Monzo.com spf records


#1

Chaps, can you update your spf records?
You’re sending emails from statuspage.io mta hosts (they use sendgrid) which are failing spf checks and getting dumped.

[snips]
From: hello@monzo.com
Received: from o1678974x233.outbound-mail.sendgrid.net (167.89.74.233)
X-Hermes-Status: spf-failed

❯ dig monzo.com -t TXT +short |grep spf
"v=spf1 ip4:192.254.123.197/32 include:_spf.google.com include:mailgun.org include:eu._netblocks.mimecast.com ~all"

thanks


(Tony Hoyle) #2

You shouldn’t be dropping mail based on a ~all - it’s a soft fail (basically ignored except as a weighting in a proper antispam system). Any decent sized company is going to be sending from all sorts of places.


(Dave) #3

Yes, mail shouldn’t be outright dumped on a soft fail, but it could be used as weighting in a spam system as @TonyHoyle said. However, if properly configured it should pass anyway.

I’m trying to recall from memory, but mailgun.org always stands out in my mind as a provider that gives people these issues. Maybe they don’t always update their SPF record to include all servers that are being used.


#4

Yeah you’re right, I didn’t dump it. It goes to a spam maildir (along with hard fails) which is where I found it.

If you’re testing and using soft fail, you’re probably not sending me emails. If you’re sending emails in the wild with soft fail with a “will I won’t I use it maybe one day?”, I don’t want to be sitting here going “will I won’t I accept it?”.

Have the courage of your convictions, and update your spf records.
Don’t half use it, I’m not going to half accept it. And size is no excuse of course.

PS. This reads very blunt. Apologies. I should go eat.

===

I read this again and I think wtf? (pardon my language)
email is such a nasty space, there are so many bloody opinions, so many attempts to cut spam, reduce junk, and not one of them is clean, elegant, uncontroversial, where we all go “yep, that’s the one, I’ll take it!”
And now here I am banging on about updating your spf, when I don’t believe a word of it really.
Only that thank heavens it’s Friday.
So, as you were.


(Dave) #5

To be fair, I have some sympathy with that view. Personally I use a hard fail along with DKIM and strict DMARC reject, and if mail isn’t being received directly from the servers I send via then I expect it to be bounced back.

That said, if someone automatically forwards mail from the address I send to on to another address there is a chance the SPF record will break and my mail won’t reach their preferred destination (or will go to spam). So I can see why some people don’t use strict SPF records. It requires understanding on both the part of the sender and receiver as to how email works and frequently in my experience that understanding isn’t in place.
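
An added example, not part of any post in this thread: a small evaluator for the `ip4`, `include` and `all` mechanisms (a subset of RFC 7208), run against the record quoted in post #1 to show why the SendGrid address lands on `~all`. The contents of the three included records are constructed stand-ins using documentation address ranges, not the providers' real records, and `check_spf` is a name chosen for this example.

```python
import ipaddress

# The record quoted in post #1.
MONZO_SPF = ("v=spf1 ip4:192.254.123.197/32 include:_spf.google.com "
             "include:mailgun.org include:eu._netblocks.mimecast.com ~all")

# Constructed TXT data so the example runs offline. The included records
# below are placeholders (documentation ranges), not real provider records.
CONSTRUCTED_TXT = {
    "monzo.com": MONZO_SPF,
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mailgun.org": "v=spf1 ip4:203.0.113.0/24 ~all",
    "eu._netblocks.mimecast.com": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=CONSTRUCTED_TXT, depth=0):
    """Return the SPF result for ip against domain's record (hypothetical helper)."""
    if depth > 10:  # simple guard against include loops in this example
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the included record yields pass;
            # its own ~all or -all does not carry over to the outer record.
            matched = check_spf(ip, term[8:], txt, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            raise ValueError(f"mechanism not handled in this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no 'all'


if __name__ == "__main__":
    print(check_spf("167.89.74.233", "monzo.com"))    # address from post #1
    print(check_spf("192.254.123.197", "monzo.com"))  # the listed ip4
```

With `~all` swapped for `-all` in the same record, the same unlisted address evaluates to `fail` instead of `softfail`, which is the distinction the replies are arguing about.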