It's also possible that they won't accept overly broad SPF assertions. Some people around the mail community have proposed that overly broad (details to be defined) assertions should be ignored or used as an abuse indicator in themselves. The extreme case would be the "+all" assertion :-)
--Kurt On Tue, Dec 3, 2019 at 7:28 AM Jason Carter via mailop <mailop@mailop.org> wrote: > Thanks for the feedback Al. I talked to Michael outside of the list, and > I am going to say this is something with QQ, and not very widespread. > Perhaps they have network/DNS lookup issues. > > > > I have DMARC reporting through Proofpoint, but QQ doesn’t send any > forensic data, so hard to tell what their real issue is. > > > > > > > > *Jason Carter* > > IT Manager > > Microsoft Enterprise Applications and Systems > > Information Technology Services | Florida State University > > *p* 850.645.8069 | *w* its.fsu.edu > > > > <https://www.facebook.com/floridastateits/> > <https://www.instagram.com/floridastateits/> > <https://twitter.com/floridastateITS> > > > > *From:* Al Iverson <aiver...@wombatmail.com> > *Sent:* Tuesday, December 3, 2019 10:05 AM > *To:* Jason Carter <jason.car...@fsu.edu> > *Cc:* mailop@mailop.org > *Subject:* Re: [mailop] QQ failing Office 365 emails for SPF? > > > > I, too, have recently seen QQ.com SPF failures that didn't seem to make > any sense. We ended up changing a custom SPF record for a client just to > see if it might help things (even though the original one passed with > various tests, but failed only at QQ). I'm waiting for a client's next send > to see if it has fixed things or not. > > > > Regards, > > Al Iverson > > > > On Mon, Dec 2, 2019 at 6:18 PM Jason Carter via mailop <mailop@mailop.org> > wrote: > > Included the relevant part in my original post, but here it is again in > its entirety. I took out any identifying email addresses. > > > > Your message to {blah blah blah}@qq.com <dengjingz...@qq.com> couldn't be > delivered. > > qq.com > <https://urldefense.com/v3/__http:/qq.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJFgYnkBrg$> > couldn't > confirm that your message was sent from a trusted location. > > *Rhiannon.Paget* > > *Office 365* > > *blah blah blah* > > *Action Required* > > *Recipient* > > > > > > > > > > > > *SPF validation error* > > > > How to Fix It > > Your organization's email admin will have to diagnose and fix your > domain's email settings. Please forward this message to your email admin. > ------------------------------ > > > More Info for Email Admins > > *Status code: 550 5.7.23* > > This error occurs when Sender Policy Framework (SPF) validation for the > sender's domain fails. If you're the sender's email admin, make sure the > SPF records for your domain at your domain registrar are set up correctly. > Office 365 supports only one SPF record (a TXT record that defines SPF) for > your domain. Include the following domain name: *spf.protection.outlook.com > <https://urldefense.com/v3/__http:/spf.protection.outlook.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJHsjSf0EA$>*. > If you have a hybrid configuration (some mailboxes in the cloud, and some > mailboxes on premises) or if you're an Exchange Online Protection > standalone customer, add the outbound IP address of your on-premises > servers to the TXT record. > > For more information and instructions about configuring SPF records see > Customize > an SPF record to validate outbound mail sent from your domain > <https://urldefense.com/v3/__https:/technet.microsoft.com/library/dn789058(v=exchg.150).aspx__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJG_o1Kvqg$> > and > also External Domain Name System records for Office 365 > <https://urldefense.com/v3/__https:/support.office.com/article/External-Domain-Name-System-records-for-Office-365-c0531a6f-9e25-4f2d-ad0e-a70bfef09ac0*BKMK_SPFrecords__;Iw!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJHZVUtHbw$> > . > > Original Message Details > > Created Date: > > 12/2/2019 7:38:53 PM > > Sender Address: > > {blah blah blah}@ringling.org <rhiannon.pa...@ringling.org> > > Recipient Address: > > {blah blah blah}@qq.com <dengjingz...@qq.com> > > Subject: > > RE: {subject went here....} > > > Error Details > > Reported error: > > *550 5.7.23 The message was rejected because of Sender Policy Framework > violation -> 550 DMARC check failed > [MTIzknf/jEeC0aTwbOXvrBiAcTvXxZqFXcru3oWyMZucp1BLJ8LQWCk= IP: > 40.107.82.82]. > http://service.mail.qq.com/cgi-bin/help?subtype=1&&no=1001508&&id=16 > <https://urldefense.com/v3/__http:/service.mail.qq.com/cgi-bin/help?subtype=1&&no=1001508&&id=16__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJECZHM_3Q$>.* > > DSN generated by: > > BN6PR02MB2308.namprd02.prod.outlook.com > <https://urldefense.com/v3/__http:/BN6PR02MB2308.namprd02.prod.outlook.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJGRnvvDoA$> > > Remote server: > > newxmmxszb50.qq.com > <https://urldefense.com/v3/__http:/newxmmxszb50.qq.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJGZcIxaPg$> > > > > > > > > > > > > > > > > *Jason Carter* > > IT Manager > > Microsoft Enterprise Applications and Systems > > Information Technology Services | Florida State University > > *p* 850.645.8069 | *w* its.fsu.edu > > > > > > > ------------------------------ > > *From:* Michael Wise <michael.w...@microsoft.com> > *Sent:* Monday, December 2, 2019 7:11 PM > *To:* Jason Carter <jason.car...@fsu.edu>; mailop@mailop.org < > mailop@mailop.org> > *Subject:* RE: QQ failing Office 365 emails for SPF? > > > > > > Would need to see the NDR. > > > > Aloha, > > Michael. > > -- > > *Michael J Wise* > Microsoft Corporation| Spam Analysis > > "Your Spam Specimen Has Been Processed." > > Open a ticket for Hotmail > <https://urldefense.com/v3/__http:/go.microsoft.com/fwlink/?LinkID=614866__;!!PhOWcWs!gMrEEd5Gpg_cTtSvcJ4bq5ipPM6NSpK6TFoye6wXIoWqNuxsabHhFkTv6TqM-zeaVw$> > ? > > > > *From:* Jason Carter <jason.car...@fsu.edu> > *Sent:* Monday, December 2, 2019 4:08 PM > *To:* mailop@mailop.org; Michael Wise <michael.w...@microsoft.com> > *Subject:* [EXTERNAL] Re: QQ failing Office 365 emails for SPF? > > > > Well I am not talking about mail sent TO a Office 365 tenant. It was sent > FROM a Office 365 tenant to a @QQ.com address, and they bounced it for a > SPF failure, even though the SPF record for the sending domain clearly > includes the IP address they said failed SPF. > > > > > > > > > > *Jason Carter* > > IT Manager > > Microsoft Enterprise Applications and Systems > > Information Technology Services | Florida State University > > *p* 850.645.8069 | *w* its.fsu.edu > <https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fits.fsu.edu*2F&data=02*7C01*7CMichael.Wise*40microsoft.com*7C3eef7b56156b485017bc08d77784dcab*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637109284834503704&sdata=Bo*2B8*2F7qAA4AYEkcHPp5sGrDdhNvlyeUs8mPR3Y6g*2BbE*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJQ!!PhOWcWs!gMrEEd5Gpg_cTtSvcJ4bq5ipPM6NSpK6TFoye6wXIoWqNuxsabHhFkTv6Trl5g03ag$> > > > > > > > ------------------------------ > > *From:* mailop <mailop-boun...@mailop.org> on behalf of Michael Wise via > mailop <mailop@mailop.org> > *Sent:* Monday, December 2, 2019 7:02 PM > *To:* mailop@mailop.org <mailop@mailop.org> > *Subject:* Re: [mailop] QQ failing Office 365 emails for SPF? > > > > > > At Microsoft, be that either mail sent to an Office365 tenant or a Hotmail > / Outlook customer, the DMARC p=reject will **NOT** generate a bounce. > > For many, many reasons. > > > > Primarily because the SPF/DKIM/DMARC checks are done **AFTER** the email > has been received, and the port 25 connection has been closed. > > Secondarily because, in light of the above, it would make backscatter > issues worse, and possibly result in a DDOS attack. > > Load concerns makes any other approach impractical. > > > > Aloha, > > Michael. > > -- > > *Michael J Wise* > Microsoft Corporation| Spam Analysis > > "Your Spam Specimen Has Been Processed." > > Open a ticket for Hotmail > <https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=http*3A*2F*2Fgo.microsoft.com*2Ffwlink*2F*3FLinkID*3D614866&data=02*7C01*7CMichael.Wise*40microsoft.com*7C3eef7b56156b485017bc08d77784dcab*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637109284834513661&sdata=ZwKYvnixZzdymjprTH2LrI4f74y8vmf*2Btef6teaxPDA*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSU!!PhOWcWs!gMrEEd5Gpg_cTtSvcJ4bq5ipPM6NSpK6TFoye6wXIoWqNuxsabHhFkTv6Tpvn3EB7g$> > ? > > > > *From:* mailop <mailop-boun...@mailop.org> *On Behalf Of *Jason Carter > via mailop > *Sent:* Monday, December 2, 2019 3:56 PM > *To:* mailop@mailop.org > *Subject:* [外部] [mailop] QQ failing Office 365 emails for SPF? > > > > Any using Office 365 that has a domain at DMARC=REJECT see any bounce > backs for mail sent to QQ.com addresses for SPF failures, when they IP > address they mentioned failed is clearly in the SPF record? > > > > Example: > > > > Reported error: > > *550 5.7.23 The message was rejected because of Sender Policy Framework > violation -> 550 DMARC check failed > [MTIzknf/jEeC0aTwbOXvrBiAcTvXxZqFXcru3oWyMZucp1BLJ8LQWCk= IP: > 40.107.82.82]. > **http://service.mail.qq.com/cgi-bin/help?subtype=1&&no=1001508&&id=16 > <https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=http*3A*2F*2Fservice.mail.qq.com*2Fcgi-bin*2Fhelp*3Fsubtype*3D1*26*26no*3D1001508*26*26id*3D16&data=02*7C01*7CMichael.Wise*40microsoft.com*7C3eef7b56156b485017bc08d77784dcab*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637109284834513661&sdata=gh*2Bk9XHsY14nJTaX4SYj0CwJs4afL8l8a8uhHLZFjeQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSU!!PhOWcWs!gMrEEd5Gpg_cTtSvcJ4bq5ipPM6NSpK6TFoye6wXIoWqNuxsabHhFkTv6TqfQUeBBw$>* > > DMARC指引_QQ邮箱帮助中心 > <https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=http*3A*2F*2Fservice.mail.qq.com*2Fcgi-bin*2Fhelp*3Fsubtype*3D1*26*26no*3D1001508*26*26id*3D16&data=02*7C01*7CMichael.Wise*40microsoft.com*7C3eef7b56156b485017bc08d77784dcab*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637109284834513661&sdata=gh*2Bk9XHsY14nJTaX4SYj0CwJs4afL8l8a8uhHLZFjeQ*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSU!!PhOWcWs!gMrEEd5Gpg_cTtSvcJ4bq5ipPM6NSpK6TFoye6wXIoWqNuxsabHhFkTv6TqfQUeBBw$> > > 一、DMARC(Domain-based Message Authentication,Reporting & Conformance)DMARC > 是一种基于现有的SPF和DKIM > 协议的可扩展电子邮件认证协议,在邮件收发双方建立了邮件反馈机制,便于邮件发送方和邮件接收方共同对域名的管理进行完善和监督... > > service.mail.qq.com > <https://urldefense.com/v3/__http:/service.mail.qq.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJFYb3SXVA$> > > *.* > > DSN generated by: > > BN6PR02MB2308.namprd02.prod.outlook.com > <https://urldefense.com/v3/__http:/BN6PR02MB2308.namprd02.prod.outlook.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJGRnvvDoA$> > > Remote server: > > newxmmxszb50.qq.com > <https://urldefense.com/v3/__http:/newxmmxszb50.qq.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJGZcIxaPg$> > > > > > > 40.107.82.82 is within 40.107.0.0/16 > <https://urldefense.com/v3/__http:/40.107.0.0/16__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJEVAdinVQ$>, > which is in the SPF record they ask you to use: > spf.protection.outlook.com > <https://urldefense.com/v3/__http:/spf.protection.outlook.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJHsjSf0EA$> > > > > > > > > > > > > *Jason Carter* > > IT Manager > > Microsoft Enterprise Applications and Systems > > Information Technology Services | Florida State University > > *p* 850.645.8069 | *w* its.fsu.edu > <https://urldefense.com/v3/__https:/nam06.safelinks.protection.outlook.com/?url=https*3A*2F*2Fits.fsu.edu*2F&data=02*7C01*7CMichael.Wise*40microsoft.com*7C3eef7b56156b485017bc08d77784dcab*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637109284834523617&sdata=04lipEyKZS*2B*2BRoxWLdeQWUC0S70wBFdHBS362WVsyIg*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUl!!PhOWcWs!gMrEEd5Gpg_cTtSvcJ4bq5ipPM6NSpK6TFoye6wXIoWqNuxsabHhFkTv6TqSM-sG8A$> > > > > > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop > <https://urldefense.com/v3/__https:/chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJHFYEQZsg$> > > > > > -- > > al iverson // wombatmail // chicago > http://www.aliverson.com > <https://urldefense.com/v3/__http:/www.aliverson.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJELojRWqA$> > http://www.spamresource.com > <https://urldefense.com/v3/__http:/www.spamresource.com__;!!PhOWcWs!lHOJFDnHX3KAZhxb_ut8Y0Upd5dQdgjeMmtSCE2YXu36gq_YeO1xjOB5IJGTP45J-Q$> > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
