Server emails failing SPF

zombie

Member
(Emails generated by logwatch, cpanel etc; not emails sent from my site's forms) are failing SPF.

In cPanel -> Email Authentication -> Additional Hosts that send mail for your domains (A):
I've added "host.[mysite].com"

Yet, in hotmail the emails are still junked:
Authentication-Results: hotmail.com; spf=none (sender IP is 67.222.x.x) smtp.mailfrom=[login]@host.[mysite].com; dkim=none header.d=[mysite].com; x-hmca=none header.id=[user]@[mysite].com
X-SID-PRA: [user]@[mysite].com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
As well, this is ticked:
All Entry (ALL):

What am I missing, to get my server-generated messages passing SPF?
 

Dave G

Member
After my move I ended up disabling/removing all the SPF and DKIM info in each account's cPanel and then re-enabling it; it would seem the IP address was never changed on transfer in this area. Also check your DNS zone files for leftovers from HG.
Dave G
 

zombie

Member
Looks like there was an issue with the domainkeys!

I disabled & reset both Domainkeys & spf, both say (in cpanel):
Status: Enabled & Active (DNS Check Passed)

When I test on: http://domainkeys.sourceforge.net/policycheck.html it says no TXT found, but it also says the same for knownhost.com.
Any validator I tried said no domainkeys found. Any way to check?
 

Dan

Moderator
Zombie,

To be honest I'm not surprised that you're having trouble getting emails to Hotmail. A couple of years back it was really really hard to get ANY mail into an inbox with them and, to be honest, I simply gave up trying. I haven't heard anything from any clients or anything in a long time now though so perhaps they have sort of 'fixed' whatever issue they were having that made it so difficult.

Domain keys and SPF are in the DNS and so the rules of propagation will unfortunately apply which COULD be the problem now. It could take anywhere from one to three days for the new information to propagate.

I have never needed to add SPF or DKIM to my host's DNS record but I use Gmail here not Hotmail. I do have them in for all of my domains though.

This is what one of my SPF strings looks like: "v=spf1 mx a ip4:<IP#> ~all"
And a DKIM string: "k=rsa; p=<rediculouslylongstringhere>;"

Pay attention to the quotes and also to the semicolon at the end of the DKIM string.
 

zombie

Member
I'm a bit daft with Domain Keys & SPF, do these have to propagate like DNS? The DNS for my site has long updated (I moved it to KH on Friday)

Dan, I believe the ~all may be part of your problem with hotmail, if I recall correctly. Tick this option in cpanel:
All Entry (ALL):
If you are sure you have entered all hosts (your primary mail exchanger and any other mx entries are automatically included) that will send mail for your domain, check this box to exclude all other domains.
That would make it -all. Here is my SPF:
v=spf1 +a +mx +ip4:67.222.x.x +a:host.[mysite].com +ip4:67.222.x.x -all
- yours should have the google info in there, obviously.

It is my understanding that -all is a hard block of any other domains.

I actually have a decent delivery rate with hotmail! It's Gmail that is the biggest pain in my butt.

Make sure you've filled these out:
Junk Mail Reporting Partner Program
  • A free service to provide reports on junk email issues reported by Outlook users
  • Returns the full message with headers of any email marked as “junk” or “phishing”
  • Provides senders an opportunity to clean their email lists and improve the quality of their content
  • Helps identify potential problems with your marketing practices and content
  • Helps improve sender reputation by removing unwanted subscribers from lists
  • Enroll at https://support.msn.com/eform.aspx?productKey=edfsjmrpp&ct=eformts and typically start receiving feedback within as little as 72 hours.
Sender ID:
  • A simple authentication technology that has been adopted by thousands of organizations worldwide
  • Leverages SPF records which have been published by over 10 million domains in the world
  • Helps improve deliverability by verifying your identity and the IPs which send mail from your authenticated domain
  • Help prevent spammers and phishers from sending email from your domains
  • Learn more at http://g.live.com/9wc9en-us/senderid
Once I did both of these forms, my success rate with getting messages through greatly increased.

When you test, send yourself a legit email like "testing the spf of the site" and make sure you've got a subject & body. I find that when sending "test" messages with nothing other than test in the body or subject, they end up in the junk folder.


And last night, when I disabled DKIM to re-enable it, an old username I hadn't used in years (on this server) had wedged itself into this site's DKIM! No clue how that happened, but I manually deleted it via SSH and then re-enabled DKIM via cpanel. Seems to be OK now, except I can't seem to test it.
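Added example (not part of the thread and not cPanel's code): a small SPF evaluator, limited to the ip4, a and all mechanisms, showing that the policy lookup is made at the smtp.mailfrom domain itself, so a record on the parent domain still yields spf=none for a sender at the host subdomain, and how -all and ~all differ for an unlisted IP. The domain example.test, the addresses and the SPF_ZONE table are constructed.

```python
import ipaddress

# Constructed DNS data: example.test and the 192.0.2.x addresses are placeholders.
SPF_ZONE = {
    ("example.test", "TXT"): ["v=spf1 +a +ip4:192.0.2.10 +a:host.example.test -all"],
    ("example.test", "A"): ["192.0.2.10"],
    ("host.example.test", "A"): ["192.0.2.20"],  # no TXT record at this name
    ("soft.example.test", "TXT"): ["v=spf1 a ~all"],
    ("soft.example.test", "A"): ["192.0.2.30"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(sender_ip, mail_from, zone=SPF_ZONE):
    """Evaluate SPF for the envelope sender (smtp.mailfrom).

    RFC 7208 subset: only ip4, a and all are handled; any other term
    is reported as permerror by this sketch.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    records = [t for t in zone.get((domain, "TXT"), [])
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"       # nothing published at this exact name; parents are not consulted
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # "+" is the default
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # "a" alone means the A records of the domain being checked
            matched = sender_ip in zone.get((arg.lower() or domain, "A"), [])
        else:
            return "permerror"
        if matched:
            return RESULTS[qualifier]
    return "neutral"        # no mechanism matched and there was no "all"
```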
 

Dan

Moderator
Hi zombie,

Yeah I went with the soft-fail (~all) because you just never know. People send email from all over the place like their mobile phones and that can really screw things up sometimes if you do a hard-fail.

In regards to SPF and DKIM having to follow propagation rules I don't see why it wouldn't since they go into the DNS zone for the domain. So if you send an email and the SPF gets tested by a server that still has the old DNS information for your domain it would still fail but once it updates its cache it would pass. Although I would think it would be ok by now.

So if you examine the header of an email sent you don't see DKIM in it? Interesting, I just looked at one sent to me by one of my other users and I don't see it in there either but I do when I send from a Google apps email address. Almost seems like DKIM isn't working!
 

zombie

Member
> Yeah I went with the soft-fail (~all) because you just never know. People send email from all over the place like their mobile phones and that can really screw things up sometimes if you do a hard-fail.
I had always wondered its purpose, good to know!!

I still can't verify domainkeys here: http://domainkeys.sourceforge.net/policycheck.html
Dan, does your domain validate on there?

> So if you examine the header of an email sent you don't see DKIM in it?
When I view the headers in hotmail:
dkim=pass
 

Dan

Moderator
Nope, it doesn't show any of them as passing. cPanel adds it as 'default._domainkey' rather than '_domainkey' which it seems to be looking for. Wonder if that could be why?

Well if it says dkim=pass then it would seem that it has passed the dkim test. At least that's what I would think...
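Added example (not part of the thread and not cPanel's code): how a DKIM verifier derives the DNS name it queries from the s= (selector) and d= tags of the DKIM-Signature header, which is why a key stored under 'default._domainkey' is found by a receiver but not by a lookup of the bare '_domainkey' name, plus a basic sanity check of the key record. The signature, domain, selector and key bytes are constructed placeholders.

```python
import base64
import binascii

# Constructed data: example.test, the selector and the key bytes are placeholders.
SAMPLE_SIG = "v=1; a=rsa-sha256; d=example.test; s=default; h=from:to:subject; bh=AAAA; b=BBBB"
DKIM_ZONE = {
    "default._domainkey.example.test":
        "k=rsa; p=" + base64.b64encode(b"constructed, not a real key").decode() + ";",
}

def parse_tags(value):
    """Split the 'tag=value; tag=value' list used by DKIM-Signature and key records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # folding whitespace is not significant
    return tags

def key_query_name(dkim_signature):
    """DNS name a verifier queries: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def key_record_problems(txt):
    """Return a list of problems found in a DKIM key TXT record (empty list = looks sane)."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type")
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif tags["p"] == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems

def find_key(dkim_signature, zone=DKIM_ZONE):
    """Return (query name, problems), or (query name, None) if no record exists there."""
    name = key_query_name(dkim_signature)
    txt = zone.get(name)
    return name, (None if txt is None else key_record_problems(txt))
```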
 

zombie

Member
Strange. Even the sites that have you send an email to a randomly-generated address are reporting failures, too.
Doesn't seem to bother hotmail, irregardless.
 