My SPF record is
neland.dk descriptive text "v=spf1 a:mail6.paradiss.dk a:min.moar.dk
a:arnold.neland.dk include:_spf.google.com -all"
I get this error when sending from gmail.com as [email protected]
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for
the recipient domain hotmail.com by mx4.hotmail.com. [65.55.37.72].
The error that the other server returned was:
550 5.7.0 (COL0-MC1-F16) Unfortunately, messages from (209.85.219.42) on
behalf of (neland.dk ) could not be delivered due to domain owner policy restrictions.
_spf.google.com includes
_spf.google.com descriptive text "v=spf1 include:_netblocks.google.com
include:_netblocks2.google.com include:_netblocks3.google.com ~all"
which contains 209.85.219.42
So why is Hotmail not accepting my mail? I also have DKIM and DMARC for neland.dk
_dmarc.neland.dk descriptive text "v=DMARC1\; p=reject\; rua=mailto:[email protected]"
Does my DKIM matter if the mail is not signed by my own server, but by google's?
"policy restriction" is key here. Your DMARC record asks that all non-verified messages claiming to be from your domain should be rejected (p=reject). That's the policy being honored in this case. As you might be aware, there are three similar but distinct identity validation concepts in play here:
DMARC validation is "all or nothing" (if either sender or signatory is compromised, authorship validation is futile). From the DMARC specification (§3.4):
Now, regarding your question:
Well yes, then it suddenly matters. Hotmail now needs to find out whether the author ("[email protected]") has given mandate to the signatory domain. The information needed to validate this mandate does not exist, and thus the message "could not be delivered due to domain owner policy restrictions."
Simply generate a DKIM key for GMail to use for signing messages sent as neland.dk and make sure the GMail key is published in DNS. GMail always signs messages using the "google" selector prefix, so the key needs to be published at google._domainkey.neland.dk. Now, when the MX at hotmail.com receives a submission from GMail, it can verify using both mechanisms (SPF and DKIM) and won't have to reject the message. Fortunately, Google put together a nice little step-by-step guide for domain owners regarding DKIM implementation in GMail/Apps:
Google Support: Authenticate email with DKIM
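The mechanics behind the answer above are DMARC identifier alignment (RFC 7489 §3.1): a message only passes if SPF passed for an envelope (RFC5321.MailFrom) domain that aligns with the From: domain, or a verified DKIM signature's d= domain aligns with it. The following is an added illustration written for this page, not code from the thread or from Google. It uses a constructed stand-in for the Public Suffix List, omits the rua= tag from the question's record (it does not affect the verdict), and the per-scenario authentication results (which domain the envelope sender and the DKIM d= carry when Gmail sends "as" another domain, or when the domain's own MTA relays) are assumptions labelled in the code.

```python
"""DMARC identifier alignment evaluator (added example, not from the thread).

Implements the pass rule of RFC 7489 section 3.1: a message passes DMARC if
either (a) SPF returned "pass" and the RFC5321.MailFrom domain aligns with the
RFC5322.From domain, or (b) a DKIM signature verified and its d= domain aligns.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the Public Suffix List; a real evaluator must use the
# full list (https://publicsuffix.org/) to determine the organizational domain.
PUBLIC_SUFFIXES = {"com", "dk", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # unknown suffix: treat the whole name as organizational


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """mode 's' (strict) requires an exact match; 'r' (relaxed) compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record; dig-style '\\;' escapes (as shown in the question) are unescaped."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {
        "p": tags.get("p", "none"),
        "adkim": tags.get("adkim", "r"),  # RFC 7489 default: relaxed alignment
        "aspf": tags.get("aspf", "r"),
    }


@dataclass
class AuthResults:
    spf_mailfrom_domain: Optional[str]  # RFC5321.MailFrom domain if SPF gave "pass", else None
    dkim_signing_domains: List[str]     # d= of every DKIM signature that verified


def evaluate_dmarc(from_domain: str, record: str, auth: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, disposition); disposition is the p= action applied on failure."""
    policy = parse_dmarc(record)
    spf_aligned = auth.spf_mailfrom_domain is not None and aligned(
        auth.spf_mailfrom_domain, from_domain, policy["aspf"])
    dkim_aligned = any(aligned(d, from_domain, policy["adkim"])
                       for d in auth.dkim_signing_domains)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", policy["p"]


# The question's record without its rua= tag (reporting does not change the verdict).
NELAND_DMARC = "v=DMARC1\\; p=reject\\;"

# Constructed scenarios; the authentication results are assumptions, not observed data.
SCENARIOS = {
    # Gmail "send mail as": assumed envelope sender and DKIM d= are the Gmail account's own
    # domain, so neither identifier aligns with From: neland.dk and p=reject is applied.
    "gmail_send_as": AuthResults("gmail.com", ["gmail.com"]),
    # Gmail signing with a key published at google._domainkey.neland.dk (the answer's fix):
    # SPF still does not align, but the aligned DKIM signature alone is enough to pass.
    "gmail_with_domain_dkim": AuthResults("gmail.com", ["neland.dk"]),
    # Relaying through the domain's own MTA (the follow-up comment): the envelope sender
    # is neland.dk and the host is listed via a:arnold.neland.dk, so SPF aligns.
    "own_server": AuthResults("neland.dk", ["neland.dk"]),
}


def main() -> None:
    for name, auth in SCENARIOS.items():
        print(f"{name:24s} -> {evaluate_dmarc('neland.dk', NELAND_DMARC, auth)}")


if __name__ == "__main__":
    main()
```

The point the scenarios make is that an SPF "pass" for the connecting IP is not sufficient on its own: DMARC only counts it when the envelope sender domain aligns with the From: header, and likewise only counts a DKIM signature whose d= aligns, which is exactly what publishing the domain's own selector for Gmail provides.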
I have made it so I let Google send the mail out from my own mail server, as I apparently cannot set the private key or get the public key for google._domainkey.neland.dk without Google Apps for Business.
Now my own server signs the mail.