Hi there @old_fogey,

From what you suggested a few times could you clarify if the charity is using its own server? Or are you using the plusnet server (relay.plus.net)?

"I am a plus.net subscriber at home, and also help a small charity that uses plus.net business broadband and hosts their own Exchange server." 

 

"the charity has only one exchange server.  ANy ideas what should either we do or plus.net do to solve the problem?  (I have looked at the guidance note from plus.net obviously and there is no informaiton on SPF records on DNS for those running their own email servers)."

Hi Optimatts,

Thanks for the quick reply and sorry for any confusion, the answer is both using its own server and using the plusnet servers behind relay.plus.net (whose name implies is supposed to be relaying messages....).  To be more precise:

- they have their own domain (registered at godaddy), and set up A, MX, SPF, DKIM and DMARC records there

- they have a 'static IP' address from plus.net business broadband

- incoming smtp messages come straight to their server as specified in the MX record.  This has always worked and continues to do so.

- outgoing smtp messages are sent via relay.plus.net, as if they try to send them direct they are (and have always been in the ~4 years they are a plus.net customer) blocked by plus.net.  No issue with that, very sensible, nearly all ISPs do it and it is to help prevent email spam.

- outgoing smtp messages sent via relay.plus.net used to be received by customers very reliably.  Email headers on test messages I sent to my personal gmail last week show they come via avasoutXX.plus.net (where XX is a number under 10).  Outgoing email has worked well for roughly 4 years

- very recently, selected outgoing messages sent via relay.plus.net were not received and no indication that they hadn't been received was obtained.

- I investigated further and found at least some of those organisations not receiving mail from the charity were implementing a 'delete message' policy for SPF failures

- the charities spf record was (from memory) 'v=spf1 mx -all'.  The MX record points to the one email server they have at the plus.net static IP address.  Emails from that sever should not fail an SPF test.

- I tried a few test messages to the test system at dkimvalidator.com.  I could see that messages showed an SPF 'reject' because avasoutxx.plus.net was not in the SPF policy for the charity, even though the email headers showed that the email didn't come from avasoutxx.plus.net, but was originated at the charities exchange server at their static plus.net static IP address.

- I changed the SPF record to 'v=spf1 mx include:plus.net -all'.  SPF now passes at dkimvalidator.com as we have allowed any and every *.plus.net server to send email on our behalf. 

- the issue I have with this 'workaround' is that the only server that should be authorised to send email is the one specified in the MX record.  If (and only if) receiving organisations use DKIM then I guess all parties are still protected as only genuine emails will be signed by the charities private key.

- the question is therefore, what should the charity do so that they can implement a tight SPF rule and still have outgoing messages sent via relay.plus.net delivered reliably?

Hope this is crystal clear!

REgards

Andy

the question is therefore, what should the charity do so that they can implement a tight SPF rule and still have outgoing messages sent via relay.plus.net delivered reliably?

Exactly what you have done.

outgoing smtp messages are sent via relay.plus.net,

You are sending via relay.plus.net, so the Plusnet servers must be in your SPF record.

- the issue I have with this 'workaround' is that the only server that should be authorised to send email is the one specified in the MX record.

It's not a workaround, you ARE sending via relay.plus.net and therefore the PN servers must be authorised in the SPF record. In fact you never send directly from your server so it doesn't actually need to be in the SPF record. The MX record defines the server for INCOMING messages, which it appears you do receive directly.

Hope that helps