SPF vs Callout - Mail server admins

w1z4rd

I'm having a conflict with some other mail servers. I'm not sure which is the more accepted practice.

In all our DNS records we have Sender Policy Framework:

In computing, Sender Policy Framework (SPF) allows software to identify messages that are or are not authorized to use the domain name in the SMTP HELO and MAIL FROM (Return-Path) commands, based on information published in a sender policy of the domain owner. Forged return paths are common in e-mail spam and result in backscatter. SPF is defined in RFC 4408.


Now we are having problems with some mail servers that use Callback verification:

Callback verification, also known as callout verification, is a technique used by SMTP software in order to validate e-mail addresses. The most common target of verification is the sender address from the message envelope (the address specified during the SMTP dialogue as "MAIL FROM"). It is mostly used as an anti-spam measure.

From what I can understand, this is a very gay way of doing antispam, but the end result is we get bounce messages like:

[email protected]
SMTP error from remote mailer after RCPT TO:
<[email protected]>:
host smtp.isdsl.net [196.26.208.200]: 550-Verification failed for <[email protected]>
550-Previous (cached) callout verification failure
550 Sender verify failed

What's the best practice: SPF or callout? I have not read any great reviews about callback verification.
 
SPF coupled with DKIM and a valid PTR.

There is a place you can send a test email to and find out your status, I'm just looking for it quickly for you.

I actually would worry too much about DKIM unless you're sending large amounts of marketing email to the likes of Yahoo.
 
Add this txt record to your dns v=spf1 -all if you send from the same servers you receive.

That signifies that all receiving servers are authorized to send email.
 
Add this txt record to your dns v=spf1 -all if you send from the same servers you receive.

That signifies that all receiving servers are authorized to send email.

Right now SPF record looks something like this:

Code:
newz.co.za.  IN TXT  "v=spf1  ip4:196.15.XXX.0/27 ip4:196.211.XXX.XX ip4:196.35.6.71 ip4:196.35.6.69 ip4:196.35.6.70 ip4:196.26.208.200 ip4:196.26.208.190 ipv4:196.26.208.195 ip4:196.26.208.193 a:smtp.dial-up.net a:smtp.isdsl.net -all"
 
Hi w1z4rd,

First off, are you certain you have those TXT records? This may interest you:

$ dig txt newz.co.za

; <<>> DiG 9.2.4 <<>> txt newz.co.za
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;newz.co.za. IN TXT

;; AUTHORITY SECTION:
newz.co.za. 900 IN SOA ns1.wolfatek.com. dave.newz.co.za. 1218633744 10800 3600 604800 10800

;; Query time: 203 msec

===

$ dig txt mail.newz.co.za

; <<>> DiG 9.2.4 <<>> txt mail.newz.co.za
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2114
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.newz.co.za. IN TXT

;; AUTHORITY SECTION:
newz.co.za. 900 IN SOA ns1.wolfatek.com. dave.newz.co.za. 1218633744 10800 3600 604800 10800

;; Query time: 289 msec

In my experience, SPF is pretty hit and miss with catching spam messages - I definitely would not rely on it for that!

Anyway, this is going to be the domain SPF:

domain.tld. IN TXT "v=spf1 [your rules] -all"
domain.tld. IN SPF "v=spf1 [your rules] -all"

This is going to be the mail SPF (your domain uses mail.newz.co.za):

mail IN TXT "v=spf1 [your rules] -all"
mail IN SPF "v=spf1 [your rules] -all"

One last thing - My eye caught that you typed "ipv4:196.26.208.195". I'm almost certain that should read "ip4:196.26.208.195" instead?

P.S. have you visited wolfatek.com recently?
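
The `ipv4:` typo spotted in the reply above is the kind of error a syntax check catches before the record is published. The following is an added example, not code from any poster in this thread: `lint_spf` is a hypothetical helper that checks a single SPF string against the RFC 4408 mechanism names and the 10-term DNS lookup limit, without resolving `include:` or `redirect=` targets.

```python
import ipaddress
import re

# Mechanisms defined for "v=spf1" records (RFC 4408, the RFC the thread cites).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that make the receiver issue DNS queries; the RFC caps them at 10.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([A-Za-z][A-Za-z0-9_.\-]*)([:=/]?)(.*)$")


def lint_spf(record):
    """Return a list of (term, problem) pairs for one SPF TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [(record, "record does not start with v=spf1")]
    problems, lookups, senders = [], 0, 0
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            problems.append((term, "unparseable term"))
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        lookups += name in DNS_TERMS  # True counts as 1
        if sep == "=":
            continue  # modifier (redirect=, exp=); unknown ones are ignored
        if name not in MECHANISMS:
            # A receiver treats any syntax error as PermError for the whole record.
            problems.append((term, "unknown mechanism"))
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError
            except ValueError:
                problems.append((term, "bad address or prefix"))
        senders += name != "all"  # anything other than "all" can match a sender
    if lookups > 10:
        problems.append((record, "more than 10 DNS-querying terms"))
    if senders == 0 and lookups == 0:
        problems.append((record, "no sender is authorized"))
    return problems


# Constructed sample: the thread's record with the masked (XXX) entries left out.
SAMPLE = ("v=spf1 ip4:196.35.6.71 ip4:196.26.208.200 ipv4:196.26.208.195 "
          "a:smtp.dial-up.net a:smtp.isdsl.net -all")

if __name__ == "__main__":
    print(lint_spf(SAMPLE))
```

A record that ends in `-all` with nothing before it is reported as authorizing no sender, which is correct only for a domain that sends no mail at all.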
 