TL;DR: We had SPF too permissive (+all) and spammers used this to send tons of spam "from" our domain. We restricted that to ~all and added DMARC (not DKIM though), now other providers do not trust our real emails. How to make them trust our domain/SPF record without making it too permissive again?
I've worked for this company for a while now. However, the DNS management is done by other people.
I've noticed that our SPF record was pretty bad (literally +all at the end) and the people who manage DNS argued that this is needed since many servers send automatic weekly/daily reports. However, on close inspection they do not use our mailing domain name. So I suggested fixing the SPF record to have at least ~all at the end and adding a DMARC record to receive reports of messages that are considered spam. We could not add DKIM as there are multiple systems that require sending emails (all proxied via Gmail servers with their smtp-proxy servers).
Once we had done so, we started receiving large numbers of reports about spam messages with our domain name as sender. All of them do look like spam and were definitely not sent from our servers.
Obviously this is what we wanted to achieve, but now I see that our legit messages are sent to spam as well, even though all sending servers are added in SPF (we use Gmail for business).
Q: How can we recover from this and make other providers trust emails sent by hosts in our (now valid) SPF?
UPD: Below are examples of SPF and DMARC records we have:
v=spf1 ip4:xx.xx.xx.xx ip4:yy.yy.yy.yy ip4:zz.zz.zz.zz include:_spf.google.com ~all
v=DMARC1; p=none; rua=mailto:dmarc.report@company.com; ruf=mailto:dmarc.report@company.com; sp=none; fo=1; adkim=r; aspf=s
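Added example, not part of the original post: a sketch of how a receiver combines the SPF result with DMARC identifier alignment (RFC 7489) under the record above, where aspf=s, adkim=r and no DKIM signature exists. The envelope domains and the DKIM case are constructed for illustration, and `org_domain` is a simplifying assumption (real receivers use the Public Suffix List).

```python
# Added example: how a receiver evaluates DMARC (RFC 7489) with the posted record.
DMARC_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc.report@company.com; "
                "ruf=mailto:dmarc.report@company.com; sp=none; fo=1; adkim=r; aspf=s")

def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    """Assumption: organizational domain = last two labels.
    Real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares org domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(record, from_domain, spf_result, mail_from, dkim_pass_domains=()):
    """DMARC passes if SPF or DKIM both passes and aligns with the From: domain."""
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_pass_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "policy": tags.get("p", "none")}

# Constructed envelopes (not taken from the post); From: is always company.com.
SAMPLES = [
    ("direct, envelope == From",      "pass",     "company.com",        ()),
    ("envelope on a subdomain",       "pass",     "bounce.company.com", ()),
    ("forwarded, envelope rewritten", "pass",     "forwarder.example",  ()),
    ("spoofed, hits ~all",            "softfail", "company.com",        ()),
    # Hypothetical: what a DKIM signature with d=company.com would change.
    ("subdomain envelope + DKIM d=",  "pass",     "bounce.company.com", ("company.com",)),
]

def run_samples(record=DMARC_RECORD):
    """Return {sample name: DMARC verdict} for the constructed envelopes."""
    return {name: dmarc_eval(record, "company.com", spf, mfrom, dkim)["dmarc"]
            for name, spf, mfrom, dkim in SAMPLES}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:32} -> {verdict}")
```

With strict SPF alignment and no DKIM, any message whose envelope sender is not exactly the From: domain fails DMARC even when SPF itself passes; comparing the envelope (Return-Path) domain in real message headers against the From: domain shows which case applies.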