|
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
|
22 Apr 2020, 11:34 PM | #1 |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
Fastmail is deliberately causing some mail to fail SPF
I recently noticed that most of my outgoing mail was failing SPF. It turns out that it's deliberate.
FM have two pools of outgoing servers, named out<number>-smtp.messagingengine.com and forward<number>-smtp.messagingengine.com. Only the out* pool is included in the default SPF record based on spf.messagingengine.com. Sending forwarded mail through the forward* servers is legitimate; you don't want mail that failed SPF for an FM domain on the way in to pass on the way out. But it turns out that FM are using these servers for other mail. The two reasons I know about are:
The first is easily worked around by using include:spfall.messagingengine.com in the domain's SPF record. This is what's used for SRS forwarded mail and for the server HELO identities.
However, it gets much worse. This isn't just about SPF: the forward* servers have lower and more volatile reputations than the out* servers. They all frequently drop below 70 on senderscore, and forward3's reputation dropped as low as 18 last Friday. Personally I've never seen a legitimate email below the 50-59 range; most reputable servers score 95-100. Senderscore is likely the tip of the iceberg. Poor reputations may be why some people are having problems with forwarding.
Apparently this is done to mitigate spoofing. FM has in the past allowed any user to spoof any other user and still pass SPF. IMO accepting submitted mail and then silently disavowing it in SPF and sabotaging its deliverability is not the way to go. I think 2. is particularly bad for those of us that mostly use mail clients.
Note that to use random subdomain addresses from a third-party mail client you need to create a wildcard webmail identity like *@somealias.fastmail.com. |
23 Apr 2020, 12:37 AM | #2 |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,685
|
Does Pobox.com do the same thing? Their main business is built around forwarding.
|
23 Apr 2020, 01:08 AM | #3 | |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
Quote:
A lot of providers have tiers of outgoing servers to deal with accounts that have probably been hacked etc. The main point of this thread was the Kafkaesque use of these forward servers, when they punish us for breaking rules they aren't telling us about. |
|
23 Apr 2020, 01:19 AM | #4 | |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,685
|
Quote:
|
|
23 Apr 2020, 02:03 AM | #5 | |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
Quote:
|
|
23 Apr 2020, 03:10 AM | #6 | |
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,685
|
Quote:
|
|
4 May 2020, 05:26 AM | #7 |
Essential Contributor
Join Date: Oct 2008
Posts: 212
|
OP: Thanks so much for posting this!
I'm quite familiar with "spf.messagingengine.com", as I specify it in my domains' SPF records, but what is "spfall.messagingengine.com"? I can't find mention of it in FM docs. Gosh, this might explain why some of my outgoing emails fail SPF (I send email from FM webmail). I have a handful of domains that are MX'd into FM, but the DNS is hosted elsewhere, so of course I need to manage the SPF records myself. I'm tempted now to update them from "spf..." to "spfall...", but I'm curious to know more about this undocumented FM SPF specification. If anyone has any more info on this, I'd love to know. Thanks. |
4 May 2020, 04:28 PM | #8 | |
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
|
I haven't heard of "spfall.messagingengine.com" and assumed it was a typo.
Fastmail creates the SPF record as: Quote:
https://dmarcian.com/what-is-the-dif...f-all-and-all/ |
|
4 May 2020, 11:12 PM | #9 |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
spfall.messagingengine.com is undocumented; unlike spf.messagingengine.com, it contains all the outgoing servers. It has nothing to do with ~all and -all.
When you use SRS for an alias your outgoing mail still goes via the forward* servers, but the envelope sender address is rewritten to use the subdomain 'srs.messagingengine.com', which has the TXT record: "v=spf1 include:spfall.messagingengine.com -all"
If you are using FM to send outgoing mail for a domain that isn't hosted there, e.g. your incoming mail is forwarded to FM or you're using FM as a smarthost for a mail server, it makes sense to switch to spfall. But really you should consider moving, as you'll still be paying a premium rate for a second class service.
Even if none of the above applies you still need to keep your webmail identities up to date if you ever use a third-party mail client. |
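Added example (not part of any post in this thread, and not Fastmail's code): a small SPF evaluator run over constructed TXT data, showing why a message leaving through a forward* address fails for a domain that includes only spf.messagingengine.com and passes once the domain includes spfall.messagingengine.com. The IP ranges, the contents of the two messagingengine.com include records, and the names old.example and new.example are assumptions; only the srs.messagingengine.com record is quoted from the thread.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The ranges are RFC 5737
# documentation addresses, not Fastmail's real servers (assumption).
TXT = {
    "spf.messagingengine.com": "v=spf1 ip4:192.0.2.0/24 ~all",  # out* pool only (assumed)
    "spfall.messagingengine.com":
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",     # out* + forward* (assumed)
    "srs.messagingengine.com": "v=spf1 include:spfall.messagingengine.com -all",
    "old.example": "v=spf1 include:spf.messagingengine.com -all",     # hypothetical domain
    "new.example": "v=spf1 include:spfall.messagingengine.com -all",  # hypothetical domain
}
OUT_IP = "192.0.2.10"         # constructed address in the out* pool
FORWARD_IP = "198.51.100.10"  # constructed address in the forward* pool

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the ip4, include and all mechanisms of RFC 7208 for one sender IP."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # simplified stand-in for the RFC's DNS lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return qualifier
        if name == "ip4" and addr in ipaddress.ip_network(arg):
            return qualifier
        if name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner == "pass":  # only a pass inside the include is a match
                return qualifier
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside the include: no match, keep going,
            # so the included record's own ~all never decides the outer result
    return "neutral"


if __name__ == "__main__":
    for domain in ("old.example", "new.example", "srs.messagingengine.com"):
        for ip in (OUT_IP, FORWARD_IP):
            print(f"{domain:26} {ip:15} {check_host(ip, domain)}")
```

The `~all` inside an included record only makes the include a non-match; the result for the sending domain comes from that domain's own trailing `-all` or `~all`.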
5 May 2020, 09:38 AM | #10 | |
Essential Contributor
Join Date: Oct 2008
Posts: 212
|
Quote:
Thank you much for that supplementary info! |
|
30 May 2020, 01:07 AM | #11 |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
When I was testing this I created an account in claws-mail that sends through FM's server using a Fastmail alias without an FM identity. This will go out using the low-reputation forward* servers.
I've just started a trial of Namecheap's email hosting. Today I was testing the account's filtering rules and I used the above claws-mail account to send test emails (forgetting why I created it). Everything sent with that claws-mail account is being marked as spam by SpamExperts and ending up in the spam folder. Mail that goes through the out* servers is not. |
8 Jun 2020, 01:27 AM | #12 | ||
Junior Member
Join Date: Jan 2007
Posts: 3
|
I submitted a ticket to Fastmail support regarding this issue about 2 weeks ago. After 3 days I received a reply that my case would be escalated to a senior agent; after another 4 days I received this reply:
Quote:
Secondly, the reply seems to be copied and pasted, as it ignores the details I gave when I opened the ticket, namely that my emails were bouncing with a hard SPF fail by some recipient servers. The SPF records for my domains (I have about half a dozen) included spf.messagingengine.com -all and that always worked fine for many years, but since around 20 April all my emails showed hard fail (I only became aware of this a couple of weeks ago when I got a bounce for an important email I wanted to send, but I checked other emails in a backup account which is bcc'd for all emails I sent).
The reply to the ticket at least confirmed what SideShowBob said, namely that they have effectively disabled SPF records for those accounts that have only sending identities for their domains but don't have their domains' MX records hosted with them. Now the agent suggested to do the latter, but when I go into my account it says 'Custom domains are not allowed with your current plan. Upgrade to add your own domain.' which would mean I have to upgrade to the 'Standard' account costing $50 per year. This is completely unacceptable, having had SPF working for all those years for $20 per year (I still have been on the 'Legacy' 'Full' package for the last years; they only recently changed this to the new 'Basic' package, for which they'll charge $30 next time anyway). And by the way, if you want to have DKIM signed for your own domains you have to take out the $50 package as well. Presently they sign it only for their own domain, which isn't really what you want.
I find what Fastmail have done here (without warning) is not only completely unacceptable but puzzling, because one can add all the servers they use to your SPF record manually
Quote:
Thomas |
||