Copy link to clipboard
Copied
How do I report to Adobe Forums administrator(s) that their email service's public DNS SPF record(s) are broken and returning Hard Fail? SPF (Sender Protection Framework) "Hard Fail" is an indicator that the sender is not authorized to send email on behalf of the Adobe forums. This is a "false positive" Hard Fail indicator for the last 3 emails I recently received from Adobe.
This issue needs to be fixed by the Adobe.com's public DNS administrator(s) to enable reliable delivery of forum emails. While this is not fixed, properly configured email servers will either reject the emails or give them high SPAM scoring or quarantine the emails since they are probably being sent by impersonators.
Below is the detailed log showing the cause of the SPF Hard Failure.
Mon 2016-11-28 11:33:35: Accepting SMTP connection from [204.93.64.116 : 53584] on port 25
Mon 2016-11-28 11:33:35: Sender is not a local domain mail server
Mon 2016-11-28 11:33:35: Performing PTR lookup (116.64.93.204.IN-ADDR.ARPA)
Mon 2016-11-28 11:33:35: * D=116.64.93.204.IN-ADDR.ARPA TTL=(1439) PTR=[mail0.phx1.jivehosted.com]
Mon 2016-11-28 11:33:35: * Gathering A records...
Mon 2016-11-28 11:33:35: * D=mail0.phx1.jivehosted.com TTL=(1439) A=[204.93.64.116]
...
Mon 2016-11-28 11:33:36: -- Executing: SPF --
Mon 2016-11-28 11:33:36: Performing SPF lookup (adobe.com / 204.93.64.116)
Mon 2016-11-28 11:33:36: * Policy: v=spf1 include:spf.mandrillapp.com include:spf.protection.outlook.com include:spf-a.rnmk.com include:_spf.salesforce.com Ip4:209.46.39.252 Ip4:23.23.191.130 Ip4:54.81.114.235 Ip4:54.164.100.187 Ip4:31.25.81.11 Ip4:12.130.57.15 include:spf1.adobe.com -all
Mon 2016-11-28 11:33:36: * Evaluating include:spf.mandrillapp.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 ip4:198.2.128.0/24 ip4:198.2.132.0/22 ip4:198.2.136.0/23 ip4:198.2.186.0/23 ip4:205.201.131.128/25 ip4:205.201.134.128/25 ip4:205.201.136.0/23 ip4:205.201.139.0/24 ip4:198.2.180.0/24 ip4:198.2.179.0/24 ip4:198.2.178.0/24 ip4:198.2.177.0/24 ~all
Mon 2016-11-28 11:33:36: * Evaluating ip4:198.2.128.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:198.2.132.0/22: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:198.2.136.0/23: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:198.2.186.0/23: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:205.201.131.128/25: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:205.201.134.128/25: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:205.201.136.0/23: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:205.201.139.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:198.2.180.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:198.2.179.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:198.2.178.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:198.2.177.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ~all: match
Mon 2016-11-28 11:33:36: * Evaluating include:spf.mandrillapp.com: no match
Mon 2016-11-28 11:33:36: * Evaluating include:spf.protection.outlook.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 ip4:207.46.101.128/26 ip4:207.46.100.0/24 ip4:207.46.163.0/24 ip4:65.55.169.0/24 ip4:157.56.110.0/23 ip4:157.55.234.0/24 ip4:213.199.154.0/24 ip4:213.199.180.0/24 include:spfa.protection.outlook.com -all
Mon 2016-11-28 11:33:36: * Evaluating ip4:207.46.101.128/26: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:207.46.100.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:207.46.163.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:65.55.169.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:157.56.110.0/23: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:157.55.234.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:213.199.154.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:213.199.180.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating include:spfa.protection.outlook.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 ip4:157.56.112.0/24 ip4:207.46.51.64/26 ip4:157.55.158.0/23 ip4:64.4.22.64/26 ip4:40.92.0.0/14 ip4:40.107.0.0/17 ip4:40.107.128.0/18 ip4:134.170.140.0/24 include:spfb.protection.outlook.com -all
Mon 2016-11-28 11:33:36: * Evaluating ip4:157.56.112.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:207.46.51.64/26: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:157.55.158.0/23: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:64.4.22.64/26: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:40.92.0.0/14: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:40.107.0.0/17: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:40.107.128.0/18: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:134.170.140.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating include:spfb.protection.outlook.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23 ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21 ip4:23.103.208.0/21 ip4:23.103.191.0/24 ip4:216.32.180.0/23 ip4:94.245.120.64/26 -all
Mon 2016-11-28 11:33:36: * Evaluating ip6:2a01:111:f400::/48: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:23.103.128.0/19: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:23.103.198.0/23: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:65.55.88.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:104.47.0.0/17: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:23.103.200.0/21: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:23.103.208.0/21: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:23.103.191.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:216.32.180.0/23: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:94.245.120.64/26: no match
Mon 2016-11-28 11:33:36: * Evaluating -all: match
Mon 2016-11-28 11:33:36: * Evaluating include:spfb.protection.outlook.com: no match
Mon 2016-11-28 11:33:36: * Evaluating -all: match
Mon 2016-11-28 11:33:36: * Evaluating include:spfa.protection.outlook.com: no match
Mon 2016-11-28 11:33:36: * Evaluating -all: match
Mon 2016-11-28 11:33:36: * Evaluating include:spf.protection.outlook.com: no match
Mon 2016-11-28 11:33:36: * Evaluating include:spf-a.rnmk.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 ip4:74.117.200.0/21 ip4:160.34.0.0/16 ip4:208.72.88.0/21 ip4:129.152.0.0/17 ip4:199.167.173.0/24 ip4:205.223.80.0/20 ip4:129.91.5.0/24 ip4:141.145.85.0/24 ip4:216.136.229.0/24 ip6:2405:ba00:8804::/48 ip6:2405:ba00:8800::/48 ~all
Mon 2016-11-28 11:33:36: * Evaluating ip4:74.117.200.0/21: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:160.34.0.0/16: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:208.72.88.0/21: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:129.152.0.0/17: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:199.167.173.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:205.223.80.0/20: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:129.91.5.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:141.145.85.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:216.136.229.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip6:2405:ba00:8804::/48: no match
Mon 2016-11-28 11:33:36: * Evaluating ip6:2405:ba00:8800::/48: no match
Mon 2016-11-28 11:33:36: * Evaluating ~all: match
Mon 2016-11-28 11:33:36: * Evaluating include:spf-a.rnmk.com: no match
Mon 2016-11-28 11:33:36: * Evaluating include:_spf.salesforce.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 include:_mtablock1.salesforce.com ip4:136.146.208.16/28 ip4:136.146.210.16/28 ip4:136.147.62.192/26 ip4:136.147.46.192/26 ip4:85.222.130.192/26 ip4:85.222.138.192/26 ip4:101.53.164.192/26 ~all
Mon 2016-11-28 11:33:36: * Evaluating include:_mtablock1.salesforce.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 ip4:96.43.144.64/28 ip4:96.43.147.64/28 ip4:96.43.148.64/28 ip4:96.43.151.64/28 ip4:96.43.152.64/27 ip4:96.43.153.64/27 ip4:182.50.78.64/28 ip4:204.14.232.64/28 ip4:204.14.234.64/28 ip4:204.14.238.0/27 ip4:136.146.128.64/27 ~all
Mon 2016-11-28 11:33:36: * Evaluating ip4:96.43.144.64/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:96.43.147.64/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:96.43.148.64/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:96.43.151.64/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:96.43.152.64/27: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:96.43.153.64/27: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:182.50.78.64/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:204.14.232.64/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:204.14.234.64/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:204.14.238.0/27: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:136.146.128.64/27: no match
Mon 2016-11-28 11:33:36: * Evaluating ~all: match
Mon 2016-11-28 11:33:36: * Evaluating include:_mtablock1.salesforce.com: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:136.146.208.16/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:136.146.210.16/28: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:136.147.62.192/26: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:136.147.46.192/26: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:85.222.130.192/26: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:85.222.138.192/26: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:101.53.164.192/26: no match
Mon 2016-11-28 11:33:36: * Evaluating ~all: match
Mon 2016-11-28 11:33:36: * Evaluating include:_spf.salesforce.com: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:209.46.39.252: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:23.23.191.130: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.81.114.235: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.164.100.187: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:31.25.81.11: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:12.130.57.15: no match
Mon 2016-11-28 11:33:36: * Evaluating include:spf1.adobe.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 Ip4:54.69.117.153 Ip4:54.235.115.132 Ip4:192.147.130.29 Ip4:185.34.189.4 Ip4:31.25.81.134 Ip4:23.23.118.10 Ip4:54.243.104.204 Ip4:67.192.139.34 Ip4:67.192.157.83 Ip4:208.91.172.30 Ip4:8.18.102.200 include:spf2.adobe.com -all
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.69.117.153: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.235.115.132: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:192.147.130.29: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:185.34.189.4: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:31.25.81.134: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:23.23.118.10: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.243.104.204: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:67.192.139.34: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:67.192.157.83: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:208.91.172.30: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:8.18.102.200: no match
Mon 2016-11-28 11:33:36: * Evaluating include:spf2.adobe.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 Ip4:174.143.100.191 Ip4:208.117.49.186 Ip4:216.104.216.133 ip4:81.21.145.0/24 ip4:208.79.250.0/24 ip4:208.82.174.0/24 ip4:66.235.128.0/19 Ip4:63.140.44.0/22 Ip4:192.243.224.0/19 Ip4:66.117.17.0/24 Ip4:66.117.16.0/20 include:spf3.adobe.com -all
Mon 2016-11-28 11:33:36: * Evaluating Ip4:174.143.100.191: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:208.117.49.186: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:216.104.216.133: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:81.21.145.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:208.79.250.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:208.82.174.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating ip4:66.235.128.0/19: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:63.140.44.0/22: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:192.243.224.0/19: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:66.117.17.0/24: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:66.117.16.0/20: no match
Mon 2016-11-28 11:33:36: * Evaluating include:spf3.adobe.com: performing lookup
Mon 2016-11-28 11:33:36: * Policy: v=spf1 Ip4:54.240.14.29 IP4:54.240.14.30 Ip4:54.149.189.174 Ip4:192.147.128.46 Ip4:174.129.221.39 Ip4:54.240.27.170 Ip4:54.240.27.171 Ip4:54.198.175.53 Ip4:52.198.245.161 Ip4:192.147.128.70 Ip4:192.147.128.106 Ip4:52.211.5.119 Ip4:52.212.249.89 -all
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.240.14.29: no match
Mon 2016-11-28 11:33:36: * Evaluating IP4:54.240.14.30: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.149.189.174: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:192.147.128.46: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:174.129.221.39: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.240.27.170: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.240.27.171: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:54.198.175.53: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:52.198.245.161: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:192.147.128.70: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:192.147.128.106: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:52.211.5.119: no match
Mon 2016-11-28 11:33:36: * Evaluating Ip4:52.212.249.89: no match
Mon 2016-11-28 11:33:36: * Evaluating -all: match
Mon 2016-11-28 11:33:36: * Evaluating include:spf3.adobe.com: no match
Mon 2016-11-28 11:33:36: * Evaluating -all: match
Mon 2016-11-28 11:33:36: * Evaluating include:spf2.adobe.com: no match
Mon 2016-11-28 11:33:36: * Evaluating -all: match
Mon 2016-11-28 11:33:36: * Evaluating include:spf1.adobe.com: no match
Mon 2016-11-28 11:33:36: * Evaluating -all: match
Mon 2016-11-28 11:33:36: * Result: fail
The problem was raised internally back when Adobe first started using Jive. It was not acted upon.
Copy link to clipboard
Copied
[Question moved to the Forum comments forum]
Copy link to clipboard
Copied
To fix this problem ADOBE.COM's DNS administrator needs to add "include:jivehosted.com" to the adobe.com (or spf1.adobe.com, etc.) public DNS TXT record that starts with "v=spf1"
This is a problem that needs to be fixed by Adobe.com. This problem cannot be fixed by Adobe customers like myself. My question to this forum should probably be "How Do I Report This Problem to the ADOBE.COM DNS Administrator(s)?" Most websites have "feedback" features that enable people to submit problem reports like broken links and misconfigured DNS. Maybe I just haven't looked hard enough for that feature?
Explanation:
Email claiming to be from @adobe.com is being relayed by: D=mail0.phx1.jivehosted.com TTL=(1439) A=[204.93.64.116]
Is [204.93.64.116] authorized to send email on behalf of @adobe.com? The answer is NO! Adobe.com's DNS administrator has configured Adobe.com's public DNS to Hard Fail any servers not included in Adobe.com's SPF (Sender Protection Framework).
In a world where cyber security is taken seriously, properly configured email servers should simply REJECT or Administratively Quarantine the Hard Fail emails because they are impersonating being from domains that the senders are unauthorized to send email for.
It is also really bad practice to instruct email recipients to add "@adobe.com" to their "White List". This defeats the "Sender Protection" because white listing the domain or even specific email addresses that would accept All email from the white listings including malicious imposters.
In this case, where adobe.com emails are being relayed through a third party email service, that email service needs to be included in adobe.com's SPF record in the public DNS. Adobe is already doing this with mandrillapp.com, protection.outlook.com, salesforce.com, etc. Adobe simply needs to also include jivehosted.com in its SPF.
For example: "v=spf1 include:spf.mandrillapp.com include:spf.protection.outlook.com include:spf-a.rnmk.com include:jivehosted.com include:_spf.salesforce.com Ip4:209.46.39.252 Ip4:23.23.191.130 Ip4:54.81.114.235 Ip4:54.164.100.187 Ip4:31.25.81.11 Ip4:12.130.57.15 include:spf1.adobe.com -all"
We can examine the SPF configuration using Windows nslookup or similar utility in Linux. In the examination below, we see the [204.93.64.116] sender of the Adobe forum's emails in the jivehosted.com SPF record. If we examined the entire SPF "tree" for adobe.com (by examining spf1.adobe.com, spf2.adobe.com, spf3.adobe.com, spf.mandrillapp.com, etc), we would Not find [204.93.64.116] in Adobe's SPF. One reason for the "tree" or reference chain is the length of the TXT record that stores SPF data is limited, so multiple TXT records are "included" together.
C:\temp> nslookup
> server google-public-dns-a.google.com
Default Server: google-public-dns-a.google.com
Addresses: 2001:4860:4860::8888
8.8.8.8
> set type=TXT
> adobe.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
adobe.com text =
"v=spf1 include:spf.mandrillapp.com include:spf.protection.outlook.com include:spf-a.rnmk.com include:_spf.salesforce.com Ip4:209.46.39.252 Ip4:23.23.191.130 Ip4:54.81.114.235 Ip4:54.164.100.187 Ip4:31.25.81.11 Ip4:12.130.57.15 include:spf1.adobe.com -all"
...
> jivehosted.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
jivehosted.com text =
"v=spf1 ip4:204.93.64.116 ip4:204.93.64.117 ip4:204.93.80.116 ip4:204.93.80.117 ip4:204.93.95.57 ip4:192.250.208.112 ip4:192.250.208.113 include:sendgrid.net -all"
>
Copy link to clipboard
Copied
The problem was raised internally back when Adobe first started using Jive. It was not acted upon.