Sunday, March 31, 2013

GoDaddy SPF smtp.secureserver.net record problem.

Problem: Quick Shopping Cart email notices are rejected as SPAM. Adding "include:smtp.secureserver.net" to the SPF (Sender Policy Framework) record may not resolve the email rejection issue because smtp.secureserver.net fails validation.
Ex: v=spf1 include:spf.intermedia.net include:smtp.secureserver.net ~all

Workaround: use "include:spf100.secureserver.net include:spf200.secureserver.net" instead.
Ex: v=spf1 include:spf.intermedia.net include:spf100.secureserver.net include:spf200.secureserver.net ~all

Explanation:
Recently, I ran into a problem where generated email notifications from a GoDaddy Quick Shopping Cart started getting rejected by a site hosted on Intermedia.net (ex: websitehost.com). The Intermedia spam filter was deleting the message based on SPF_SOFTFAIL and SPF_HELO_SOFTFAIL. In my case, the Intermedia site had Basic Spam Filtering set to automatically delete any message that scored above 3 in SpamAssassin.

To understand what was going on, I changed the Intermedia Spam setting to "deliver and mark as [SPAM]". In the GoDaddy Quick Shopping Cart, there is a page in the dashboard for Notifications which allows you to "verify" the email addresses by sending a test message.

Test Case 1(websitehost): send a generated email message from GoDaddy Quick Shopping Cart (secureserver.net) where from:admin@websitehost.com, to:orders@websitehost.com.
Result: message was marked as [SPAM] based on SPF_SOFTFAIL and SPF_HELO_SOFTFAIL. (View the email header to see the SpamAssassin score based on the soft fails.)

Test Case 2(gmail): send a generated email message from secureserver.net where from:admin@websitehost.com, to:test@gmail.com.
Result: message received, but by viewing the email header, we can see the SPF_SOFTFAIL warning.

The SOFTFAIL occurs because from the perspective of websitehost.com the email appears to be a spoof. In other words, secureserver.net is sending an email that appears to be from websitehost.com.

To allow GoDaddy's mail server (or another mail server) to send messages on behalf of websitehost.com the normal procedure is to update the SPF record for websitehost.com in the DNS settings of Intermedia. By updating the SPF record, you are specifying which mail servers can send email on behalf of websitehost.com. In our case, we want to allow the GoDaddy mail server (secureserver.net) to send email that appears to be from admin@websitehost.com.

My first attempt was to add "include:smtp.secureserver.net" to the SPF record. So, the whole SPF record on Intermedia looked like:
v=spf1 include:spf.intermedia.net include:smtp.secureserver.net ~all

I repeated the tests: websitehost still failed, but the gmail test showed a change.

Test Case 1(websitehost): send a generated email message from GoDaddy Quick Shopping Cart (secureserver.net) where from:admin@websitehost.com, to:orders@websitehost.com.
Result: message was marked as [SPAM] based on SPF_SOFTFAIL and SPF_HELO_SOFTFAIL. (View the email header to see the SpamAssassin score based on the soft fails.)

Test Case 2(gmail): send a generated email message from secureserver.net where from:admin@websitehost.com, to:test@gmail.com.
Result: message received, and by viewing the email header we can see the SPF_SOFTFAIL warning is gone and there is an SPF PASS.

So, what's going on here? Gmail is showing SPF PASS, but Intermedia is still showing SPF SOFTFAIL.

I believe smtp.secureserver.net is not entirely valid.

Using this SPF Validation Tool by Kitterman, http://www.kitterman.com/spf/validate.html, we can see a couple of problems:
- it has a TXT record, but no SPF record (the TXT record is include:spf.secureserver.net)
- it has too many DNS lookups

Gmail seems to parse smtp.secureserver.net while Intermedia does not.

To get something that Intermedia can parse, I used the same tool to look at spf.secureserver.net. It includes spf100.secureserver.net and spf200.secureserver.net. I tried using "include:spf.secureserver.net" instead of "include:smtp.secureserver.net" and had the same results. Then I tested spf100.secureserver.net using the Kitterman tool -- it passed validation. spf200.secureserver.net also passed.

So, I changed the SPF record to: v=spf1 include:spf.intermedia.net include:spf100.secureserver.net include:spf200.secureserver.net ~all

This is parsed by Intermedia and now Test Case 1 arrives without being marked as [SPAM] because there are no SOFTFAIL errors. In other words, now the GoDaddy email server(s) are OK to send email from admin@websitehost.com. Yea!

Other helpful SPF tools and sites:
Unified eMail SPF Parser - this will parse and expand so you can see all the mail servers that are "included" in a SPF record
SPF Project Site

Summary and Notes:
smtp.secureserver.net => spf.secureserver.net
spf.secureserver.net => spf100.secureserver.net spf200.secureserver.net
spf100.secureserver.net => spf101.secureserver.net - spf107.secureserver.net (7 servers)
spf200.secureserver.net => spf201.secureserver.net - spf203.secureserver.net (3 servers)

The DNS lookup limit is 10 (the SPF specification allows at most 10 DNS-querying terms, such as include, per evaluation).

secureserver.net => spf.secureserver.net
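To make the "too many DNS lookups" finding and the include chain above concrete, here is an added example (not code from the post, and not GoDaddy's or Intermedia's software): a toy SPF evaluator that expands include: terms, counts DNS-querying terms the way the SPF specification (RFC 4408, later RFC 7208) requires, and stops with a permerror once the total passes 10. It runs offline against a constructed DNS table whose include chain mirrors the summary (smtp -> spf -> spf100/spf200 -> spf101-107 and spf201-203); the contents of spf.intermedia.net and every ip4 range are invented for the example. Two things fall out of the arithmetic: the original record is 15 lookups in total, and the workaround record, counted across the whole chain rather than one include at a time, is still 13, so under a strict evaluator whether a given sender passes depends on where its server sits in the chain.

```python
import ipaddress

LOOKUP_LIMIT = 10  # SPF allows at most 10 DNS-querying terms per evaluation

# Constructed stand-in for DNS TXT lookups so the example runs offline. The include
# chain follows the post's summary; every ip4 range is invented (RFC 5737 test space).
FAKE_DNS = {
    "spf.intermedia.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "smtp.secureserver.net": "v=spf1 include:spf.secureserver.net -all",
    "spf.secureserver.net": (
        "v=spf1 include:spf100.secureserver.net include:spf200.secureserver.net -all"
    ),
    "spf100.secureserver.net": "v=spf1 "
    + " ".join(f"include:spf10{n}.secureserver.net" for n in range(1, 8))
    + " -all",
    "spf200.secureserver.net": "v=spf1 "
    + " ".join(f"include:spf20{n}.secureserver.net" for n in range(1, 4))
    + " -all",
}
# Leaf records spf101..spf107 and spf201..spf203: one constructed /28 each.
for n in range(1, 8):
    FAKE_DNS[f"spf10{n}.secureserver.net"] = f"v=spf1 ip4:192.0.2.{(n - 1) * 16}/28 -all"
for n in range(1, 4):
    FAKE_DNS[f"spf20{n}.secureserver.net"] = f"v=spf1 ip4:203.0.113.{(n - 1) * 16}/28 -all"

# The two records from the post.
ORIGINAL = "v=spf1 include:spf.intermedia.net include:smtp.secureserver.net ~all"
WORKAROUND = (
    "v=spf1 include:spf.intermedia.net include:spf100.secureserver.net "
    "include:spf200.secureserver.net ~all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Evaluation aborted: malformed record, missing record, or lookup limit exceeded."""


def _check_host(record, addr, dns, budget):
    """Evaluate one record; `budget` is a one-element list shared across nested includes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise PermError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            budget[0] += 1                      # each include is one DNS-querying term
            if budget[0] > LOOKUP_LIMIT:
                raise PermError("too many DNS lookups")
            target = dns.get(arg.lower())
            if target is None:
                raise PermError(f"no SPF record for {arg}")
            if _check_host(target, addr, dns, budget) == "pass":
                return QUALIFIERS[qualifier]    # include only matches on a pass
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            raise PermError(f"mechanism not supported in this toy: {name}")
    return "neutral"                            # no term matched: default result


def evaluate(record, ip, dns):
    """Return (result, lookups_used) for a sending IP checked against a published record."""
    budget = [0]
    try:
        return _check_host(record, ipaddress.ip_address(ip), dns, budget), budget[0]
    except PermError:
        return "permerror", budget[0]


def total_lookups(record, dns):
    """Static count, as a validator reports it: every include: term, followed transitively."""
    count = 0
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() == "include":
            count += 1 + total_lookups(dns[arg.lower()], dns)
    return count


if __name__ == "__main__":
    for label, rec in (("original", ORIGINAL), ("workaround", WORKAROUND)):
        print(f"{label}: {total_lookups(rec, FAKE_DNS)} lookups in total")
        for sender in ("192.0.2.1", "203.0.113.33", "10.0.0.1"):
            print(f"  {sender:>14} -> {evaluate(rec, sender, FAKE_DNS)}")
```

Evaluation is lazy, as in real receivers: a sender in the first leaf (spf101 here) passes the workaround record after 3 lookups, while a sender in the spf200 branch, or a non-matching sender that should get a softfail from ~all, never gets there because the 11th lookup aborts with permerror. That is why two receivers can disagree about the same record and why a direct ip4: entry for the actual sending server (as one commenter below does) sidesteps the whole chain.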

7 comments:

vorapoap said...

Nowadays

This no longer passes the verification

v=spf1 include:spf100.secureserver.net include:spf200.secureserver.net ~all

This problem affects GoDaddy and all GoDaddy Resellers. Anyone has a resolution?

Mark Marino said...

I Agree. This still fails SPF.

I am receiving emails from my Godaddy webmail account and the sending IP does not even fall anywhere in the list of IPs associated with smtp.secureserver.net (so SPF test fails).

I've contacted godaddy support and they have no answer.

Mark Marino said...

I agree. This does not currently work.

I am sending email from Godaddy's webmail interface and the IP address it is sending from does not even belong to smtp.secureserver.net or any of its subdomains (so I get an SPF fail every time).

I've contacted Godaddy support and they have no answer. I will keep trying.

chuckee said...

Godaddy have monumentally screwed up their SPF record as it has a ridiculous number of DNS lookups. It should really have NO DNS lookups, and be purely IP address ranges.
As it is, it is entirely broken and unusable. Good luck with contacting anyone who has even heard of SPF within Godaddy!

North Shore IT said...

This might work for you...(it includes spf for Google Apps):
v=spf1 mx:smtp.secureserver.net include:smtp.secureserver.net include:_spf.google.com ~all

Sony Kumari said...

This comment has been removed by a blog administrator.

Pandemonium said...

The work-around that I found for this on godaddy is to explicitly include the IP of the sending server with the ip4: tag, i.e. if the IP of the server sending the email is 82.10.15.11 you'd have the SPF record as:

v=spf1 mx mx:smtp.secureserver.net mx:mailstore1.secureserver.net include:spf100.secureserver.net ip4:82.10.15.11 ~all

That worked for me!