Customers with custom email addresses that use Proofpoint in the SPF record will have it intermittently marked invalid

    • 2
    • Severity 3 - Minor

      Issue Summary

      Customers who use Proofpoint for SPF record validation will find that their SPF record is occasionally marked as invalid and will "rectify" itself after some time with no action from them, no configuration changes, and no Statuspage support actions.

      This has been identified as being a result of Proofpoint's behaviour, as detailed in https://www.proofpoint.com/sites/default/files/product-overview/pfpt-us-to-hosted-spf.pdf , where Proofpoint will receive a request to check the validity of an SPF record from an IP address and will return only that that particular IP address is valid, without including the text include:stspg-customer.com, despite it being defined in the DNS entry.

      Statuspage has scheduled jobs which verify that Statuspages with a custom email are including "include:stspg-customer.com" in their SPF record. As Statuspage is a prolific email sender, this job runs aggressively and notifies Customers if their SPF record is not correct, so that the email reputation for Statuspage remains in good standing.

      For customers who have included Proofpoint in their SPF and moved the include:stspg-customer.com to their Proofpoint configuration, Proofpoint will occasionally not return include:stspg-customer.com when the SPF record is queried, which will trigger our job to mark the SPF record as not containing the required field and alert Customers.

      Email notifications are still being sent with valid SPF records, as Proofpoint will provide an SPF record that will be valid for the email recipient servers to verify with.  

      Steps to Reproduce

      1. Configure a Statuspage with a Custom Email
      2. Configure the SPF record in DNS to use Proofpoint:
         "v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all"
      3. Configure Proofpoint to have this record include:stspg-customer.com

      Expected Results

      • Emails will be sent successfully from Statuspage.
      • Automated checks will confirm that the SPF record for the custom email address is valid for Statuspage to use.

      Actual Results

      • Emails will be sent successfully from Statuspage, but may come from notifications.statuspage.io instead of the custom email address.
      • The admin users of a Customer's Statuspage will receive emails that their SPF record failed validation, and the DNS page for their Statuspage will report an issue and display a banner.
      • Clicking Revalidate will temporarily remove this until the next automated check occurs.

      Workaround

      Customers can explicitly add include:stspg-customer.com into the top level of their SPF record before they include the Proofpoint configuration. So their SPF record would look like:

      "v=spf1 include:stspg-customer.com include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all"
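
The following is an added example, not code from Statuspage or Proofpoint. It applies a simplified literal check for the required term to the two records above, and expands the `%{ir}`, `%{v}` and `%{d}` macros per RFC 7208 to show which name a receiving server queries at Proofpoint. The sender IP and domain are constructed sample values, and the check is an assumption about what a top-level validation looks like.

```python
import ipaddress

REQUIRED = "include:stspg-customer.com"  # term named in the issue

def spf_terms(record):
    """Split an SPF TXT record into its terms, dropping the v=spf1 tag."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]

def has_top_level_include(record, required=REQUIRED):
    """Simplified check (an assumption): is the term in the record itself?"""
    return required in (t.lower().lstrip("+") for t in spf_terms(record))

def expand_macros(spec, sender_ip, domain):
    """Expand %{ir}, %{v} and %{d} as defined in RFC 7208 section 7."""
    addr = ipaddress.ip_address(sender_ip)
    if addr.version == 4:
        parts, v = str(addr).split("."), "in-addr"
    else:  # IPv6 is written as dot-separated nibbles
        parts, v = list(addr.exploded.replace(":", "")), "ip6"
    ir = ".".join(reversed(parts))
    return spec.replace("%{ir}", ir).replace("%{v}", v).replace("%{d}", domain)

def include_targets(record, sender_ip, domain):
    """Names a receiver queries for each include: term, macros expanded."""
    out = []
    for term in spf_terms(record):
        mech = term.lstrip("+-~?")  # drop an optional qualifier
        if mech.lower().startswith("include:"):
            out.append(expand_macros(mech[len("include:"):], sender_ip, domain))
    return out

# Records from the issue; the IP and domain below are constructed samples.
PROOFPOINT_ONLY = '"v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all"'
WORKAROUND = ('"v=spf1 include:stspg-customer.com '
              'include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all"')

if __name__ == "__main__":
    for name, rec in (("proofpoint-only", PROOFPOINT_ONLY),
                      ("workaround", WORKAROUND)):
        print(name, has_top_level_include(rec),
              include_targets(rec, "192.0.2.10", "example.com"))
```

With the workaround record the required term is found without depending on what the per-IP Proofpoint lookup returns.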

            Assignee:
            Unassigned
            Reporter:
            Scot Wilson
            Votes:
            4
            Watchers:
            5
