Sender ID and Sender Policy Framework: Implementation Required to Obtain Good Email Delivery at Hotmail and AOL


Note: If you are implementing SPF / Sender ID for the first time, you should also implement Yahoo! DomainKeys at the same time.

What are Sender ID and SPF?

Sender ID and Sender Policy Framework (SPF) are two related methods of email authentication that enable organizations to specify which mail servers are authorized to send email in their name. Originally developed to fight email address forgery and phishing, these standards have also been integrated into many anti-spam systems. Since 2003, SPF has become the most widely adopted email authentication standard, in use at AOL and many other domains. Sender ID is a variation of SPF developed by Microsoft, in use at Hotmail, msn.com, and other domains.

How do Sender ID and SPF work?

Both Sender ID and SPF utilize the DNS system to provide information about which servers are authorized to send email in a domain’s name. Email publishers add a TXT record to the DNS zone that identifies authorized mail servers. When an ISP receives email, it looks up the information associated with the domain sending the message. If the actual sending mail server is on a domain’s list of authorized mailers, the recipient system treats the email as legitimate. If the sending mail server is not on the authorized list, the recipient system treats the email as suspicious and subjects it to anti-spam filters, because it does not know if the mail can be trusted.

How do SPF records need to be set up for an organization using Convio?

The "From" address in email marketing sent from Convio will typically use an Internet domain owned by the Convio client in question. To pass a Sender ID check, SPF records which identify Convio as a legitimate source of email need to be published by each client in the DNS for each domain they use in "From" lines in email marketing.

Determining what the complete SPF policy should be for a domain is a matter for each organization's IT team; however, Convio offers the following guidance:

IF your organization operates its own office email server AND Convio is the only service that sends email on your organization's behalf, then the following SPF record will meet your needs:

v=spf1 +mx +include:outboundmail.convio.net ?all

An SPF-based spam filter will translate this as: "Servers specifically allowed to send mail are (i) our inbound mail server(s), and (ii) Convio's servers. For mail from any other source, treat it as if this SPF record was never published."

IF your organization uses multiple email service providers, then your SPF record will need to be expanded to identify additional authorized email servers. We recommend you adopt the following SPF policy: For every domain used in the "From" address of Convio emails, publish an SPF record which explicitly authorizes Convio's servers as legitimate email sources for that domain. To do this, include the following rule in your SPF records:

+include:outboundmail.convio.net

What domain(s) should we do this for?

You should do this for every domain used in "From" addresses of email sent from Convio, including subdomains.

Are there tools to help me put together an SPF policy record?

The website http://www.openspf.org/ has a wizard for creating SPF records, and lots of information about SPF.

What review steps should I take to verify my SPF record before publishing it?

It's strongly recommended that you syntax check your SPF record prior to publishing it, and verify that it covers both Convio and any other systems that send mail for your domain. Below are some links to SPF tools:

OpenSPF tools page
VAMsoft's SPF syntax validator

You can also open a ticket with Convio Support and ask us to review your draft SPF record.

How do I add the SPF records to my DNS?

An SPF record is published as the value of a TXT record type, whose name is the domain itself. SPF-checking email servers can differentiate it from other TXT records using the fact that it starts with an SPF version signature.

An example of the DNS syntax used in a zone file for the BIND (aka named) DNS server software would be:

@          86400 IN TXT "v=spf1 +mx +include:outboundmail.convio.net ?all"

Other DNS software uses different input formats - consult your vendor's documentation.

If an offsite vendor hosts your DNS for you (perhaps the company that provides your office internet access), it will typically have provided a web interface where you will need to input these DNS records.

How can I check that my SPF record correctly includes Convio after it is published?

Convio has provided a DNS checking tool which will check your domain's DNS setup for both SPF / Sender ID and Yahoo! DomainKeys and ensure it is configured to Convio's specification.

A note about Sender ID DNS record formats

The Sender ID standard specifies its own slightly different DNS record format, which confusingly begins with "spf2.0/pra" instead of "v=spf1". However, a "v=spf1" record will be used as a fallback to perform Sender ID checks if it is available. Thus, for most purposes there is no need to publish both; it is sufficient to use the original SPF format.

If you are already using both SPF v1 and Sender ID "spf2.0/pra" records, the Sender ID record will take precedence, but the rule authorizing Convio as a sender should be added to both.
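The review step and the record-precedence rule described above can be checked together before publishing. The following Python sketch is an added example, not a Convio tool: it picks the record a receiver would use for an SPF or a Sender ID check and reports whether the Convio rule is present. The TXT record sets are constructed samples for a hypothetical domain, and the function names are illustrative.

```python
import re

REQUIRED_INCLUDE = "outboundmail.convio.net"   # designator given on this page
TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:/](.*))?$")

def parse_terms(record):
    """Return (qualifier, mechanism, value) per mechanism; modifiers are skipped."""
    terms = []
    for raw in record.split()[1:]:             # first token is the version tag
        m = TERM.match(raw)
        if m:                                  # "name=value" modifiers do not match
            terms.append((m.group(1) or "+", m.group(2).lower(),
                          (m.group(3) or "").lower()))
    return terms

def select_record(txt_records, check):
    """Pick the record used for check == 'spf' or check == 'senderid'."""
    spf1, pra = [], []
    for txt in txt_records:
        parts = txt.split()
        tag = parts[0].lower() if parts else ""
        if tag == "v=spf1":
            spf1.append(txt)
        elif tag.startswith("spf2.0/") and "pra" in tag[7:].split(","):
            pra.append(txt)
    # A Sender ID record takes precedence; v=spf1 is only the fallback.
    chosen = pra if (check == "senderid" and pra) else spf1
    if len(chosen) > 1:
        raise ValueError("more than one record of the same version is published")
    return chosen[0] if chosen else None

def audit(txt_records, check):
    """Return a list of problems; an empty list means the Convio rule is in place."""
    record = select_record(txt_records, check)
    if record is None:
        return ["no SPF / Sender ID record published"]
    hits = [q for q, mech, val in parse_terms(record)
            if mech == "include" and val == REQUIRED_INCLUDE]
    if not hits:
        return ["missing include:" + REQUIRED_INCLUDE]
    if hits[0] != "+":
        return ["include does not use the + (pass) qualifier"]
    return []

# Constructed TXT record set: the Sender ID record was never updated for Convio.
BOTH_RECORDS = [
    "v=spf1 +mx +include:outboundmail.convio.net ?all",
    "spf2.0/pra +mx ?all",
    "unrelated-verification=abc123",
]
```

Run against `BOTH_RECORDS`, the SPF audit is clean while the Sender ID audit reports the missing include, which is the situation the paragraph above warns about.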

What happens if I don't implement Sender ID?

Email sent from Convio will always pass SPF tests, because Convio has properly published SPF records for domains we manage that cover all client email.

However, if your organization does not also add SPF records to your own DNS, your email will fail Sender ID tests and will often be treated as suspicious or untrustworthy. Recipient systems subject email that fails Sender ID to a variety of delivery barriers, ranging from complete rejection, to diversion to spam folders, to suppression of images or working hyperlinks. Some Microsoft mail clients flag mail that fails Sender ID as untrustworthy in their user interface.

Because of the critical importance of sender verification for good email delivery, the Convio product (both Email Campaigns and Quick Email) now has a built-in ability to monitor whether the domain names your organization uses comply with these standards. Our tool will remind you that you need to implement these standards every time you send an email job until your organization comes into compliance.

We have published DNS records for Sender ID, but the Convio product is still giving us a warning message about something called DomainKeys. What should we do?

DomainKeys is a separate email verification standard utilized by Yahoo!, and is necessary to ensure good email delivery to recipients using Yahoo as an ISP. Instructions to configure DomainKeys can be found here.

The Convio application will continuously test the domains you use to send email from our system for compliance with both DomainKeys and Sender ID. Since different ISPs use different standards, it is important that your organization implement both. Note that, unlike DomainKeys, failure to comply with Sender ID does not require the Convio software to make any changes to your email.

What about clients on the GetActive platform?

Clients on GetActive, who will be migrating to Convio, are advised to configure their DNS to designate both Convio and GetActive as authorized email service providers at this time, thus avoiding the need to do anything at the time of migration. To do so, include both the GetActive and the Convio designators in your SPF / Sender ID record, like this:

+include:_spf.getactive.com +include:outboundmail.convio.net

GetActive clients are also advised to configure their DNS for Convio's Yahoo! DomainKeys signature which will be applied automatically to their email once they migrate.

Why does Sender ID matter to organizations doing email marketing?

Please see the Email Sender Verification Overview to learn why this is important to your organization.

What is the difference between Sender ID and SPF?

SPF is based on verifying the "Return-Path" header from an email, often called the "envelope sender". Users of email do not normally see this address. Sender ID performs similar checks, but (generally) uses the "From" address of an email that is displayed to users. To understand the difference, consider how these two methods treat email sent from Convio. Recipient systems using SPF will check the envelope from address, which is always a Convio.net address, and therefore look up the DNS record for Convio.net to see if the mail is authorized. Recipients using Sender ID will check the message from address, which is usually a client-provided email address. So Sender ID will look up the DNS record of the sending organization to see if Convio mail servers are authorized to send in its name. Thus, Sender ID is a more useful standard to ensure that email sent from Convio is trusted.
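To make the difference concrete, this added Python example (not part of the original page or of any Convio software) shows which domain each check looks up for one message. The message and its addresses are constructed, and the Sender ID selection is a simplified form of the Purported Responsible Address rule from RFC 4407 that ignores its ordering conditions for Resent- headers.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: envelope sender at convio.net, client address in From.
RAW = """Return-Path: <bounce-0001@convio.net>
From: Example Charity <news@example.org>
To: supporter@example.com
Subject: Spring appeal

Hello
"""

def domain_of(header_value):
    """Extract the lower-cased domain of the address in a header, or None."""
    addr = parseaddr(header_value or "")[1]
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower() or None

def spf_domain(msg):
    """SPF checks the envelope sender, which receivers record in Return-Path."""
    return domain_of(msg["Return-Path"])

def sender_id_domain(msg):
    """Sender ID checks the first non-empty header in this order (simplified PRA)."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        domain = domain_of(msg[name])
        if domain:
            return domain
    return None

def lookup_domains(raw_message):
    """Return the DNS zone each check consults for the given raw message."""
    msg = message_from_string(raw_message)
    return {"spf": spf_domain(msg), "sender_id": sender_id_domain(msg)}

if __name__ == "__main__":
    print(lookup_domains(RAW))
```

The Sender ID result is the domain whose DNS zone needs the Convio include; if a message carries a Sender header, that header's domain is checked instead of From, which is why the text says "generally".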
