupid is that?

      At least I now know how to get email past that SPAM filter. And because these people at Google are assholes, here is the

  • Spammers everywhere now rest easier knowing that their urgent message from a Nigerian Prince went straight to your Inbox.

  • I don't know about Microsoft (don't know many people that use it), but inbound mail to GMail with missing/misconfigured SPF/DKIM/DMARC will bounce. But outbound mail from NigerianPrince12573@GMail.com will be passed. Because hey! He _SAID_ he was a Nigerian Prince when he applied for the Google account. Not sure what happens with intra GMail messages. I assume they are passed because otherwise why would a GMail address be of so much value to Bakare Tunde?

  • I couldn't figure out why I couldn't send mail to gmail. Poked at it for a while.

    Finally realized (from their bounce auto-response) that you needed to add "include:_spf.google.com" [no quotes] to an SPF TXT file.

    Yeah, just for gmail I had to modify DNS records on all my domains...

    • by gweihir ( 88907 )

      It is worse: I did run into that as well, but did I get an SPF error response? No, the fucking incompetent morons at Google gave me a SPAM reject! How stupid is that? I eventually figured out how to get email past their SPAM filter and only then did I get the SPF error. As soon as I had SPF set up, the spam reject vanished.

      Somebody there does not understand how email works and that person was put in charge of the tech-decisions. Yes, it is ok to have a failed SPF check as a score in the SPAM score. But you

  • Of course, almost everyone terminates their SPF record with "~all", instructing you to essentially ignore the whole thing.

    And then they go and have a mass mailing company send email on their behalf and wonder why it isn't getting through to people who actually strictly enforce SPF checks.

  • It seems they are more and more incapable of even getting simple things right. Incidentally, cannot wait to see when they lose their cloud master keys again.

  • One of the arguments that repeatedly comes up on this site and elsewhere is that you shouldn't set up your own mail server, as it is so hard to configure it properly to get past spam filters and blacklists.

    But if you can't trust the big players to handle this properly, that argument goes out of the window.

    I'd say you're better off with your own system, which you can control completely, than having to fight with a third party provider's irritating implementation decisions and STILL not having the peace of mi
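An added example, not part of the story or of any comment above: a minimal evaluator for the `ip4`, `include` and `all` mechanisms, showing why a record that loses its `include:` makes the provider's servers fail, and why a forwarder's address fails under `-all` but only softfails under `~all`. The domains, addresses and the `DNS_TXT` table are constructed for illustration and are not the real hotmail.com or outlook.com records.

```python
import ipaddress

# Constructed TXT records: example domains and RFC 5737 documentation ranges.
DNS_TXT = {
    "spf.provider.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example": "v=spf1 ip4:198.51.100.0/24 include:spf.provider.example -all",
    "broken.example": "v=spf1 ip4:198.51.100.0/24 -all",  # same record, include dropped
    "soft.example": "v=spf1 include:spf.provider.example ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt=DNS_TXT, depth=0):
    """Evaluate the ip4/include/all subset of SPF (RFC 7208) for one client IP."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # crude guard; RFC 7208 limits DNS-querying terms to 10 per check
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # the include target must publish a usable record
            matched = inner == "pass"  # only a pass from the target counts as a match
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    provider_ip, forwarder_ip = "192.0.2.10", "203.0.113.5"  # constructed addresses
    for domain in ("mail.example", "broken.example", "soft.example"):
        print(domain, "provider:", check_host(provider_ip, domain),
              "forwarder:", check_host(forwarder_ip, domain))
```

The forwarder rows correspond to the `family@mydomain` case in the thread: the receiving server sees the forwarder's address as the connecting client while the envelope sender is still in the original domain.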