Sunday, March 31, 2013

GoDaddy SPF smtp.secureserver.net record problem.

Problem: Quick Shopping Cart email notices are rejected as SPAM. Adding "include:smtp.secureserver.net" to the SPF (Sender Policy Framework) record may not resolve the rejection, because smtp.secureserver.net itself fails SPF validation.
Ex: v=spf1 include:spf.intermedia.net include:smtp.secureserver.net ~all

Workaround: use "include:spf100.secureserver.net include:spf200.secureserver.net" instead.
Ex: v=spf1 include:spf.intermedia.net include:spf100.secureserver.net include:spf200.secureserver.net ~all

Explanation:
Recently, I ran into a problem where generated email notifications from a GoDaddy Quick Shopping Cart started getting rejected by a site hosted on Intermedia.net (ex: websitehost.com). The Intermedia spam filter was deleting the message based on SPF_SOFTFAIL and SPF_HELO_SOFTFAIL. In my case, the Intermedia site had Basic Spam Filtering set to automatically delete any message that scored above 3 in SpamAssassin.

To understand what was going on, I changed the Intermedia Spam setting to "deliver and mark as [SPAM]". In the GoDaddy Quick Shopping Cart, there is a page in the dashboard for Notifications which allows you to "verify" the email addresses by sending a test message.

Test Case 1 (websitehost): send a generated email message from GoDaddy Quick Shopping Cart (secureserver.net) where from:admin@websitehost.com, to:orders@websitehost.com.
Result: message was marked as [SPAM] based on SPF_SOFTFAIL and SPF_HELO_SOFTFAIL. (View the email header to see the SpamAssassin score contributed by the soft fails.)

Test Case 2 (gmail): send a generated email message from secureserver.net where from:admin@websitehost.com, to:test@gmail.com.
Result: message received, but the email header shows the SPF_SOFTFAIL warning.

The SOFTFAIL occurs because, from the perspective of the server receiving mail for websitehost.com, the email appears to be spoofed: secureserver.net is sending an email whose From address is at websitehost.com, and nothing in websitehost.com's SPF record authorizes secureserver.net to do so.

To allow GoDaddy's mail server (or another mail server) to send messages on behalf of websitehost.com the normal procedure is to update the SPF record for websitehost.com in the DNS settings of Intermedia. By updating the SPF record, you are specifying which mail servers can send email on behalf of websitehost.com. In our case, we want to allow the GoDaddy mail server (secureserver.net) to send email that appears to be from admin@websitehost.com.

My first attempt was to add "include:smtp.secureserver.net" to the SPF record. So, the whole SPF record on Intermedia looked like:
v=spf1 include:spf.intermedia.net include:smtp.secureserver.net ~all

I repeated the tests: websitehost still failed, but the gmail test showed a change.

Test Case 1 (websitehost): send a generated email message from GoDaddy Quick Shopping Cart (secureserver.net) where from:admin@websitehost.com, to:orders@websitehost.com.
Result: message was still marked as [SPAM] based on SPF_SOFTFAIL and SPF_HELO_SOFTFAIL. (View the email header to see the SpamAssassin score contributed by the soft fails.)

Test Case 2 (gmail): send a generated email message from secureserver.net where from:admin@websitehost.com, to:test@gmail.com.
Result: message received, and the email header shows that the SPF_SOFTFAIL warning is gone and there is an SPF PASS.

So, what's going on here? Gmail is showing SPF PASS, but Intermedia is still showing SPF SOFTFAIL.

I believe smtp.secureserver.net is not entirely valid.

Using Kitterman's SPF validation tool, http://www.kitterman.com/spf/validate.html, we can see a couple of problems with smtp.secureserver.net:
- it has a TXT record, but no SPF-type record (the TXT record is include:spf.secureserver.net)
- it requires too many DNS lookups

Gmail seems to tolerate this and parses smtp.secureserver.net, while Intermedia does not.

To get something that Intermedia can parse, I used the same tool to look at spf.secureserver.net. It includes spf100.secureserver.net and spf200.secureserver.net. I tried using "include:spf.secureserver.net" instead of "include:smtp.secureserver.net" and had the same results. Then I tested spf100.secureserver.net using the Kitterman tool -- it passed validation. spf200.secureserver.net also passed.

So, I changed the SPF record to: v=spf1 include:spf.intermedia.net include:spf100.secureserver.net include:spf200.secureserver.net ~all

This is parsed by Intermedia, and now Test Case 1 arrives without being marked as [SPAM] because there are no SOFTFAIL errors. In other words, the GoDaddy email server(s) are now OK to send email from admin@websitehost.com. Yea!

Other helpful SPF tools and sites:
Unified eMail SPF Parser - this will parse and expand an SPF record so you can see all the mail servers that are "included" in it
SPF Project Site

Summary and Notes:
smtp.secureserver.net => spf.secureserver.net
spf.secureserver.net => spf100.secureserver.net spf200.secureserver.net
spf100.secureserver.net => spf101.secureserver.net - spf107.secureserver.net (7 servers)
spf200.secureserver.net => spf201.secureserver.net - spf203.secureserver.net (3 servers)

The DNS lookup limit is 10, and every include: reached while following the chain counts toward it. That is why the nested smtp => spf => spf100/spf200 chain is rejected as "too many DNS lookups" while spf100 and spf200 each pass on their own.

secureserver.net => spf.secureserver.net
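To see how the include: chain in the summary above runs into the 10-lookup limit, here is a small checker that walks include:/redirect= targets and counts the DNS-querying terms the way an SPF validator does. This is an added example, not the post's or any tool's code: the DNS records are constructed from the summary (not real zone data), and the spf101-107 and spf201-203 "servers" are modelled as include: terms, which is an assumption.

```python
"""Walk an SPF include: chain and count DNS-querying terms.

The TXT table below is constructed to mirror the post's summary; it is not
real zone data, and the spf1xx/spf2xx leaf hosts are modelled as include:
terms (an assumption; the post only calls them servers).
"""

LOOKUP_LIMIT = 10                     # SPF evaluation limit on DNS-querying terms
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

TXT = {  # constructed TXT records keyed by hostname
    "smtp.secureserver.net": "v=spf1 include:spf.secureserver.net ~all",
    "spf.secureserver.net": "v=spf1 include:spf100.secureserver.net "
                            "include:spf200.secureserver.net ~all",
    "spf100.secureserver.net": "v=spf1 " + " ".join(
        f"include:spf10{i}.secureserver.net" for i in range(1, 8)) + " ~all",
    "spf200.secureserver.net": "v=spf1 " + " ".join(
        f"include:spf20{i}.secureserver.net" for i in range(1, 4)) + " ~all",
}
for leaf in [f"spf10{i}" for i in range(1, 8)] + [f"spf20{i}" for i in range(1, 4)]:
    TXT[f"{leaf}.secureserver.net"] = "v=spf1 ip4:192.0.2.0/24 ~all"  # placeholder net

def parse(record):
    """Yield (mechanism, argument) pairs, dropping the +/-/~/? qualifier."""
    for term in record.split()[1:]:                 # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")
        for sep in (":", "=", "/"):
            if sep in term:
                name, arg = term.split(sep, 1)
                break
        else:
            name, arg = term, ""
        yield name.lower(), arg

def count_lookups(domain, dns, path=()):
    """Count every DNS-querying term reached while evaluating domain's record,
    descending into include:/redirect= targets (an include loop is cut)."""
    here = path + (domain,)
    total = 0
    for name, arg in parse(dns.get(domain, "")):
        if name not in LOOKUP_TERMS:
            continue                                # ip4/ip6/all cost no lookup
        total += 1
        if name in ("include", "redirect") and arg not in here:
            total += count_lookups(arg, dns, here)
    return total

def check(domain, dns=TXT):
    """Return (lookups, within_limit) for a hostname's SPF chain."""
    n = count_lookups(domain, dns)
    return n, n <= LOOKUP_LIMIT

if __name__ == "__main__":
    for host in ("smtp.secureserver.net", "spf.secureserver.net",
                 "spf100.secureserver.net", "spf200.secureserver.net"):
        n, ok = check(host)
        print(f"{host}: {n} lookups -> {'ok' if ok else 'too many DNS lookups'}")
```

Under this model smtp.secureserver.net and spf.secureserver.net both exceed the limit, while spf100.secureserver.net and spf200.secureserver.net pass on their own, matching what the Kitterman tool reported above.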