This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

I need to create an RBL exception for hubspot, but they suggest using a DNS which resolves to a TXT record. Can I whitelist based on a TXT DNS?

shared.hubspot.com resolves as:

 

v=spf1 include:shared1.hubspot.com ip4:52.5.15.199
ip4:52.55.8.97 ip4:54.174.52.224/30 ip4:54.174.52
.92/31 ip4:54.174.52.8/31 ip4:54.174.52.64/31 ip4:
54.174.52.84/31 ip4:54.174.52.88/31 ip4:54.174.52.
96/31 ip4:54.174.52.128/31 ip4:54.174.52.216/31 ip
4:54.174.52.220/31 ip4:54.174.52.172/31 ip4:54.174
.52.180/31 ip4:54.174.52.184/31 ip4:54.174.52.176/
31 ip4:54.174.52.132/31 ip4:52.203.58.221 ip4:52.5
4.88.164 -all

 

Is it possible to create an RBL exception for these sources using the DNS lookup?

 



This thread was automatically locked due to age.
Parents
  • So they are routinely blacklisted as spammers, but your organization wants to put your own reputation in their hands by using tem to send email on your behalf?  Not my recommendation.

    Rbl lists are implementrd using dns, so in theory you could creste an override in your dns system, and then point utm to that override.  I don't  think utm does txt records.   And if you make a mistake you might let in real spam.

    The problem with sender domain exceptions us that it applies to both the domain and any fraudulent mail asserting the same identity.   IP exceptions are safer.  On the other hand, you have to consider that an ip whitelist allows snything sent from those servers for any domain, and oerhaps some of that mail is more woorisome than mail falsely claiming to be from hotspot.com

  • Yes, not my recommendation either, but such is IT.    I've settled on BAlfson's recommendation of just an RBL exception for senders as *@*.shared.hubspot.com which will allow my marketing people who use the hubspot servers to at least receive emails when the random server they use for deliver is on an RBL.  I'm only keeping 30 days of logs, but I'm seeing 6% of the delivery attempts hubspot is making come up as dropped due to RBL in the last 30 days. 

    Why do cloud companies use tens or even hundreds of different IPs to deliver mail for single domains?

Reply
  • Yes, not my recommendation either, but such is IT.    I've settled on BAlfson's recommendation of just an RBL exception for senders as *@*.shared.hubspot.com which will allow my marketing people who use the hubspot servers to at least receive emails when the random server they use for deliver is on an RBL.  I'm only keeping 30 days of logs, but I'm seeing 6% of the delivery attempts hubspot is making come up as dropped due to RBL in the last 30 days. 

    Why do cloud companies use tens or even hundreds of different IPs to deliver mail for single domains?

Children
  • I bet that information might make hubspot change suppliers.  I bet their customers would not like knowing that 6% of the emails they pay for are blocked by blacklists.

    Jason, I don't think *@*.shared.hubspot.com will work with that second * in there.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Using many servers will distribute tbe workload geographically, providing resilience against network bottlenecks.

    Web search results say that they are a Customer Relationship Management system for inbound marketing.   So it is odd that they have a problem with outbound mail.  

    They may be getting into trouble by sending mail on their clients behalf without coordinating to ensure that the client SPF, DKIM, and DMARC policies permit them to do so.   This is an easy mistake to avoid and would be odd for a tech marketing company.  But I have seen it occur before with business partners that should have known better.

    It is also easy to monitor RBLs to see if you have been blacklisted.   If a particular client mail creates problems, they should be able to detect it quickly and fail over to a different server, and/or separate clients between servers.

    It is absolutely the sender's job to avoid blacklisting to ensure that their email goes through.   If a tech marketing company cannot do this, they have a big problem.