Information for Mail Server Managers

The Tax and Customs Administration of the Netherlands is continuously improving its systems so that it can send e-mails securely and combat phishing. Our goal is to give recipients the greatest possible certainty that we are the real sender of the e-mails they receive from us.

Update 6 November 2018: changes to SPF records

On 6 November 2018, the Tax and Customs Administration changed the SPF (Sender Policy Framework) records of the domains belastingdienst.nl, bdmuseum.nl and oswo.nl. The SPF records for these domains used to contain static IP addresses and hostnames. The current SPF records use various macros. These macros comply with RFC 7208. For further explanation of the use of macros, please read section 7 of the RFC. By making these changes, the Tax and Customs Administration follows the e-mail standards of the Dutch Standardisation Forum.

The current SPF records for the aforementioned domains are set up as follows:

v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.belastingdienst.nl -all

The SPF record contains 3 macros. These macros request the following data from the sending mail server:

%{i}: The IP address of the SMTP server the e-mail was sent from.
%{h}: The HELO/EHLO name of the domain the e-mail originates from.
%{o}: The "MAIL FROM" domain or field or the "HELO" identity.

Changing receiving mail server settings

By improving the security of our sending mail servers, it will become increasingly difficult for malicious parties to send e-mails on behalf of the Tax and Customs Administration (spoofing). Unfortunately, these changes can also affect legitimate e-mails sent by the Tax and Customs Administration’s mail servers. E-mails may be rejected by the recipient’s mail server or end up in the recipient’s spam folder. To prevent this, please make sure that the sender verification settings of the receiving mail server are configured properly.

Error code (“NXDOMAIN”): mail server unknown

The receiving mail server asks the Tax and Customs Administration’s DNS server whether the sending mail server is permitted to send e-mails on behalf of the Tax and Customs Administration. The DNS server then checks whether the sending mail server exists in its records. If this is not the case, the receiving mail server receives the error code (“NXDOMAIN”) from the Tax and Customs Administration’s DNS server. This response means that the sending mail server is not allowed to send e-mail on behalf of the Tax and Customs Administration and that you are most probably dealing with a phishing e-mail or another security attack.

Issues with HELO/EHLO verification

The Tax and Customs Administration regularly notes that receiving mail servers have not set up their HELO/EHLO verification properly. As a result, legitimate sending mail servers receive many ‘SPF Fail’ messages. This indicates configuration issues on the receiving mail server.
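The lookup described in the SPF record and NXDOMAIN sections above, written out as an added Python example (not code from the Tax and Customs Administration): the receiver expands the macros, queries the resulting name, and treats any A record as a match and NXDOMAIN as falling through to -all. The IP address, HELO name, sender address and zone entry are constructed sample values, and only untransformed macros are handled; because %{h} is part of the queried name, a receiver that fills in a different HELO name queries a different name.

```python
import ipaddress
import re

# Record as published on the page.
SPF_RECORD = "v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.belastingdienst.nl -all"
MACRO = re.compile(r"%\{([A-Za-z])\}|%([%_-])")


def expand(domain_spec, ip, helo, mail_from):
    """Expand RFC 7208 section 7 macros (no digits, 'r', delimiters or URL escaping)."""
    addr = ipaddress.ip_address(ip)
    # %{i}: dotted quad for IPv4, dot-separated hex nibbles for IPv6.
    i_val = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    # With an empty MAIL FROM (bounces), the sender is postmaster@<HELO name>.
    sender = mail_from if "@" in mail_from else "postmaster@" + helo
    local, _, dom = sender.rpartition("@")
    values = {"i": i_val, "h": helo, "o": dom, "s": sender, "l": local}
    literals = {"%": "%", "_": " ", "-": "%20"}
    return MACRO.sub(
        lambda m: values[m.group(1).lower()] if m.group(1) else literals[m.group(2)],
        domain_spec)


def check_spf(record, ip, helo, mail_from, lookup_a):
    """Evaluate a record of exists: mechanisms and a final all.

    lookup_a(name) returns a list of A records, empty on NXDOMAIN.
    """
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech.lower() == "all":
            return results[qualifier]
        if mech.lower().startswith("exists:"):
            name = expand(mech[len("exists:"):], ip, helo, mail_from)
            if lookup_a(name):  # any A record at all means the mechanism matches
                return results[qualifier]
    return "neutral"


# Constructed zone data: documentation IP address and made-up HELO name.
ZONE = {
    "_i.192.0.2.25._h.mx1.example.net._o.belastingdienst.nl._spf.belastingdienst.nl": ["127.0.0.2"],
}


def resolve(name):
    """Stand-in resolver over the constructed zone; an empty list models NXDOMAIN."""
    return ZONE.get(name.lower(), [])
```

In a real receiver, `resolve` is replaced by an actual DNS A-record query; the rest of the evaluation stays the same.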

Better verification of sending mail servers

The RFC standards require verification of received e-mail based on
• SPF or DKIM (Domain Keys Identified Mail), and
• DMARC (Domain-based Message Authentication, Reporting & Conformance).

These authentication checks improve e-mail reliability, security and deliverability. Make sure your receiving mail servers are configured appropriately. Using more than one verification method for sending mail servers will increase e-mail classification accuracy.
