Hi
starting 17Jan07, we started to get complaints from our
Surgemail users that email addressed to  hotmail.com or msn.com were being refused with the error
message "550 Command rejected for policy reasons"
(search the surgemail log admin page, msg.log)
It seems that Microsoft has tightened up its rules and now
enforces a strict interpretation of the TXT spf record. We
have used SPF records in the domains we host for a long time
and not had a problem before this past week.
The rejection seems to be because of the SPF of the
primary domain of the Surgemail server. We had been using a
range of IP addressses in the
TXT record, as in ip4:192.168.0.0/26. Microsoft now seems to
be checking every ip in that range for having a hostname in
the prinmary domain. We have differnet IP's for in and
outgoing mail, for bounce and blogs, etc., our mail IP were
scatterred in this IP-range and the "umbrella"
ip4: statement previously worked. We decided to move some
IP space around so we got everything into a /28 (16 IP's)
range and things now seem to be ok to send to MS mail
addresses. For the IP's we weren't currently using in that
range, we had to make dummy DNS host name records and
arpa/reverse entries.
BTW, a simpler approach might have been to name all the
specific mail IP we use in the SPF record, but we found out
that our DNS has a 255 character limit in the TXT value.
A very usful test of SPF rules is to send a test email to
auth-results <at> verifier.port25.com from the domains
you host on the Surgemail server.
Note that this was from trial and guess, not from an
official MS document, so this may not be applicable to
others. Hopefully this info will save someone some time.
Has anyone else has noticed a change and made a solution?
Larry
|