
Having trouble receiving emails sent from Business Catalyst? Learn about SPF (Sender Policy Framework) - Updated on 26.03.2013 after Business Catalyst March’s release.

Adobe Employee, Apr 17, 2012

What is SPF and how can I benefit from setting a proper SPF record?

SPF, also known as Sender Policy Framework, is a protocol that helps you control forged e-mail. SPF is not directly about stopping spam or junk email. It is about giving domain owners a way to say which mail sources are legitimate for their domain and which ones aren't. While not all spam is forged, virtually all forgeries are spam. SPF is not anti-spam in the same way that flour is not food: it is part of the solution.

If a domain publishes an SPF record, spammers and phishers are less likely to forge e-mails pretending to be from that domain, since the forged e-mails are more likely to be caught in spam filters which check the SPF record. Therefore, an SPF-protected domain is less attractive to spammers and phishers. Since an SPF-protected domain is less attractive as a spoofed address, it is less likely to be blacklisted by spam filters and so ultimately the legitimate e-mail from the domain is more likely to get through.

What does SPF actually DO?

Let's say a spammer forges a yahoo.com address and tries to spam you.

They connect from somewhere other than Yahoo.

When his message is sent, you see MAIL FROM: <forged_address@yahoo.com>, but you don't have to take his word for it. You can ask Yahoo if the IP address comes from their network.

(In this example) Yahoo publishes an SPF record. That record tells you (your computer) how to find out if the sending machine is allowed to send mail from Yahoo.

If Yahoo says they recognize the sending machine, it passes, and you can assume the sender is who they say they are. If the message fails SPF tests, it's a forgery. That's how you can tell it's probably a spammer.

I’m not a programmer, I don’t understand this, I just want my email delivered!

Believe us, we feel your pain and we are here to help you!

If you are choosing to host your domain with us, there is no need to do anything here. Based on our system architecture, we generate the SPF record so that it includes all the IPs from which emails for this domain are being sent, making sure that you will pass the SPF check.

Note: the From address should be set up to use the domain hosted with us.

If you are choosing to host the domain with an external provider, you may need to define it at their end.

Keep in mind that you need to define the SPF record for the domain that you are using as the From address - http://screencasteu.worldsecuresystems.com/Andrei/2012-04-18_0755.png for emails sent from Business Catalyst (e.g. workflow notifications, invoice emails etc.).

Now let's see how the SPF record is being defined by Business Catalyst.

We are defining the SPF record as follows:

"v=spf1 mx include:worldsecuresystems.com ~all"

What does this mean? The “mx” means to include the MX records as being legitimate IPs for sending emails. So if you are using external mail services, as long as emails are being sent through the MX IPs the record covers this. Next we are including the domain worldsecuresystems.com. When including a domain, the SPF record will take all data defined in the SPF record for the domain included (this is by design).

If you check the SPF record of worldsecuresystems.com you will see listed all the IPs from where we are sending emails using ours or OpenSRS’ (our mail service provider) mail servers.

The last part, ~all, is an operator stating that if the email is received from an IP that is not listed in the SPF record then the email should be discarded. The mail servers interpret this as a possible spammer and act accordingly.

If you want to include other IPs or subnets, all you have to do is include the following syntax:

ip4:XXX.XXX.XXX.XXX/YY where XXX.XXX.XXX.XXX is the IP from where you are sending emails and YY is the subnet. You can also include domains by using include:domain.com if you want to use the hostname of the mail servers instead of IPs, in case the IPs of the mail servers change periodically.

Here is how you need to define this record in BC if you want to add more IPs/domain - http://screencasteu.worldsecuresystems.com/Andrei/2013-03-26_1723.png

Note: The comments added prior to 26.03.2013 might contain obsolete information.

Contributor, Jul 28, 2012

Hi Andrei,

Thanks for the tut. So just to confirm, these IPs you've provided above: are they all the IPs that BC uses when sending mail through the system?

Whether it be a workflow, autoresponder or email campaign. We can just use these values when mail records are externally hosted? I just don't recognise any of these IPs.

What about domain name? Will include:worldsecuresystems.com include:businesscatalyst.com not work? Or doesn't the mail originate from these? What about mx.worldsecuresystems.com.cust.b.hostedemail.com? Is this also included?

Adobe Employee, Jul 31, 2012

Hi Gary,

All the IPs listed above are IPs from where emails are being sent from either Business Catalyst or OpenSRS (our mail service provider) mail servers.

However when you build a web site in Business Catalyst it's important to know what data center you chose to host your site.

You can find below a list with all the mail servers from where email such as workflow notifications, auto-responders, email marketing campaigns, invoices etc. are being sent, based on each data center:

Australia data center - relay-syd.worldsecuresystems.com - 202.176.14.133

United States data center - relay-nj.worldsecuresystems.com - 192.150.2.139

European data center - relay-dub.worldsecuresystems.com - 193.104.215.21

So as you can see in the document from above we include all those IPs in the subnets: 192.150.2.0/24, 202.176.14.128/28 and 193.104.215.21.

However as you may notice there are two other IPs: 64.98.42.0/24 and 64.8.36.17. Those IPs belong to our mail service provider (OpenSRS). Emails are sent from those IPs if you are using our mail services.

Now if you want to use external DNS services you may need to include the IPs or the hostnames in the SPF record.

Please note that this should be done ONLY if you are using in our platform a from address that has the domain set up externally for sending system emails (workflow notifications, invoices etc.) or campaigns using your name through our mail servers. For instance if I have the domain exampledomain.com hosted externally but added to Business Catalyst site then if I want that all the invoice emails sent to my customers to be sent from "John Smith john@exampledomain.com" the mail servers will check if the domain exampledomain.com has any SPF records defined and if it does it will try to search if the IP from where the email was sent is listed there so it can apply a score.

Now you are right when you say that you can use something like include:worldsecuresystems.com and you can avoid putting all those IPs. This is because by including this domain you basically include all the IPs from where all emails are being sent (notice that all the hostnames are something like relay-dcname.worldsecuresystems.com). Also here you may need to add the host names or the IPs of your mail service provider to make sure that emails reach your customers’ inboxes.

I hope the above provides some clarity to the current situation for you.

Andrei Duca

Community Beginner, Aug 07, 2012

Hi Andrei,

I wonder if you can help with the problem I am currently having.

I have designed a website for my client; the web address is www.retailsystemspl.com.au. On my advice they are using Adobe hosting and we have configured 1 email address through that hosting.

The client already has their internal emails set up under a different domain name <person>@retsys.com.au.

After using the website for a few weeks they now want to use the marketing section; as their email domain name is recognised in their industry, they want it to look like it came from their email address.

When you go into the marketing section and create a new marketing piece you get the option to verify an email address, yet any verification email that I try to send through does not reach the email address.

Can you please help or advise how to solve this. I have already edited their Exchange settings to allow spoofed emails but to stamp with known details, yet the emails still do not get through.

Cheers

Duncan

Adobe Employee, Aug 07, 2012

Hi Duncan,

The reason why you are not receiving the email verification for any of the email addresses @retsys.com.au is because this domain has the MX record provided by dyndns.org (retailwa.dyndns.org).

This means that this domain uses dynamic DNS for mail services.

Dynamic DNS is a type of DNS service that allows for automated changes to the DNS configuration. It is typically used to dynamically and rapidly change the IP address resolution for a domain name.

Dynamic DNS is a risk to the corporate environment because it is frequently used by malware and botnets to obscure their activity and prevent blocking of malicious sites. For this reason the Adobe IT Security team blocks access to known Dynamic DNS servers that host malware.

Unfortunately there isn't much you can do here except the fact that you can contact your customer and ask him to change the MX record for this domain to use one that is not using dynamic DNS.

At least he can change this to receive the email verification and set up the email address as a legitimate one.

I hope this helps!

Andrei

Community Beginner, Aug 07, 2012

Thanks for the info Andrei.

New Here, Aug 07, 2012

Hey Everyone,

Thanks for the discussion about this - I'm looking to add spf for all my sites, which all use Google Apps email, and all domains are hosted at external registrars.  First time I'm setting up these records - if anyone has done the same, can someone confirm that the way to do this is to create a spf record in the "Enter Outsource Domains" , and that record should be:

"v=spf1 mx ip4:192.150.2.0/24 ip4:192.150.8.0/24 ip4:202.176.14.128/28 ip4:193.104.215.21 ip4:64.98.42.0/24 ip4:64.8.36.17 ~all" ? 

(Godaddy example here: http://screencast.com/t/7K9CuM9e9ZBT)

Thanks,

Mark


Adobe Employee, Aug 16, 2012

Hi Mark,

Sorry for the late reply here.

I've checked the documentation offered by GoDaddy and, based on the information presented here - http://support.godaddy.com/help/article/5783/creating-an-spf-record-for-your-google-apps-domain-name and on the fact that you are using Google mail services, what you have to put in the "Enter Outsourced Domains (one per line)" is as follows:

ip4:192.150.2.0/24

ip4:192.150.8.0/24

ip4:202.176.14.128/28

ip4:193.104.215.21

_spf.google.com

Now the output should be something like:

v=spf1 ip4:192.150.2.0/24 ip4:192.150.8.0/24 ip4:202.176.14.128/28 ip4:193.104.215.21 include:_spf.google.com ~all

If it is not, you can try putting all of this on one line like this:

ip4:192.150.2.0/24 ip4:192.150.8.0/24 ip4:202.176.14.128/28 ip4:193.104.215.21 include:_spf.google.com

and see what is the output.

I hope this helps!

Andrei Duca

New Here, Jan 30, 2013

Hi Andrei

Thanks for this, this information is key because a lot of emails are not inboxing.

Could you please confirm the AU IP address.  In your update comment and original post the IP changes.

Australia data center - relay-syd.worldsecuresystems.com - 202.176.14.133

United States data center - relay-nj.worldsecuresystems.com - 192.150.2.139

European data center - relay-dub.worldsecuresystems.com - 193.104.215.21

So as you can see in the document from above we include all those IPs in the subnets: 192.150.2.0/24, 202.176.14.128/28 and 193.104.215.21

Here- AU IP address changes: 202.176.14.133 and 202.176.14.128.  Which is correct?  Or does 202.176.14.128/28 effectively include .133 IP?

Also, are there any Domain Key or DKIM settings that need to be included in external DNS?  I have added this for Google Apps email.

Thanks

Adobe Employee, Jan 31, 2013

Hi Alastair,

The IP 202.176.14.133 is included in the subnet 202.176.14.128/28 so you can use either the IP or the subnet when setting up the SPF record.

As for the DKIM record, this is something that needs to be set up at your DNS service provider. You need to generate the record from Google and add it as a TXT record at your hosting provider.

For more details please have a look at these articles - http://support.google.com/a/bin/answer.py?hl=en&answer=174124 and http://support.google.com/a/bin/answer.py?hl=en&answer=173535

I hope this helps!

Andrei Duca
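
The check a receiving server performs, as described in the opening post, together with the /28 question answered just above, as an added example (not code from Business Catalyst or from any poster): a simplified SPF evaluator run over constructed DNS data instead of live lookups. The ip4 ranges are the ones quoted in this thread; the record bodies, the MX host `mail.exampledomain.com` and its address, the `spf-type-only.test` domain and all function names are assumptions, and only the `ip4`, `mx`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data standing in for live lookups, keyed by (name, rrtype).
# The ip4 ranges are those quoted in this thread; everything else is made up.
DNS = {
    ("exampledomain.com", "TXT"): ["v=spf1 mx include:worldsecuresystems.com ~all"],
    ("exampledomain.com", "MX"): ["mail.exampledomain.com"],
    ("mail.exampledomain.com", "A"): ["198.51.100.25"],
    ("worldsecuresystems.com", "TXT"): [
        "v=spf1 ip4:192.150.2.0/24 ip4:202.176.14.128/28 ip4:193.104.215.21 "
        "ip4:64.98.42.0/24 ip4:64.8.36.17 ~all"
    ],
    # Published only under the old SPF RR type: a TXT-only (RFC 7208) verifier sees nothing.
    ("spf-type-only.test", "SPF"): ["v=spf1 mx ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10  # RFC 7208 cap on terms that cause DNS lookups

class PermError(Exception):
    """The published record cannot be evaluated."""

def check_host(addr, domain, budget):
    """Evaluate domain's SPF record for sender addr (ip4, mx, include, all)."""
    records = [r for r in DNS.get((domain, "TXT"), [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        raise PermError("more than one SPF record")
    for term in records[0].split()[1:]:
        qualifier = "+"  # a bare mechanism means "+": pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                raise PermError("too many DNS lookups")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = DNS.get((arg or domain, "MX"), [])
            matched = any(str(addr) in DNS.get((h, "A"), []) for h in hosts)
        elif name == "include":
            inner = check_host(addr, arg, budget)
            if inner == "none":
                raise PermError("include target has no SPF record")
            matched = inner == "pass"  # only a pass inside the include matches
        else:
            raise PermError("unsupported term: " + term)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def spf_result(ip, domain):
    """SPF result for a message from ip with MAIL FROM at domain."""
    try:
        return check_host(ipaddress.ip_address(ip), domain, [MAX_DNS_TERMS])
    except (PermError, ValueError):  # ValueError: malformed address or ip4 range
        return "permerror"

if __name__ == "__main__":
    for ip in ("202.176.14.133", "198.51.100.25", "202.176.14.144"):
        print(ip, spf_result(ip, "exampledomain.com"))
```

202.176.14.144 is the first address past 202.176.14.128/28, which spans .128 to .143, so it falls through to `~all`.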

New Here, Feb 04, 2013

Hi, I am very new to the web-building game. Here's the situation in a nutshell and why I arrived at this help area:

-Bought a domain (nightdrivemusic.com)

-Forwarded my emails through that domain to be received and sent through my gmail account.

So far so good, everything working fine....

-Created a very basic site w Muse.

-Published site, changed nameservers and connected businesscatalyst site with my domain address.

-Domain connected successfully and can be seen by visiting that domain address.

-However, now emails sent through the nightdrivemusic.com domain are rejected and sent back instead of being forwarded to gmail, they are never received by my gmail account.

I've been reading and reading because I'd prefer not to have to ask for assistance, but I cannot figure this one out. There are just too many variables that I do not understand.

Please let me know if there is any additional info you need to help me resolve this issue, or point me in the direction where I can solve it myself. Thank you!

Adobe Employee, Feb 07, 2013

Hi Laurie,

Thank you for your post!

I've checked the DNS settings for the domain provided and it seems that at this stage you are using Godaddy hosting services.

Since they are the hosting provider they are responsible for the DNS services Laurie. For instance at them you have set up the MX record to point to Google so all the emails are being routed to them.

Now I can see that you have added the domain to us and set it up to use our hosting services - http://screencast.com/t/yMBLUsM8M. In this case if you want to use our hosting services you need to redelegate the domain from Godaddy as explained in this forum post - http://forums.adobe.com/docs/DOC-1741

The site that you created is using the WebBasic plan. This plan doesn't include our mail services besides the hosting, so you can set up on our end to use Google as mail service provider as you have done at Godaddy. In order to do this you need to remove the current MX record - http://screencast.com/t/7s2F1gjZr and from More Actions -> New MX Record select 'Use your Google Apps account for email' - http://screencast.com/t/jdtIZSGu28lg

Please let me know if this helped solve your issue.

Thanks,

Andrei Duca

Community Beginner, Feb 20, 2013

Can you please confirm that if the domain is hosted with you but the email is hosted externally that the autogenerated SPF file on the BC server is valid, even with the external email? Thanks.

Adobe Employee, Feb 21, 2013

Hi,

The SPF record is added by default for all sites that are using our hosting services. No matter if you are using our mail services or external ones, in the SPF record we will include by default the MX record as legitimate sender.

However, if you are sending emails using other IPs, then these should be added manually as mentioned above.

I hope this is clear and helps!

Andrei

Explorer, Jul 06, 2013

Hi Andrei,

For someone like me who will just copy/paste as told bc I don't fully understand this but want my client's mail to work securely, can you tell me if I have to worry if this google tool tells me the SPF isn't quite up to Gmail standards?

https://toolbox.googleapps.com/apps/checkmx/

See my results attached: opbarks_toolbox-googleapps-com-apps-checkmx.png

I am using Business Catalyst to host a client's site. I added MX Records to push their mail through to Google Apps Gmail.

I tried adding the SPF that Google recommends (v=spf1 include:_spf.google.com ~all) to Business Catalyst and then BC spit it out as:

opbarks.com IN SPF 86400 "v=spf1 mx include:worldsecuresystems.com  include:_spf.google.com  ~all"

The Google Toolbox checker tool didn't think that passed the test either.

Should I worry about any of this? Do I even need the SPF record added to BC?

Or do I have to work on the Gmail side and "Authenticate email with a domain key" before doing SPF?

Thanks,

Janine

P.S. I'm not having delivery issues at the moment but don't want the client to have any in the future.

New Here, Jul 06, 2013

I'm also having this same problem, and have had clients reporting delivery issues - Godaddy is not accepting emails from Google apps with my current setup.

Could someone who understands this well put up a sample spf record that includes google apps?  That would really be helpful -

Thanks,

Mark

New Here, Jul 09, 2013

Andrei,

I'm having an issue with the domain name and setting up emails. I added the domain name after I redelegated the name to BC. I set the email settings to use BC service. It returned an error stating it could not add the specific information for the MX records. But it showed the listing under the MX records. When I went to the Email settings, it stated that I was using an external provider for email and change my settings. I go back... it's set for BC services. Then I edited the MX and changed it to use Google email. That loaded. Then I switched it back to using BC services for email. Now it listed the MX records having BC services AND Google email services. So at the instruction of a BC Chat Support rep, I deleted everything (domain included). It stated it was removing all records completely.

But when I look at it now, the domain name is gone but all the MX records are still there — and it will not delete any of them.

The same holds true for the Advanced DNS settings for Google.

What can I do to correct this!?

See screen shot.

ScreenShot.jpeg

Participant, Sep 29, 2013

Andrei, I am having trouble with o365 and getting email campaign to arrive with going straight to spam.

Now I have seen on the o365 community it says that the SPF record needs to be changed to a TXT record in BC, else o365 does not recognise it and hence mail goes straight to spam. http://community.office365.com/en-us/forums/156/p/169356/490846.aspx

Type: TXT

TXT Name: @

TXT Value: v=spf1 include:spf.protection.outlook.com -all

TTL: 1 Hour

Now it seems that this has to be done by BC engineers. Is there another way, as I have 2 sites and a 3rd on its way that need this done to them. I would like the email campaigns to go out with the best possible chance they go to the mailbox intended and not to spam. And this does not seem to be happening. At least without the alteration I have explained above.

Can you please help.
