EmailDiscussions.com  

Old 22 Apr 2020, 11:34 PM   #1
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
Fastmail is deliberately causing some mail to fail SPF

I recently noticed that most of my outgoing mail was failing SPF. It turns out that it's deliberate.

FM have two pools of outgoing servers named

out<number>-smtp.messagingengine.com
forward<number>-smtp.messagingengine.com

Only the out* pool is included in the default SPF record based on spf.messagingengine.com.

Sending forwarded mail through the forward* servers is legitimate; you don't want mail that failed SPF for an FM domain on the way in to pass on the way out.

But it turns out that FM are using these servers for other mail. The two reasons I know about are:
  1. Mail from non-hosted domains (even if the SPF includes spf.messagingengine.com)
  2. SMTP submitted mail without a corresponding webmail identity (even if it's your main address or a configured alias)

The first is easily worked around by using include:spfall.messagingengine.com in the domain's SPF record. This is what's used for SRS forwarded mail and for the server HELO identities.

However, it gets much worse. This isn't just about SPF; the forward* servers have lower and more volatile reputations than the out* servers. They all frequently drop below 70 on Senderscore and forward3's reputation dropped as low as 18 last Friday. Personally, I've never seen a legitimate email below the 50-59 range; most reputable servers score 95-100. Senderscore is likely the tip of the iceberg. Poor reputations may be why some people are having problems with forwarding.

Apparently this is done to mitigate spoofing. FM has in the past allowed any user to spoof any other user and still pass SPF. IMO accepting submitted mail and then silently disavowing it in SPF and sabotaging its deliverability is not the way to go.

I think 2. is particularly bad for those of us that mostly use mail clients.

Note that to use random subdomain addresses from a third-party mail client you need to create a wildcard webmail identity like *@somealias.fastmail.com.

Old 23 Apr 2020, 12:37 AM   #2
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,685
Does Pobox.com do the same thing? Their main business is built around forwarding.
Old 23 Apr 2020, 01:08 AM   #3
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
Quote:
Originally Posted by TenFour
Does Pobox.com do the same thing? Their main business is built around forwarding.

I don't know but I would guess that they do it more intelligently.

A lot of providers have tiers of outgoing servers to deal with accounts that have probably been hacked etc.

The main point of this thread was the Kafkaesque use of these forward servers, when they punish us for breaking rules they aren't telling us about.
Old 23 Apr 2020, 01:19 AM   #4
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,685
Quote:
the Kafkaesque use of these forward servers, when they punish us for breaking rules they aren't telling us about.

There's a lot more of that going on with email than we realize, and not just at Fastmail. The Internet is full of articles by marketers trying to figure out how to get their emails delivered properly to customers. You can follow all the rules and sometimes email just doesn't get there.
Old 23 Apr 2020, 02:03 AM   #5
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
Quote:
Originally Posted by TenFour
There's a lot more of that going on with email than we realize, and not just at Fastmail. The Internet is full of articles by marketers trying to figure out how to get their emails delivered properly to customers. You can follow all the rules and sometimes email just doesn't get there.

Marketing is a very different matter.
Old 23 Apr 2020, 03:10 AM   #6
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,685
Quote:
Marketing is a very different matter.

What I meant was there is lots going on with various email systems that impacts all of us, including marketers. I have done some tracing of marketing emails that were considered very important by the people sending them, and of course some CEO was never getting them. It often turned out there was an obvious problem, but sometimes it was a mystery with everything passing spam tests, proper alignment, yada, yada and still never getting to the destination.
Old 4 May 2020, 05:26 AM   #7
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
OP: Thanks so much for posting this!

I'm quite familiar with "spf.messagingengine.com", as I specify it in my domains' SPF records, but what is "spfall.messagingengine.com"? I can't find mention of it in FM docs.

Gosh, this might explain why some of my outgoing emails fail SPF (I send email from FM webmail).

I have a handful of domains that are MX'd into FM, but the DNS is hosted elsewhere, so of course I need to manage the SPF records myself.

I'm tempted now to update them from "spf..." to "spfall...", but I'm curious to know more about this undocumented FM SPF specification. If anyone has any more info on this, I'd love to know. Thanks.
Old 4 May 2020, 04:28 PM   #8
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
I haven't heard of "spfall.messagingengine.com" and assumed it was a typo.

Fastmail creates the SPF record as:

Quote:
v=spf1 include:spf.messagingengine.com ?all

This may also be of interest:

https://dmarcian.com/what-is-the-dif...f-all-and-all/
Old 4 May 2020, 11:12 PM   #9
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
spfall.messagingengine.com is undocumented; unlike spf.messagingengine.com, it contains all the outgoing servers. It has nothing to do with ~all and -all.

When you use SRS for an alias your outgoing mail still goes via the forward* servers, but the envelope sender address is rewritten to use the subdomain 'srs.messagingengine.com' which has the TXT record:

"v=spf1 include:spfall.messagingengine.com -all"

If you are using FM to send outgoing mail for a domain that isn't hosted there, e.g. your incoming mail is forwarded to FM or you're using FM as a smarthost for a mail server, it makes sense to switch to spfall. But really you should consider moving as you'll still be paying a premium rate for a second class service.

Even if none of the above applies you still need to keep your webmail identities up to date if you ever use a third-party mail client.
Old 5 May 2020, 09:38 AM   #10
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Quote:
Originally Posted by SideshowBob
...If you are using FM to send outgoing mail for a domain that isn't hosted there, e.g. your incoming mail is forwarded to FM or you're using FM as a smarthost for a mail server, it makes sense to switch to spfall. But really you should consider moving as you'll still be paying a premium rate for a second class service....

Thank you much for that supplementary info!
Old 30 May 2020, 01:07 AM   #11
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
When I was testing this I created an account in claws-mail that sends through FM's server using a Fastmail alias without an FM identity. This will go out using the low-reputation forward* servers.

I've just started a trial of Namecheap's email hosting. Today I was testing the account's filtering rules and I used the above claws-mail account to send test emails (forgetting why I created it).

Everything sent with that claws-mail account is being marked as spam by SpamExperts and ending up in the spam folder. Mail that goes through the out* servers is not.
Old 8 Jun 2020, 01:27 AM   #12
thomas789
Junior Member
 
Join Date: Jan 2007
Posts: 3
I submitted a ticket to Fastmail support regarding this issue about 2 weeks ago. After 3 days I received a reply that my case would be escalated to a senior agent; after another 4 days I received this reply:

Quote:
Hi Thomas,

As part of our measures to avoid email spoofing we have made some recent changes so that emails sent through domains not added to a fastmail account will be sent through our forwarding server. Since forwarding servers will not be part of our SPF, this can cause SPF softfail and that's what's happening here.

1. You are sending the emails using the domain "mydomain", but that domain is not added to your fastmail account. You need to add the domain from the Settings → Domains screen of your fastmail account. You can add the domain even if it's not being hosted at our end.
2. You also need to add the sending address in the Settings → Sending Identities screen if not already done.

Doing both the above will ensure that emails from that address or domain go through our regular outgoing servers instead of forwarding servers.

If you do not wish to add the domain to your fastmail account and if you have an SMTP host for that domain at a remote server, you can add the sending address as an external identity using the Settings → Sending Identities screen. Please refer to the "Send via" option here: https://www.fastmail.com/help/send/i...s.html#options

However, if you own the domain, for the best possible experience, we always recommend hosting it with us: https://www.fastmail.com/help/receive/domains.html

First of all, having to wait a full week for a reply to a ticket is unacceptable even for a free service, never mind a paid one (and I have been a paying customer for 15 years).

Secondly, the reply seems to be copied and pasted, as it ignores the details I gave when I opened the ticket, namely that my emails were bouncing with a hard SPF fail by some recipient servers. The SPF records for my domains (I have about half a dozen) included spf.messagingengine.com -all and that always worked fine for many years, but since around 20 April all my emails showed hard fail (I only became aware of this a couple of weeks ago when I got a bounce for an important email I wanted to send, but I checked other emails in a backup account which is bcc'd for all emails I sent).

The reply to the ticket at least confirmed what SideshowBob said, namely that they have effectively disabled SPF records for those accounts that have only sending identities for their domains but don't have their domains' MX records hosted with them. Now the agent suggested to do the latter, but when I go into my account it says 'Custom domains are not allowed with your current plan. Upgrade to add your own domain.' which would mean I have to upgrade to the 'Standard' account costing $50 per year. This is completely unacceptable, having had SPF working for all those years for $20 per year (I still have been on the 'Legacy' 'Full' package for the last years; they only recently changed this to the new 'Basic' package, for which they'll charge $30 next time anyway).

And by the way, if you want to have DKIM signed for your own domains you have to take out the $50 package as well. Presently they sign it only for their own domain, which isn't really what you want.

I find what Fastmail have done here (without warning) is not only completely unacceptable but puzzling, because one can add all the servers they use to your SPF record manually:

Quote:
ip4:66.111.4.0/24 ip4:64.147.123.0/24

This is effectively the same as adding spfall.messagingengine.com, but avoids an additional lookup for the mail servers, and it would still work if Fastmail decided to retire the spfall.messagingengine.com domain. I have changed it in this sense as a temporary measure, but this incident + the fact that the price would increase by 50% for me soon anyway has led me now to look for an alternative email service. Does anyone have experience with Zoho Mail? You can host your domains there and use SPF and DKIM for $10 per year with 5 GB mail storage. I am still waiting for a reply from them on how many domains I can use (I contacted them only yesterday though).

Thomas
thomas789 is offline   Reply With Quote
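
Added example (not part of any post in this thread and not Fastmail's code): a small offline SPF evaluator for the ip4, include and all mechanisms, showing how a record that includes only the out* pool treats mail leaving through a forward* host, next to the spfall include and the inline ip4 form discussed in posts #9 and #12. The domains, the records in ZONE, the address ranges and the two sample hosts are constructed placeholders, not Fastmail's published data.

```python
import ipaddress

# Constructed data: placeholder ranges and TXT records standing in for DNS.
OUT_POOL, FORWARD_POOL = "192.0.2.0/24", "198.51.100.0/24"
ZONE = {
    "spf.provider.example": f"v=spf1 ip4:{OUT_POOL} -all",  # out pool only
    "spfall.provider.example": f"v=spf1 ip4:{OUT_POOL} ip4:{FORWARD_POOL} -all",
    "hard.example": "v=spf1 include:spf.provider.example -all",
    "neutral.example": "v=spf1 include:spf.provider.example ?all",
    "fixed.example": "v=spf1 include:spfall.provider.example -all",
    "inline.example": f"v=spf1 ip4:{OUT_POOL} ip4:{FORWARD_POOL} -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
FORWARD_IP, OUT_IP = "198.51.100.7", "192.0.2.25"  # constructed sending hosts


def check_host(ip, domain, lookups=None):
    """Return (result, include_lookups) using RFC 7208 rules for ip4/include/all."""
    lookups = [0] if lookups is None else lookups
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier], lookups[0]
        if mechanism.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mechanism[4:])
        elif mechanism.startswith("include:"):
            lookups[0] += 1  # each include uses one of the 10 permitted lookups
            if lookups[0] > 10:
                return "permerror", lookups[0]
            inner, _ = check_host(ip, mechanism[8:], lookups)
            if inner in ("none", "permerror"):
                return "permerror", lookups[0]
            matched = inner == "pass"  # an include matches only on an inner pass
        else:
            return "permerror", lookups[0]  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]  # nothing matched and the record has no "all"
```

The lookup count in the second element is what the inline ip4 form saves: it evaluates with no include lookups, at the cost of having to track range changes by hand.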
All times are GMT +9.