SenderID, include:, and Google Apps

We’ve run into an interesting edge case involving SenderID and Google’s SPF record — though the same thing would happen with any other spf1 record.

Say you’ve got a domain with this SenderID record in DNS: TXT “spf2.0/pra ip4: -all”

What that record means is to use the PRA algorithm, authorize mail from any IPv4 address within ( through, also authorize whatever’s in the record for, and don’t authorize anything else.

Thing is, redirects to, which doesn’t have an spf2.0/pra record. It only has an spf1 record, and spf1 doesn’t have the PRA algorithm. So, what should a receiving site do?

The strict interpretation would be to ignore the spf1 record, thereby effectively ignoring the include: statement. This probably isn’t what wants, though, which is probably why Microsoft interprets the included spf1 statement as if it were spf2.

In other words: even though Google has only published spf1, Microsoft is interpreting the record as spf2 (SenderID) when included in an spf2 statement.

(There’s a bit more discussion about this in a bug I submitted for the Mail::SPF perl library.)

Which is right? Doesn’t really matter, since Microsoft (Hotmail, MSN, and Windows Live Mail) is the only major mailbox provider who checks SenderID at all — and they interpret included SPF records. It’s possible that there’s a smaller site out there somewhere where they’d interpret the records differently, but we haven’t found it.

Prev Next

minute read

Popular stories