DMARC and SPF updates
A while back I added a DMARC entry in DNS for my @gardiner.net.au domain. The existence of this entry then means I get daily email reports which include data from a number of email servers (e.g. Google, Yahoo) about emails received from my domain and whether they were regarded as legitimate or spam. I don’t receive copies of the emails themselves – just a summary of how many emails the destination site thought were legitimate and how many were rejected because they thought they were spam.
Microsoft have just announced that they too are now sending DMARC reports, so this prompted me to review my current SPF and DMARC settings to ensure that they’re working properly.
The trouble with the DMARC reports is that they come via email with an attached zipped .XML file, which means you can’t just view them… you have to download them, unzip them, then open them in IE (or Notepad), and scan through the XML to try and make sense of it. Wouldn’t it be nice if there was a tool or service that summarised this for you?
Well it turns out there are some. I’ve decided to try two out - http://dmarcian.com and DMARC Analyzer.
Both of these services allow you to upload existing DMARC reports or set up email forwarding to automatically send the reports directly. You can then log in and view a summary.
I uploaded the data from the last 7 days. Here are some examples of the kind of report you get from each service:
The details for data from the 9th of December:
GARDINER.NET.AU - 3 msgs, 3 IPs
SPF-Authorized Servers - 2 groups , 2 msgs, 2 IPs, 100% auth’d
Other Servers - 1 group , 1 msg, 1 IP, 0% auth’d
126.96.36.199 (bay0-omc1-s14.bay0.hotmail.com), 1 msg, 0% auth’d
- 1 msg, disposition: None (monitor only) [none], DMARC-DKIM: fail (raw: none, d=none), DMARC-SPF: fail (raw: pass, dom: hotmail.com)
I was curious that both of them flagged a potential problem with an email. Sometimes this can be because it is actually spam – an email sent from an address that was not part of the authorised sender list as defined in the SPF record. But in this case, the error indicated that the email did come from a legitimate source.
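An added example (not the author's code or either service's) of the kind of summarising described above: it unpacks a zipped aggregate report and lists, per source IP, the DMARC-evaluated DKIM and SPF results beside the raw SPF result and its domain, the same fields as the summary line above. The sample report, its documentation IP addresses and the size cap are constructed assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

MAX_XML_BYTES = 5 * 1024 * 1024  # assumed cap; real reports are far smaller
# Constructed sample in the RFC 7489 Appendix C layout (documentation IPs).
SAMPLE_XML = b"""<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>2</count><policy_evaluated>
   <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>gardiner.net.au</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>1</count><policy_evaluated>
   <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>hotmail.com</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

def load_report(data):
    """Return the report XML from a zipped or plain attachment (bytes)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info = zf.infolist()[0]
            if info.file_size > MAX_XML_BYTES:  # declared size: cheap zip-bomb guard
                raise ValueError("report too large")
            data = zf.read(info)
    # Reports come from third parties and never need a DTD, so refuse one.
    if len(data) > MAX_XML_BYTES or b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("oversized report or unexpected DTD")
    return data

def summarise(data):
    """One dict per <record>: DMARC-evaluated results beside the raw SPF result."""
    ev = "row/policy_evaluated/"
    return [{
        "ip": rec.findtext("row/source_ip"),
        "count": int(rec.findtext("row/count", "0")),
        "disposition": rec.findtext(ev + "disposition"),
        "dmarc_dkim": rec.findtext(ev + "dkim"),
        "dmarc_spf": rec.findtext(ev + "spf"),
        "raw_spf": rec.findtext("auth_results/spf/result", "none"),
        "raw_spf_dom": rec.findtext("auth_results/spf/domain", "none"),
    } for rec in ET.fromstring(load_report(data)).iter("record")]

def authd_percent(rows):
    """Share of messages that passed DMARC through DKIM or SPF."""
    total = sum(r["count"] for r in rows)
    ok = sum(r["count"] for r in rows if "pass" in (r["dmarc_dkim"], r["dmarc_spf"]))
    return round(100 * ok / total) if total else 0
```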
Next step was to confirm that my SPF record is correct. A quick trip to the SPF Record Testing Tools confirmed that yes, my SPF record was in effect, but that there was also an error message I hadn’t noticed previously:
PermError SPF Permanent Error: Too many DNS lookups
So it turns out that there are limits on how many DNS lookups are allowed for SPF records. 10 to be precise.
My old SPF record was:
v=spf1 a mx ip4:188.8.131.52/24 include:aspmx.googlemail.com include:hotmail.com include:gmail.com include:live.com -all
It does look like there’s some redundancy there with two similar includes covering GMail and another two for Hotmail/Live. Simplifying things down (and hopefully not losing any accuracy) I’ve changed the record to this:
v=spf1 a mx ip4:184.108.40.206/24 include:hotmail.com include:_spf.google.com ~all
This now passes validation. Note that I’ve reverted back to ~all (a ‘Soft’ fail which means that recipients won’t outright reject emails if there is a problem with the new rule). I’ll switch back to -all (a ‘hard’ fail) after a week or two once I’m happy that nothing is broken!
I’ll also be interested to see if the DMARC reports contain passing results for the hotmail emails.
Passed 4, failed 3
It seems my ‘perfect record’ of passing Microsoft exams has finally come to an end.
During August and September a large number of new exams were made available for ‘beta’ testing before their public release. Somehow I managed to take 7 exams over this time – most relating to developing Windows 8 applications.
The final results are now published. I’ve passed:
- 70-483: Programming in C#
- 70-485: Advanced Windows Store App Development using C#
- 70-486: Developing ASP.NET MVC 4 Web Applications
- 70-487: Developing Windows Azure and Web Services
But unfortunately I didn’t do so well for the remainder:
- 70-484: Essentials of Developing Windows Store Apps using C#
Failing the HTML5 exams wasn’t much of a surprise. I really didn’t know the technology very well at all, so it was reasonable that I didn’t pass. I figured that it would still be a good learning experience to do the exams, and hopefully I’d pick up a few concepts along the way.
70-484 was a bit more disappointing, but I’m pleased that by the time I took 70-485 I’d had a chance to spend a bit more time playing around with developing for Windows 8 – and that obviously paid off. I think I would like to do that one again in a few months, most likely after I’ve published some apps to the Windows 8 Store – that should then qualify me for the MCSD Windows Store Apps.
One side-benefit of passing 70-483 is that I achieved the following certification: Programming in C# Specialist
One day during the school holidays, I organised to ride with my two oldest kids down part of the veloway, finishing up at Christies Beach. They both rode very well, and we met up with the rest of the family and Narelle’s parents for fish and chips overlooking the sea.
I wouldn’t put myself in the same category as Jen but I think it’s still a nice photo.