[dmarc-discuss] why is this IP failing SPF?

pandalove pandalove at 126.com
Mon Jun 2 22:58:31 PDT 2014


>>       <spf>
>>         <domain>lists.wpkg.org</domain>
>>         <result>neutral</result>
>>       </spf>




The logs tell that 178.63.195.102 resulted in SPF NEUTRAL, treated as a fail in <policy_evaluated> element because this ip cannot provide an SPF alignment.


Usually, such SPF_NEUTRAL is caused by DNS failures: sites 163.com/126.com/yeah.net have a DNS cache, the very FIRST time that a new domain visits OR the TTL of DNS records expires OR outward query of SPF record fails, our DNS cache returns an SPF NEUTRAL when querying SPF/TXT records.




Hope this helps,


-Junping Chen





在 2014-06-02 04:21:25,"Tomasz Chmielewski via dmarc-discuss" <dmarc-discuss at dmarc.org> 写道:
>And could anyone tell me why these two reports say 178.63.195.102 fails
>SPF test?
>
>-- 
>Tomasz Chmielewski
>
>
>On Fri, 30 May 2014 20:45:37 -0700
>Andrew Flury <aflury at agari.com> wrote:
>
>> Hi Tomasz,
>> 
>> As Tim suspected, these reports indicate an SPF alignment problem.
>> Hotmail is reporting that it’s doing SPF checks using
>> web2.virtall.com as the authority domain (typically the MAIL FROM /
>> envelope domain, but it could be the HELO/EHLO domain in the case of
>> bounces).  Emails sent with From: header domains of ptraveler.com
>> need to use MAIL FROM domains (and HELO/EHLO domains for bounces) of
>> ptraveler.com or one of its subdomains in order to pass SPF from
>> DMARC’s perspective.
>> 
>> Hope this helps.
>> 
>> Andrew
>> 
>> On May 30, 2014, at 17:21 PM, Tomasz Chmielewski via dmarc-discuss
>> <dmarc-discuss at dmarc.org> wrote:
>> 
>> > Hi,
>> > 
>> > I've attached a few XML reports.
>> > 
>> > -- 
>> > Tomasz Chmielewski
>> > 
>> > 
>> > 
>> > On Fri, 30 May 2014 20:02:31 -0400
>> > Tim Draegen <tim at eudaemon.net> wrote:
>> > 
>> >> Tomasz, can you share the rest of the xml "record"?  Cant tell if
>> >> there is an alignment issue or not without that.
>> >> 
>> >> =- Tim
>> >> 
>> >> 
>> >>> On May 30, 2014, at 7:29 PM, Tomasz Chmielewski via dmarc-discuss
>> >>> <dmarc-discuss at dmarc.org> wrote:
>> >>> 
>> >>> 178.63.195.102 is allowed in SPF:
>> >>> 
>> >>> # dig +short TXT ptraveler.com
>> >>> "v=spf1 a mx ip4:178.63.195.102 ip6:2a01:4f8:120:22eb::1111
>> >>> ip4:46.4.130.2 ~all" "spf2.0/pra a mx ip4:178.63.195.102
>> >>> ip6:2a01:4f8:120:22eb::1111 ip4:46.4.130.2 ~all"
>> >>> 
>> >>> 
>> >>> And yet, hotmail sends:
>> >>> 
>> >>> <row>
>> >>> <source_ip>178.63.195.102</source_ip>
>> >>> <count>1</count>
>> >>> <policy_evaluated>
>> >>> <disposition>none</disposition>
>> >>> <dkim>fail</dkim>
>> >>> <spf>fail</spf>
>> >>> </policy_evaluated>
>> >>> </row>
>> >>> 
>> >>> 
>> >>> -- 
>> >>> Tomasz Chmielewski
>> >>> http://www.sslrack.com
>> >>> _______________________________________________
>> >>> dmarc-discuss mailing list
>> >>> dmarc-discuss at dmarc.org
>> >>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>> >>> 
>> >>> NOTE: Participating in this list means you agree to the DMARC Note
>> >>> Well terms (http://www.dmarc.org/note_well.html)
>> > 
>> > <google.com!ptraveler.com!1401062400!1401148799.xml><hotmail.com!ptraveler.com!1401058800!1401145200.xml><hotmail.com!ptraveler.com!1401318000!1401404400.xml><yahoo.com!ptraveler.com!1401062400!1401148799.xml>_______________________________________________
>> > dmarc-discuss mailing list
>> > dmarc-discuss at dmarc.org
>> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>> > 
>> > NOTE: Participating in this list means you agree to the DMARC Note
>> > Well terms (http://www.dmarc.org/note_well.html)
>> 
>
>
>
>-- 
>Tomasz Chmielewski
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://dmarc.org/pipermail/dmarc-discuss/attachments/20140603/ef37880f/attachment.html>


More information about the dmarc-discuss mailing list