@yorkley  - Be careful what you wish for 😎

I reported a sky mobile issue in February that appears to be a mobile network issue that their mobile gurus seem unable to fathom.  They phone every couple of days (always a different person so I have to detail the issue from scratch and I have to try and remember all the diagnostic steps that I've taken). Their detailed call logs only seem to have a life of 48 hours so I'm forever making calls to replicate the issue for them to investigate.

Back to the DMAC / SPF issue (the original message delivery issue having apparently gone away):

I have now added a DMARC policy to my domain DNS record and have included an option to send me (what I believe will be) exception reports for SPF errors.  I'm now settling back to see what, if anything, transpires......

Incidentally, I tried sending these exception reports to my btinternet.com email address but this resulted in an 'external domain verification error'. The suggested fix didn't seem straightforward so I'm sending to an email address in my domain instead.

Well, I am pleased to report that (for me at least) the problem has gone away.  I have had no "message delivery failure" messages since Friday (30/4) and all emails are getting through to me and on my 123-reg hosted domain, at least as far as I can tell.

However, it is not adding an SPF record to my DNS that solved the problem.  I did try that on Thursday but it stopped ALL emails!  To be fair, I think that was my own incompetence because when I deleted the SPF record, the emails started to arrive again.  I imagine I made some error in the syntax, although I'm not sure what is was.  

The burning question now is - do I now need to insert an SPF record or is it wiser to let sleeping dogs lie?  After all, until all this blew up, I had never heard of an SPF record so was blissfully ignorant!

I have now discovered that 123.reg adding the SPF record has not solved the problem.

I am not getting the mailer-daemon error emails any more but I have just discovered that some emails are not getting through. Don't know how many I have missed but I know that some are not being received.

I will raise this with 123.reg but don't know what they can/will do about it. They have said that they cannot add DKIM or DMARC and I don't have the knowledge or expertise to do this. Looking at the various posts on this it definitely looks out of my abilities. 

Everything was working fine until about 21st April and so someone must have done something to cause the problem, BT? 

Hi Everyone,

We’ve looked into the sending traffic from the IP ranges associated with secureservers.net (the mail sending platform associated with Reg123), and we have noted a significant increase in traffic from this sending platform over the past month. This includes traffic with SPF (Sender Policy Framework) failing. This has tripped some of our throttles designed to protect customers (and the domain owners) from spoofing. This is likely to be the reason that more forwarded email and other email originated from this platform has been failing recently into btinternet.com.

Our advice remains the same: owners of email domains should ensure they have up to date and complete SPF records for their domains, this is best practice and ensures best chances for delivery to any recipient domains/email service providers, not just btinternet.com.

If you are unsure of how to set up an SPF record please follow the advice from Reg123 here, How do I add an SPF record to my domain name?.  If you still are unable to complete an SPF record successfully please contact REG123 for support.

Thanks 

Neil

Hello @NeilO , your advice is only partially helpful.

As I asked much earlier in this thread, for those of us who are sending email via BT we need advice on what BT elements to include in the SPF record to ensure that our outbound email is compliant.

The 123 Reg article relates to what needs to be included in a SPF record to ensure that 123 Reg is considered as a legitimate relay of email for our domains for the purposes of email inbound to BT for receipt by us.

We need the same from BT to cover the email we send.

Neil

123-reg told me that two weeks ago.

So my question is what is BT going to do to stop their customers from loosing emails?

Bob (still awaiting a call from anybody at BT about this issue a week later)

Ok, been doing a bit of testing. As previously stated, SPF records for incoming mail forwarded from 123reg servers need SPF information from 123reg.

Outgoing mail from own domain using BT's SMTP server doesn't appear to require any SPF information to be entered as it is automatically provided by the BT server. I have deleted the previously entered SPF record on my domain provider IONOS and checked that received mail sent from my domain passes SPF check.

@licquorice 

I don't believe that what you say is correct regarding outgoing email.  The SPF record comes from the DNS for the domain name, not from BTinternet. My understanding is that SPF verification is performed by a Message Delivery Agent (MDA) and compares the Message Submission Agent (MSA) and Message Transfer Agents (MTAs) with those specified in the SPF for my domain (refer https://en.wikipedia.org/wiki/Email_agent_(infrastructure)).  If I am correct - and I may not be - I am still unclear on which MTAs to specify as there must surely be many different ones depending on the destination.

I have applied SPF and DMARC records to my domain and, with considerable luck (and if I have configured correctly), I will receive some DMARC reports to help determine whether I have configured things correctly. Ideally, some mistakes will become apparent.  If they don't, I will have been incredibly lucky to get it right or I've failed to configure my DMARC policy correctly. 🙄

@graywallis 

If we assume for a moment that my understanding is correct, then DKIM validation is performed by the Mail Delivery Agent on the encypted DKIM message header added by the Message Submission Agent using the public Key available at the message originator's DNS record.  In the case of email forwarded from our domains at 123-reg, does BT perceive these to be from the original message sender or from our domains (or somehere else!).   Which public key is used  at BTInternet for decryption?  Is another encoded DKIM message added by 123-reg before forwarding?  My suspicion is that the problem may be in this area.