Mike_L
Message 1 of 7

Email rejected due to SPF / DMARC policy

I am sending email from a private domain via Virgin's SMTP server (smtp.virginmedia.com). I have recently started seeing large numbers of emails being rejected, with the following message:

Your message have been determined to be suspicious due to non-compliance with the SPF or DMARC policy for the domain < my domain name >, which this message appears to have originated from.
If you are the owner of this domain, then please refer to the below forum post for corrective action:
https://community.virginmedia.com/t5/Email/Sending-email-using-your-own-domain/td-p/3716147

I studied the information in the above-mentioned forum post, but to be honest I didn't understand any of it. (I did manage to find the contents of the SPF record, but I've no idea how to interpret it or how to alter it.)

I contacted my hosting company (where the domain is registered) but they said I must contact Virgin.

I'd be grateful for any help or guidance.

Mike

Graham_A
Message 2 of 7

Re: Email rejected due to SPF / DMARC policy

Virgin Media won't be able to make the necessary changes for you. 

Generally they need to be made in the control panel of your domain registrar/hosting account.  The author of the post you were linked to is probably the best person to help.  However, I have no idea how much he is able to contribute during this current crisis period, but I will give him a mention @ravenstar68 

________________________________
Graham

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media, I'm a VM customer. There are no guarantees that my advice will work. Learn more

HowardML
Message 3 of 7

Re: Email rejected due to SPF / DMARC policy

I'm going to give you the clue that might unlock this for you. But it is down to you to sort out.

As an anti-spam measure ISPs increasingly, and VM is one of them, do not allow you to send mail via their servers which are not clearly identified as coming from one of their addresses. And increasingly ISPs will check mail which they receive to see if the servers sending the mail (in this case VM) are authorised to send mail for that domain.  They look at the SPF record for the domain.

Your mail is failing that check (I surmise) because your SPF record does not identify that VM's SMTP servers are authorised to send that mail for that domain.

Now re-read the article to see how you get your SPF record for your domain to announce that VM's servers are authorised to send mail for your domain.  And if you need help with that, then you go to your domain name hosting service because they should have provided you with the on-line tools for you to construct your SPF record. Usually some kind of on-line "control panel". 

 



ravenstar68
Message 4 of 7

Re: Email rejected due to SPF / DMARC policy

@Graham_A 

Thanks for the mention.

@Mike_L - It's a bit hard to be specific without knowing your domain or your DNS hosting provider (I presume like most novices, you are using the hosting services provided by your registrar).

The best way to understand SPF is this.

It allows you to tell the world the IP addresses of the mail server(s) used by your domain using DNS.

Let's have a look at a real-world example.

$ dig txt timothydutton.uk +short
"v=spf1 mx -all"

This tells the world that outbound email from timothydutton.uk will only come from the same servers that handle its inbound email.

When receiving mail, an inbound mail server would need to turn the mx entry into an IP address by first looking up the MX DNS record

$ dig mx timothydutton.uk +short
10 box.timothydutton.co.uk.

And finally looking up the address for my host

$ dig a box.timothydutton.co.uk +short
77.68.89.100

So - If I try to send mail using Virgin Media's SMTP relays - I would end up getting the same message, as Virgin Media have taken the unusual step of actually employing SPF checking on its outbound relays. This in theory would limit the ability of someone who'd hacked a Virgin Media email account to be able to spoof third party email addresses using Virgin Media's email servers.

If you own the domain, you can add to your existing SPF record. For example I set up a free mailjet account for one of my domains, hosted on the same server. So I added the mailjet servers to that domain's SPF record

$ dig txt timothydutton.co.uk +short
"v=spf1 include:spf.mailjet.com mx -all"

Note the extra include:spf.mailjet.com entry before the existing mx entry.

Now if I want to add Virgin Media's mail servers to my SPF record I'd add the following include: entry.

include:_smtprelay.virginmedia.com 

"v=spf1 include:_smtprelay.virginmedia.com include:spf.mailjet.com mx -all"

Now the above would be specific to my requirements for my own domain.  If you want more specific advice as to what your own SPF record should be, I'd need to either:

Know what domain you are using.  OR
Know what your existing SPF record says.  (TBH If I know your domain then I can find the SPF record myself)

HOWEVER the important thing to know is that you need to add include:_smtprelay.virginmedia.com to your existing SPF record.

Virgin Media can't help you do this.  Your DNS provider can help here.

Tim


Mike_L
Message 5 of 7

Re: Email rejected due to SPF / DMARC policy

First of all, many thanks to all three of you for your prompt replies, and especially to Tim (@ravenstar68 ) for the detailed explanation.

Tim, you asked what my existing SPF record says. This is the result I got after running nslookup (as per your earlier thread):

Server: routerlogin.net
Address: 192.168.0.1

cycling-edinburgh.org.uk text =

"v=spf1 ip4:31.170.123.89 +a +mx include:secureserver.net ~all"

You are right that I am using a hosting service. So, if I've understood this right, I should ask my hosting service to add include:_smtprelay.virginmedia.com to the above record? I assume they would know how to do that.

Mike

ravenstar68
Message 6 of 7
Helpful Answer

Re: Email rejected due to SPF / DMARC policy

@Mike_L 

Your host can do it for you - but you should be able to do it yourself TBH.

https://help.tsohost.com/knowledge-base/article/4838

With regards to your SPF record

 

"v=spf1 ip4:31.170.123.89 +a +mx include:secureserver.net ~all"

 

Let's look at the following terms:

ip4:31.170.123.89

Means the IPv4 address 31.170.123.89

+a

Which can also just be written as a - means use the A record (IPv4 address) for your domain

cycling-edinburgh.org.uk. 14400 IN A 31.170.123.89

+mx

Which again can also just be written as mx means use the hostname found in your MX records

cycling-edinburgh.org.uk. 14400 IN MX 0 cycling-edinburgh.org.uk.

The SPF module will then look for the A (IPv4) or AAAA (IPv6) records for the hostname cycling-edinburgh.org.uk, which will again point to the same IP address.

Thus the above three mechanisms all resolve to the same IP address.  Given that SPF processing ends with a positive once a match is found you don't need all three.

So your SPF record should be

 

"v=spf1 ip4:31.170.123.89 include:secureserver.net include:_smtprelay.virginmedia.com ~all"

 

Tim
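
Added example (not part of Tim's posts, and not Virgin Media's code): a small SPF evaluator covering the two walk-throughs above, the mx/include resolution in message 4 and the term-by-term reading in message 6. It handles only the ip4, a, mx, include and all mechanisms without CIDR suffixes or macros; the DNS data is constructed, and the address ranges behind secureserver.net and _smtprelay.virginmedia.com are placeholder documentation ranges, not those providers' real records.

```python
import ipaddress

# Constructed DNS data: the A/MX records are the ones quoted in the thread; the
# include targets use placeholder documentation ranges, not the real SPF records.
DOMAIN = "cycling-edinburgh.org.uk"
ZONE = {
    (DOMAIN, "A"): ["31.170.123.89"],
    (DOMAIN, "MX"): [DOMAIN],
    ("secureserver.net", "TXT"): "v=spf1 ip4:198.51.100.0/24 -all",
    ("_smtprelay.virginmedia.com", "TXT"): "v=spf1 ip4:192.0.2.0/24 -all",
}
OLD = "v=spf1 ip4:31.170.123.89 +a +mx include:secureserver.net ~all"
NEW = ("v=spf1 ip4:31.170.123.89 include:secureserver.net "
       "include:_smtprelay.virginmedia.com ~all")
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def networks(mech, arg, domain):
    """Networks an ip4, a or mx mechanism resolves to (other mechanisms: none)."""
    if mech == "ip4":
        return [ipaddress.ip_network(arg)]
    name = arg or domain
    hosts = {"a": [name], "mx": ZONE.get((name, "MX"), [])}.get(mech, [])
    return [ipaddress.ip_network(ip) for h in hosts for ip in ZONE.get((h, "A"), [])]

def check_host(ip, domain, record):
    """Evaluate terms left to right; return (result, first matching term)."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "include":
            # include matches only if the included record itself yields "pass"
            hit = check_host(ip, arg, ZONE[(arg, "TXT")])[0] == "pass"
        else:
            hit = mech == "all" or any(addr in n for n in networks(mech, arg, domain))
        if hit:
            return RESULTS[qualifier], term
    return "neutral", None

def redundant_terms(domain, record):
    """ip4/a/mx terms whose addresses an earlier term already covers."""
    seen, dupes = [], []
    for term in record.split()[1:]:
        mech, _, arg = term.lstrip("+-~?").partition(":")
        nets = networks(mech, arg, domain)
        if nets and all(any(n.subnet_of(s) for s in seen) for n in nets):
            dupes.append(term)
        seen += nets
    return dupes
```

For the placeholder relay address 192.0.2.25, `check_host` falls through to `~all` (softfail) on the old record and matches `include:_smtprelay.virginmedia.com` (pass) on the new one. `redundant_terms(DOMAIN, OLD)` reports `+a` and `+mx`, the two terms dropped from the record suggested above.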


Mike_L
Message 7 of 7

Re: Email rejected due to SPF / DMARC policy

Tim,

The hosting company have now updated the SPF record, as per your suggestion. I've now sent out some test emails, and they all appear to have been correctly delivered.

I'm very grateful for your help.

Mike