I use Forte Agent to send email, via Virgin's mail servers, with
replies forwarded via my own domain email address.

I have set up the Gmail app password, which has been working
fine, but am now getting bounce messages like this:

>Action: failed
>Final-Recipient: xxxxxxxxxxxxxxxx
>Status: 5.0.0
>Remote-MTA: dns; gmail-smtp-in.l.google.com
>Diagnostic-Code: smtp; 550-5.7.26 Your email has been blocked because the sender is unauthenticated.
> 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
> 550-5.7.26
> 550-5.7.26 Authentication results:
> 550-5.7.26 DKIM = did not pass
> 550-5.7.26 SPF [cdixon.me.uk] with ip: [84.116.50.34] = did not pass
> 550-5.7.26
> 550-5.7.26 For instructions on setting up authentication, go to
> 550 5.7.26 https://support.google.com/mail/answer/81126#authentication ffacd0b85a97d-37d4b989e98si2592841f8f.501 - gsmtp

The IP address varies in different messages, all allocated by
Virgin's mail server, and clearly not unique to me.

I have read the various pages of instructions, including one on
my host:
<https://www.heartinternet.uk/support/article/how-do-i-add-spf-records-to-my-site.html>

but find myself totally unable to understand exactly what to do.
It also seems like trial and error is not a good way to go, if I
correctly understand that updated entries can take up to 48 hours
to propagate.

If I send directly from Virgin's online mail page, there are no
issues.

Chris
--
Chris J Dixon Nottingham UK
chris@cdixon.me.uk @ChrisJDixon1

Plant amazing Acers.

Chris J Dixon wrote:

> but find myself totally unable to understand exactly what to do.
> It also seems like trial and error is not a good way to go, if I
> correctly understand that updated entries can take up to 48 hours
> to propagate.
I remember other heart customers having similar issue (no SPF at all, or
incorrect SPF) but can't remember if heart fixed it after a phone call,
or the customers fixed it by leaving heart!

In short what you need is that heart add an SPF record to the DNS for
your cdixon.me.uk domain containing

v=spf1 include:_spf.virginmedia.com ~all

which tells other email servers "when you're checking if I'm legit,
allow the servers that virgin nominate as valid" and "meh to anything
else", but not actually "block anything else".

If you use other email servers in addition to virgin's (e.g. your mobile
provider when away from home) then they need to be included too.

Chris J Dixon wrote:

> I have read the various pages of instructions, including one on
> my host:
I don't use heart or virgin, so you may want to xpost to
uk.tech.broadband in the hope you get replies from fellow customers who
have been there and got the T-shirt.

In comp.misc Chris J Dixon <chris@cdixon.me.uk> wrote:
> I use Forte Agent to send email, via Virgin's mail servers, with
> replies forwarded via my own domain email address.
>
> I have set up the Gmail app password, which has been working
> fine, but am now getting bounce messages like this:
>
[...]
> but find myself totally unable to understand exactly what to do.
> It also seems like trial and error is not a good way to go, if I
> correctly understand that updated entries can take up to 48 hours
> to propagate.
>
> If I send directly from Virgin's online mail page, there are no
> issues.

The short answer is that any time you send a message as
anything@yourdomain.com you need to send via the mail server run by the
people who host your domain. They can ensure that your domain has a
matching SPF record for their server.

The longer answer is that it is technically possible to add an SPF record to
your domain's DNS to indicate which server is a valid sender for
anything@yourdomain.com. In an ideal world you'd add virgin's server and
that would resolve the problem. However the IT of big companies is not
simple, and as a general rule we couldn't guarantee how Virgin are going to
route their email internally and where it will emerge. It is also liable to
change without warning. So in practice this is just going to store up
problems for the future.

It used to be that you'd send email via the SMTP server of the network your
were on (eg your ISP's server at home and your employer's at work), who had
a whitelist based on IP addresses (all ISP customers could use their
server). That doesn't work any more: if you have a domain the mail needs to
go via the hoster for the domain so that it emerges matching the domain's
SPF record. If you do use the 'wrong' server then it's highly likely the
messages will be rejected as spam, as you are seeing.

Theo

Theo wrote:

> as a general rule we couldn't guarantee how Virgin are going to
> route their email internally and where it will emerge. It is also liable to
> change without warning. So in practice this is just going to store up
> problems for the future.

Certainly don't try to construct your own list of virgin servers, use
the list they have constructed ... I have no idea how good virgin are at
keeping their own servers in their SPF lists, or referring to anyone
else's they outsource to, but right now _spf.virginmedia.com resolves to

"v=spf1 include:_mailcloud.virginmedia.com
include:_external.virginmedia.com include:_internal.virginmedia.com
include:_spf.fireeyecloud.com ~all"

which recursively resolves to

"v=spf1 ip4:212.54.59.64/26 ip4:212.54.57.64/26 ip4:212.54.57.64/26
ip4:84.116.6.0/23 ip4:84.116.50.0/23 ~all"

"v=spf1 ip4:78.33.8.111 ~all"

"v=spf1 ip4:193.38.82.91 ip4:193.38.82.92 ~all"

"v=spf1 ip4:34.223.9.0/24 ip4:34.223.11.128/25 ip4:34.223.12.0/25
ip4:38.27.116.128/27 ip4:165.254.91.16/28 ip4:38.27.116.96/27
ip4:165.254.91.96/27 ip4:149.13.95.32/27 ip4:154.57.155.16/28
ip4:100.25.99.0/25 ip4:100.24.127.128/25 ip4:3.122.63.0/24 ip4:52."
"215.218.128/25 ip4:63.34.31.0/25 ip4:63.34.218.0/24 ip4:3.123.5.0/24
ip4:34.223.36.0/24 ip4:3.93.93.0/24 ip4:3.112.99.0/24 ip4:3.112.100.0/24
ip4:3.97.207.0/24 ip4:3.97.208.0/24 -all"

Which does include the 84.116.50.34 address originally mentioned ...

Andy Burns wrote:

>Chris J Dixon wrote:
>
>> but find myself totally unable to understand exactly what to do.
>> It also seems like trial and error is not a good way to go, if I
>> correctly understand that updated entries can take up to 48 hours
>> to propagate.
>I remember other heart customers having similar issue (no SPF at all, or
>incorrect SPF) but can't remember if heart fixed it after a phone call,
>or the customers fixed it by leaving heart!
>
>In short what you need is that heart add an SPF record to the DNS for
>your cdixon.me.uk domain containing
>
>v=spf1 include:_spf.virginmedia.com ~all
>
>which tells other email servers "when you're checking if I'm legit,
>allow the servers that virgin nominate as valid" and "meh to anything
>else", but not actually "block anything else".

Thanks very much Andy, that seems to have done the trick.

Chris
--
Chris J Dixon Nottingham UK
chris@cdixon.me.uk @ChrisJDixon1

Plant amazing Acers.