About 6 weeks ago I moved one of my email domains from a self-hosted server to Google Apps for Your Domain (né GMail for Your Domain). I think now it's just called Google Apps, but what's in a name anyways? I'm using the Standard (free) edition, but the instructions are the same for all versions.
My domain is configured with a catch-all, so any email sent to *@mydomain.tld ends up in my inbox. Aside from scripts that send spam to a thousand names at my domain, the other big problem is sender forging. If a spammer sets their reply-to address to alsdjflk@mydomain.tld and sends out a pile of messages, I end up with the bounces for those.
One way of combating this is to use an SPF record. Put simply, an SPF record tells servers (that are looking for it) "here is a list of servers that can send email using this domain." It's very effective, but for some reason RIM hasn't seen fit to publish their SMTP servers. Google does, and the information can be found in the Google Apps help section.
Finding RIM's SMTP Servers
After a few Google searches and checking the headers of a dozen or so emails I have a fairly good-sized list of RIM-owned netblocks. Some employee desktops might be included in this, but it's a start.
- 193.109.81.0 - 193.109.81.255
- 204.92.70.0 - 204.92.70.255
- 206.51.26.0 - 206.51.26.255
- 206.53.144.0 - 206.53.159.255
- 216.9.240.0 - 216.9.255.255
- 213.161.84.32 - 213.161.84.63
- 67.69.150.144 - 67.69.150.159
That's a lot of IP addresses, but I've only found mail in the US coming from 206.51.26.0-206.51.26.255 and 216.9.240.0-216.9.255.255. Users in Europe or Asia (see Derek Tom's comment) will want to try the range 193.109.81.0-193.109.81.255.
Using those IP addresses our SPF record will look like this:
mydomain.tld. IN TXT "v=spf1 ip4:216.9.240.0/20 ip4:206.51.26.0/24 include:aspmx.googlemail.com ~all"
Breaking that down:
- v=spf1 – This identifies the TXT record as an SPF string.
- ip4:206.51.26.0/24 – Every host in the range 206.51.26.0-206.51.26.255 is allowed to send mail from mydomain.tld.
- ip4:216.9.240.0/20 – Every host in the range 216.9.240.0-216.9.255.255 is allowed to send mail from mydomain.tld.
- include:aspmx.googlemail.com – Any server allowed to send mail from aspmx.googlemail.com is also allowed to send mail from mydomain.tld.
- ~all – SPF queries that do not match any other mechanism will return "softfail".
Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny.
Testing and Deployment
The Sender Policy Framework site has a wizard that will help you generate an SPF record for your domain, and Scott Kitterman has tools available to validate your newly published SPF record. If you've got anything resembling a Linux box available you can also use dig.
$ dig txt mydomain.tld

; <<>> DiG 9.4.1-P1 <<>> txt mydomain.tld
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14302
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.tld. IN TXT

;; ANSWER SECTION:
mydomain.tld. 1788 IN TXT "v=spf1 ip4:216.9.248.0/20 ip4:216.9.240.0/0 include:aspmx.googlemail.com ~all"
Notice the number after your domain in the answer section – this is the remaining TTL for the record, and tells you how much time you have before the cached copy expires. If you control your DNS and make frequent changes to your zone file you may want to set it to something lower like 1800 or 3600. Dynamic DNS servers usually keep the TTL set to 60 seconds.
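To make the record breakdown and the dig check above concrete, here is an added example (not code from the original post) that evaluates the ip4, include and all mechanisms against a sending IP, with DNS answered from an in-memory table built from records quoted on this page. It also lints for over-broad ip4 prefixes, because the dig answer above contains ip4:216.9.240.0/0, and a /0 prefix matches every IPv4 address. The aspmx.googlemail.com entry is a constructed placeholder, not Google's real record.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. mydomain.tld and the
# srs.bis.na.blackberry.com record are the ones quoted on this page; the
# aspmx.googlemail.com entry is a placeholder (TEST-NET-1), not Google's record.
TXT = {
    "mydomain.tld": "v=spf1 ip4:216.9.240.0/20 ip4:206.51.26.0/24 "
                    "include:srs.bis.na.blackberry.com include:aspmx.googlemail.com ~all",
    "srs.bis.na.blackberry.com": "v=spf1 ip4:206.51.26.0/24 ip4:193.109.81.0/24 "
                                 "ip4:204.187.87.0/24 ip4:216.9.240.0/20 ip4:206.53.144.0/20 -all",
    "aspmx.googlemail.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, depth=0):
    """Evaluate ip4/include/all mechanisms for sender `ip` under `domain`."""
    if depth > 10:            # RFC 7208 bounds DNS-querying terms; stop runaway includes
        return "permerror"
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"         # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"            # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIER[qual]
        if name == "ip4" and addr.version == 4:
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
        elif name == "include":
            # include: matches only when the included record itself yields "pass"
            if check_host(ip, arg, txt, depth + 1) == "pass":
                return QUALIFIER[qual]
    return "neutral"          # no mechanism matched and no "all" term present

def overly_broad_ip4(record, max_hosts=2 ** 16):
    """Return ip4 mechanisms that authorize more than max_hosts addresses."""
    broad = []
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")
        if body.startswith("ip4:"):
            net = ipaddress.ip_network(body[4:], strict=False)
            if net.num_addresses > max_hosts:
                broad.append(term)
    return broad
```

Running overly_broad_ip4 over a freshly published record before lowering the TTL expires catches a stray /0 or /8 while it can still be fixed cheaply.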
August 27th, 2007 at 9:02 am
This is very useful. I did set up SPF for my domain but did not realize that I need to include RIM's SMTP servers in the list. Thanks for this.
One question: what happens when you are roaming internationally? e.g., if I carry my blackberry to, say, Europe – I roam internationally (without any charge – unless I make a call) but do my mails still go out from a US SMTP server?
August 27th, 2007 at 9:21 am
I am reading through the SPF syntax and it seems that instead of hardcoding IP addresses registered with RIM – we can also use the PTR syntax. This is inefficient as it causes a larger number of DNS queries but is probably a more fool-proof way.
so, I suggest to use something like:
v=spf1 include:aspmx.googlemail.com ptr:blackberry.com ~all
(I have brought googlemail as the first check and blackberry as second assuming that more mails are sent from google than from blackberry and this order of checks will cause lesser strain on mx servers)
August 27th, 2007 at 11:58 am
Re: international roaming, I'm not sure what happens. I assume that data goes through the BIS your current carrier is using, and if you're in Europe you'll use one of the European servers. I've only been out of the country once with my BB and since it's Verizon I was roaming on Vodafone, and there was no data coverage in the parts of Peru I went to.
I'll see if I can get an official answer from RIM and post an update here.
RIM uses SRS so in theory you don't need to add their SMTP servers to your SPF record, but I'm not going to trust that a remote server will be SRS-aware and not penalize or drop my message because I didn't list a SMTP server in my SPF record.
Related RIM KB Articles:
KB12718 – What are SPF and SRS?
KB13874 – Email messages are being rejected by the return path
September 11th, 2007 at 9:03 pm
So I've been troubleshooting a client's BlackBerry Desktop Redirector. The only reason we're using the redirector is so that he can receive his local Exchange mail on his BlackBerry when he's out of the office; we do not want the server to receive ANY other internet mail, so I need to allow SMTP connections from BlackBerry only. I googled around on the internets for a while until I came upon this page. I entered the IP ranges I found here into the default Virtual SMTP Server's accepted list, and lo and behold: it didn't work. So I thought to myself: SELF – why don't you check the logs! Avast! I found the address RIM is using! 204.187.87.60 It turns out it's nowhere on this list. An ARIN search for Research in Motion doesn't turn it up either. I'm thinking RIM is outsourcing or co-locating the server. Maybe that's why it has been down a couple times in the last 6 months or so?
A whois of that address reveals that Kitchener-Waterloo Municipal Area Network owns the full Class C.
NetRange: 204.187.87.0 – 204.187.87.255
CIDR: 204.187.87.0/24
What's peculiar is that it is registered to Andy Toy – andy@toy.com – Toy.com seems to be a bogus site.. who knows..
September 16th, 2007 at 9:22 pm
Very odd. It is using RIM's nameservers, and the IP address resolves to MTPRelay11.na.blackberry.net. They could've been snapping up netblocks and expanding after the outage a few months ago, that's more inside information than I'd have.
September 19th, 2007 at 9:35 am
I've just installed a SPF record for our domain and I was worried about our CEO's and COO's Blackberry devices.
Fortunately it seems a non-issue since the email sent via the BlackBerry devices here in Germany has an envelope sender like this:
<bb-username>@mobileemail.vodafone.de (as shown in the MTA-added "Return-Path:" -header)
while the email headers contain a nice
"From: <username>@ourdomain"
Thus the SPF record is at most checked for the "mobileemail.vodafone.de" domain, am I right?
September 20th, 2007 at 3:45 am
Seems, I was almost right.
Some (insert your favourite curse names here) will use spf1 records and interpret them as "spf2.0/mfrom,pra" while they should at most be interpreted as "spf2.0/mfrom" records. It's not entirely their fault since the Sender ID specification is plain wrong in that point.
According to openspf.org the addition of an empty pra record ("… TXT spf2.0/pra") should avoid that, but at least one testing service out there ignored an empty "spf2.0/pra" record and only accepted it when changed to "spf2.0/pra ?all".
January 21st, 2008 at 8:21 pm
Corey — great update! I came across this looking to update an older entry of mine so I'm just linking here instead :)
January 27th, 2008 at 6:59 pm
Corey, thanks for this. I just noticed… shouldn't 206.51.26.0 – 206.51.26.255 be written as 206.51.26.0/24 in CIDR format? Any updates to RIM's outbound SMTP IP ranges? I'm in Hong Kong and checking the email headers from one of our BIS users in Aug 2007, the email was sent from 216.9.247.48 which falls within the range you listed (216.9.240.0/20). I'll have our BIS users in Singapore and mainland China send me some new test emails so I can check the IPs currently used. I'll report back any changes. Most of our 30+ BlackBerry users are using BES (via a hosted Exchange provider) but we still have a few BIS users in Singapore and China. Thanks again!
January 31st, 2008 at 4:12 pm
@Jay: Thanks!
@Derek Tom: Good catch, I've corrected the 206.51.26.0/24 record and added a note about the other markets that 216.9.240.0/20 might cover. I tried to gather some of the addresses that were listed as overseas RIM netblocks, but I'm not positive that I have them all, so any you have to add would be appreciated. Unsurprisingly I wasn't able to get much from RIM.
February 15th, 2008 at 12:04 pm
Jumping in here… Been trying to come up with an SPF that I can have full confidence in for my BIS users.
I agree with Corey's comment earlier that SRS theoretically makes listing Rim's servers unnecessary, but that assumes correct implementation on all receiving servers, so I am hesitant to trust this.
I had this idea, wondering what you all think:
—————————————
include:srs.bis.na.blackberry.com
—————————————
Presently, the SPF record for srs.bis.na.blackberry.com is as follows:
v=spf1 ip4:206.51.26.0/24 ip4:193.109.81.0/24 ip4:204.187.87.0/24 ip4:216.9.240.0/20 ip4:206.53.144.0/20 -all
Presumably, since this SPF is published by Rim, the netblocks will always be up to date.
Also, re international roaming, I just took a guess and pulled the SPF for "srs.bis.eu.blackberry". Note the "eu" for Europe, rather than "na" for North America. The net blocks are the same. To be sure, multiple Rim SPFs could be listed to cover the global regions (srs.bis.??.blackberry).
Opinions?
May 3rd, 2008 at 2:27 pm
A commenter over on my post found the BIS IP block:
http://fudge.org/2006/12/29/spf-records-for-blackberry-internet-service/#comment-56116
May 3rd, 2008 at 5:38 pm
That is a real find, thanks for posting it here Jay!
February 4th, 2009 at 8:55 am
Great find. I found this while trying to figure out why emails from a blackberry that sends as user@domain.com would not get through to some clients, but others would be fine. Those clients were checking SPF and our does not have this. Thanks again!
February 10th, 2009 at 11:06 am
After reading about SPF in multiple places including reading through the syntax at openspf.org, it seems like Gerald's suggestion in an earlier comment of using
include:srs.bis.na.blackberry.com is the best solution as it includes the IP addresses mentioned in the article here plus has the potential of keeping my SPF record accurate if RIM makes a change. (Of course, some might need to consider srs.bis.eu.blackberry.com too.) However, as I searched the web for suggestions on dealing with BIS users, I found many references to using ip4 directives with the IP addresses but very few suggesting using that include.
Am I missing something? Is there some reason to not use the include instead of listing the RIM IPs?
February 18th, 2009 at 12:19 am
@Bill as long as RIM doesn't pull their SPF record you should be fine. At the time this was written they hadn't published a SPF record.
June 1st, 2009 at 12:41 pm
I am no telecommunications expert however I must manage the mail server of my small company. I am having a serious identity forging problem, today I received +100 messages of this kind, without considering the usual SPAM.
I am using Google Apps for my email service, all my MX records are set up correctly, however I have not included a SPF policy of any kind.
Our sales staff uses a lot of BlackBerry devices for receiving as well as sending email on a daily basis. I am having my doubts whether including the SPF policy will block any mail sent through the BB devices.
I have found the following SPF policy on Google Apps support site:
v=spf1 include:aspmx.googlemail.com ~all
The question is, will this policy block emails sent through the BBs? Do I need to include something like include:srs.bis.na.blackberry.com to make it work?
By the way I am located in Ecuador South America.
Thank you for your help
February 24th, 2010 at 3:38 pm
Thank you! We've been using Google Apps for Education for a while and a few of my users just started Blackberries (even though they are not "officially" supported) and they were having trouble sending email. I'm not using SPF but I am using allowed sender ranges in Postini and this was the source of the problem. Once I added the RIM ranges to the allowed sender range in Postini, my Blackberry users could once again send email.
Thank you, thank you, thank you.
March 4th, 2010 at 2:51 am
This is great info but don't forget you still need to include Google or Postini's mail servers in the SPF statement otherwise your mail could be blocked when sending from the web.
I use postini so my SPF statement is:
v=spf1 ip4:207.126.144.0/20 ip4:64.18.0.0/20 ip4:74.125.148.0/22 ip4:216.9.240.0/20 ip4:206.51.26.0/24 include:_spf.google.com ~all