Hotmail moves to SPF authentication

Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records.
From an email in my inbox from September:

Authentication-Results: hotmail.com; sender-id=pass (sender IP is 65.55.240.72) header.from=******@microsoft.discoverbing.com; dkim=fail (testing mode) header.d=microsoft.discoverbing.com; x-hmca=pass
X-SID-PRA: *********@microsoft.discoverbing.com
X-SID-Result: Pass
X-DKIM-Result: Fail(t)
X-AUTH-Result: PASS

From an email I just sent myself:

Authentication-Results: hotmail.com; spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com; dkim=pass header.d=gmail.com; x-hmca=pass
X-SID-PRA: ****@gmail.com
X-AUTH-Result: PASS
X-SID-Result: PASS

And, since we’re here, let’s look at how to read the Authentication-Results line.
Authentication-Results: hotmail.com; spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com; dkim=pass header.d=gmail.com; x-hmca=pass
Authentication-Results: header added by Hotmail to give authentication results.
hotmail.com: domain doing the authenticating.
spf=pass (sender IP is 209.85.214.174) smtp.mailfrom=*****@gmail.com: Authentication results for SPF. This tells you what IP Hotmail received the email from, as well SMTP.mailfrom address they used when checking the SPF. In this case, 209.85.214.174 is a google IP and is authorized to use gmail in the SMTP.mailfrom / return path / envelope from.
dkim=pass header.d=gmail.com: Says that the DKIM signature validated and the signing entity (d=) is gmail.com.
 
 

Data, data, elections and data
Fun with Subject lines

Related Posts

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.
 

Read More

SPF records: not really all that important

I’ve been working through some Hotmail issues with a client over the last few months. One of the things that has become clear to me is how little Hotmail actually does with SPF records. In fact, Hotmail completely ignored my client’s SPF record and continued to deliver email into the inbox.
This isn’t just a sender that had a “well, we think most of our email will come from these IPs but aren’t telling you to throw away email that doesn’t” record. In fact, this client specifically said “if email doesn’t come from this /28 range of email addresses, then it is unauthorized and should be thrown away.” The email was being sent from an IP outside of the range listed in the SPF record.
As part of the process involved in fixing the delivery problems, I had the client update their SPF record and then I enrolled their domain in the SenderID program at Hotmail. This didn’t have any effect, though. Hotmail is still not checking SPF for this client. When I asked Hotmail what was going on they said, “We do not do lookups on every sender’s mail.”
So, there you have it folks. The last bastion of SPF/SenderID has abandoned the technology. Even a totally invalid SPF record doesn’t matter, mail can still reach the inbox at Hotmail.

Read More

DKIM is Done

This was posted to the IETF DKIM Working Group mailing list this morning:

Read More