Thanks for the insights Brandon (everyone else in the group as well). Appreciate your time. should be simple enough for us to make a a change and stop allowing for underscores.
On Wed, Nov 18, 2015 at 5:37 PM, Brandon Long <bl...@google.com> wrote: > I1118 16:23:16.785929 spf_checker.cc:520] Invalid helo domain: > o1.mail_sg1.thehubpeople.com > > underscores in domain names are not valid for smtp... and the ABNF in rfc > 5321 doesn't allow it for HELO arguments either. > > Now, whether we should be that anal, yeah, doesn't quite seem worth it, > especially since we don't need to fall back to using the HELO domain for > this, we're just validating all of the arguments to our spfchecker up front. > > We just got tripped up ourselves about this because we were using > underscore in DKIM key names, and Ironports were refusing them, so even if > we fixed it, we might not be the only folks you have issues with. > > The best guess stuff in the comment seems all bizarre, a poor interface > from the spf check code back to smtp, doesn't have a concept of "invalid > spf check request" which is what we're basically saying here. Our spf > check code predates me, which is saying something. > > The number of messages we accept from transactions with an underscore in > the HELO argument is pretty vanishingly small. > > Brandon > > > On Wed, Nov 18, 2015 at 4:11 PM, Luke Martinez <luke.marti...@sendgrid.com > > wrote: > >> I actually didn't mean to obfuscate the domain...Mistakenly copy and >> pasted from a conversation with a different group. Obviously didn't take >> much to figure out the domain in question... >> >> Its interesting that the issue persists..Here is a header from a test >> message I sent just minutes ago...same issue. >> >> Seems like gmail is having trouble fetching the records for some reason. >> >> Delivered-To: luke.marti...@sendgrid.com >> Received: by 10.37.10.5 with SMTP id 5csp1454076ybk; >> Wed, 18 Nov 2015 16:06:53 -0800 (PST) >> X-Received: by 10.107.47.28 with SMTP id j28mr5555944ioo.168.1447891594041; >> Wed, 18 Nov 2015 16:06:34 -0800 (PST) >> Return-Path: >> <bounces+2035510-7255-luke.martinez=sendgrid....@email.thehubpeople.com> >> Received: from o1.mail_sg1.thehubpeople.com (o1.mail_sg1.thehubpeople.com. >> [167.89.67.186]) >> by mx.google.com with ESMTPS id >> l102si8090776iod.142.2015.11.18.16.06.33 >> for <luke.marti...@sendgrid.com> >> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); >> Wed, 18 Nov 2015 16:06:33 -0800 (PST) >> Received-SPF: softfail (google.com: best guess record for domain of >> transitioning >> bounces+2035510-7255-luke.martinez=sendgrid....@email.thehubpeople.com does >> not designate 167.89.67.186 as permitted sender) client-ip=167.89.67.186; >> Authentication-Results: mx.google.com; >> spf=softfail (google.com: best guess record for domain of >> transitioning >> bounces+2035510-7255-luke.martinez=sendgrid....@email.thehubpeople.com does >> not designate 167.89.67.186 as permitted sender) >> smtp.mailfrom=bounces+2035510-7255-luke.martinez=sendgrid....@email.thehubpeople.com; >> dkim=pass header.i=@thehubpeople.com; >> dmarc=pass (p=NONE dis=NONE) header.from=thehubpeople.com >> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=thehubpeople.com; >> h=content-type:from:mime-version:subject:to; s=m1; >> bh=G2iZV5vFKTfsKWLw4qSi713I8u0=; b=JHzqGRs5nxiMeg5ehVfoE7EaEHNB/ >> exBjskedL7iQDWElEr1smQujnbapPXorReWUR2fCzEKMsOUCgO6OpXuZPCYiaVTL >> iiWC5mv5o/jc0z8NMoXt0PIu4367BP1mlei23nSDHh1GuMoQylt0dC9JsdjKjvBO >> BxfG5nsjUOodaM= >> Received: by filter0486p1mdw1.sendgrid.net with SMTP id >> filter0486p1mdw1.17942.564D128461 >> 2015-11-19 00:06:28.743096475 +0000 UTC >> Received: from MjAzNTUxMA (o16789125x234.outbound-mail.sendgrid.net >> [167.89.125.234]) >> by ismtpd0003p1iad1.sendgrid.net (SG) with HTTP id >> nueVgwhYQ16eFpprFkAAZA >> for <luke.marti...@sendgrid.com>; Thu, 19 Nov 2015 00:06:28.987 +0000 >> (UTC) >> Content-Type: multipart/alternative; >> boundary=f88976723345e813177149e6bfa1985024fe12bf494ae2852e2ba0395276 >> Date: Thu, 19 Nov 2015 00:06:28 +0000 >> From: managem...@thehubpeople.com >> Mime-Version: 1.0 >> Subject: A Test From SendGrid >> To: luke.marti...@sendgrid.com >> Message-ID: <nuevgwhyq16efpprfka...@ismtpd0003p1iad1.sendgrid.net> >> X-SG-EID: >> bmBsS0SGvj5DV4MzWktq1SFvXko3/0Ze1iVVFHnU9JhhIV+69vl2/ow+yjVFsFlRN7LD+HYXWm3J3m >> >> 3xFRZWCKLz7+3aGdiDkJu2/jRf6tFH/QQ8gqixM5mBceuCrtGYZx5IH0LooZiotfZ3p7SrydYYE9bz >> D6ZNepacL8eFB1dFAQ6ka3YxJQ++VjVnkNWb >> >> >> >> On Wed, Nov 18, 2015 at 4:01 PM, Derek Diget < >> derek.diget+mai...@wmich.edu> wrote: >> >>> >>> On Wed, 18 Nov 2015 at 15:33 -0700, Luke Martinez wrote: >>> =>Hey team, >>> => >>> =>I've got an interesting SPF softfail occurring for one of our senders. >>> => >>> =>This softfail is readily repeatable and seems to be isolated to this >>> single >>> =>sender. >>> => >>> =>All necessary records are in place, and their mail passes SPF at all >>> major >>> =>inbox providers other than gmail. >>> => >>> =>Last resort seems to be a DNS lookup failure on Gmail's side. Can >>> anyone >>> =>see if I'm missing something silly? >>> >>> With SPF records there is no need to obfuscate the sending domain >>> since it makes troubleshooting harder to impossible. (See many posts on >>> SPF-Help.) >>> >>> Here is what I see right now[1]. >>> >>> Running SPF query with: >>> IP address: 167.89.67.186 >>> Domain: email.thehubpeople.com >>> Sender: bounces+2035510-7255-luke.martinez= >>> sendgrid....@email.thehubpeople.com (local-part: >>> bounces+2035510-7255-luke.martinez=sendgrid.com) >>> HELO Domain: o1.mail_sg1.thehubpeople.com >>> >>> 17:50:16.94: >>> ---------------------------------------------------------------- >>> 17:50:16.94: SPFcheck_host called: >>> 17:50:16.94: source ip = 167.89.67.186 >>> 17:50:16.94: domain = email.thehubpeople.com >>> 17:50:16.94: sender = bounces+2035510-7255-luke.martinez= >>> sendgrid....@email.thehubpeople.com >>> 17:50:16.94: local_part = bounces+2035510-7255-luke.martinez= >>> sendgrid.com >>> 17:50:16.94: helo_domain = o1.mail_sg1.thehubpeople.com >>> 17:50:16.94: >>> 17:50:16.94: Looking up "v=spf1" records for email.thehubpeople.com >>> 17:50:16.94: DNS query status: Pass >>> 17:50:16.94: "v=spf1 ip4:167.89.67.186 include:sendgrid.net ~all" >>> 17:50:16.94: >>> 17:50:16.94: Parsing mechanism: " ip4 : 167.89.67.186" >>> 17:50:16.94: Assuming a Pass prefix >>> 17:50:16.94: Comparing against 167.89.67.186 >>> 17:50:16.94: Matched; returning Pass >>> 17:50:16.95: Mechanism matched; returning Pass >>> 17:50:16.95: >>> 17:50:16.95: Parsing mechanism: " include : sendgrid.net" (not >>> evaluated) >>> 17:50:16.95: >>> 17:50:16.95: Parsing mechanism: "~ all : " (not evaluated) >>> 17:50:16.95: >>> 17:50:16.95: SPFcheck_host is returning Pass >>> 17:50:16.95: >>> ---------------------------------------------------------------- >>> >>> So, a SPF MailFrom check would pass. >>> >>> >>> 1: Who knows what DNS looked like earlier (and what Google might have >>> cached.) If I am reading the SOA record the serial number is "23" which >>> doesn't leak any info on when a change was made. :( >>> >>> -- >>> *********************************************************************** >>> Derek Diget Office of Information Technology >>> Western Michigan University - Kalamazoo Michigan USA - www.wmich.edu/ >>> *********************************************************************** >>> >>> >>> >>> >>> =>Below is a full header: >>> => >>> =>> Delivered-To: luke.marti...@sendgrid.com >>> =>> Received: by 10.37.10.5 with SMTP id 5csp545399ybk; >>> =>> Tue, 17 Nov 2015 06:47:00 -0800 (PST) >>> =>> X-Received: by 10.107.10.233 with SMTP id >>> =>> 102mr38147900iok.31.1447771620037; >>> =>> Tue, 17 Nov 2015 06:47:00 -0800 (PST) >>> =>> Return-Path: <bounces+2035510-7255-luke.martinez= >>> =>> sendgrid....@email.domain.com> >>> =>> Received: from o1.mail_sg1.DOMAIN.com (o1.mail_sg1.DOMAIN.com. >>> =>> [167.89.67.186]) >>> =>> by mx.google.com with ESMTPS id >>> =>> f11si24972237ioj.131.2015.11.17.06.46.59 >>> =>> for <luke.marti...@sendgrid.com> >>> =>> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 >>> bits=128/128); >>> =>> Tue, 17 Nov 2015 06:46:59 -0800 (PST) >>> =>> Received-SPF: softfail (google.com: best guess record for domain of >>> =>> transitioning bounces+2035510-7255-luke.martinez= >>> =>> sendgrid....@email.domain.com does not designate 167.89.67.186 as >>> =>> permitted sender) client-ip=167.89.67.186; >>> =>> Authentication-Results: mx.google.com; >>> =>> spf=softfail (google.com: best guess record for domain of >>> =>> transitioning bounces+2035510-7255-luke.martinez= >>> =>> sendgrid....@email.domain.com does not designate 167.89.67.186 as >>> =>> permitted sender) smtp.mailfrom=bounces+2035510-7255-luke.martinez= >>> =>> sendgrid....@email.domain.com; >>> =>> dkim=pass header.i=@DOMAIN.com; >>> =>> dmarc=pass (p=NONE dis=NONE) header.from=DOMAIN.com >>> =>> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=DOMAIN.com; >>> =>> h=content-type:from:mime-version:subject:to; s=m1; >>> =>> bh=9pEwAB7wqoG5R88T7P/hW0cn0vg=; b=nU5wIVQOhrCw9obvdFNePBXYVtVRZ >>> =>> w4ZRkebUzg+gPmeOPPPVY97NnYUJvg0wSX4nxgoBZCeORxpfQgPGlurZbL4cbNDH >>> =>> kVZJ85hrHCCNxe2mgqSj6WPES1BppblBwLeeCi3I4/YVMrZInckQ+EoBX/JtV+H8 >>> =>> f1E8xty32c/sSQ= >>> =>> Received: by filter0494p1mdw1.sendgrid.net with SMTP id >>> =>> filter0494p1mdw1.32759.564B3DCA2A >>> =>> 2015-11-17 14:46:34.302768619 +0000 UTC >>> =>> Received: from MjAzNTUxMA (o16789125x222.outbound-mail.sendgrid.net >>> =>> [167.89.125.222]) >>> =>> by ismtpd0006p1iad1.sendgrid.net (SG) with HTTP id >>> =>> Qc2SQ2SmT1GH_bTla6DiMg >>> =>> for <luke.marti...@sendgrid.com>; Tue, 17 Nov 2015 14:46:34.248 >>> +0000 >>> =>> (UTC) >>> =>> Content-Type: multipart/alternative; >>> =>> boundary=3a3da2a7878431dd1b945889881ae3216018141f8c0222fd3cf0d5daa3b3 >>> >>> _______________________________________________ >>> mailop mailing list >>> mailop@mailop.org >>> http://chilli.nosignal.org/mailman/listinfo/mailop >>> >> >> >> >> -- >> >> Luke Martinez >> SendGrid Deliverability Consultant >> 520.400.5693 >> >> _______________________________________________ >> mailop mailing list >> mailop@mailop.org >> http://chilli.nosignal.org/mailman/listinfo/mailop >> >> > -- Luke Martinez SendGrid Deliverability Consultant 520.400.5693
_______________________________________________ mailop mailing list mailop@mailop.org http://chilli.nosignal.org/mailman/listinfo/mailop