Information for Mail Server Managers
The Tax Administration of the Netherlands continuously improves its systems so that it can send e-mail securely and combat phishing. Our goal is to give the recipient the greatest possible certainty that we are the real sender of the e-mail they receive from us.
SPF records
The SPF records (Sender Policy Framework) for the domains belastingdienst.nl and bdmuseum.nl contain fixed IP addresses and host names. We use various macros in the SPF records. These macros conform to RFC 7208; a more detailed explanation of the macros is given in section 7 of that RFC. The Tax Administration acts in accordance with the e-mail standards of the Standardisation Forum (Forum Standaardisatie).
Current SPF record
The current SPF record for the aforementioned domains is set up as follows:
v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.belastingdienst.nl -all
The SPF record contains 3 macros. These macros take the following data from the sending mail server:
- %{i}: The IP address of the SMTP server the e-mail was sent from.
- %{h}: The HELO/EHLO domain presented by the sending mail server.
- %{o}: The domain of the "MAIL FROM" address, or the "HELO" identity.
Tax Administration mail servers
We use the following mail servers to send e-mail:
| Hostname | IPv4 Address | IPv6 Address |
|---|---|---|
| smtp1.belastingdienst.nl | 85.159.97.15 | 2a04:9a01:1002:4::2/64 |
| smtp2.belastingdienst.nl | 85.159.101.15 | 2a04:9a01:1002:4::3/64 |
| smtp11.belastingdienst.nl | 85.159.100.246 | |
| smtp12.belastingdienst.nl | 85.159.97.246 | |
| mailer1.belastingdienst.nl | 85.159.96.4 | |
| mailer2.belastingdienst.nl | 85.159.100.4 | |
You can use this data if, for example, your mail server does not support SPF with macros. If SPF with macros is not supported, the SPF check will in many cases result in an SPF hardfail.
If you decide to use the data given above, we advise you to regularly check our website for updates. We also advise you to contact the supplier of your e-mail solution and request support for SPF with macros.
Changing receiving mail server settings
By improving the security of our sending mail servers, we make it increasingly difficult for malicious parties to send e-mail on behalf of the Tax Administration (spoofing). Unfortunately, these changes can also affect legitimate e-mail sent by the Tax Administration's mail servers: e-mails may be rejected by the recipient or end up in the spam folder. To prevent this, please make sure the sender verification settings of your receiving mail server are configured properly.
Error code 'NXDOMAIN': mail server unknown
The receiving mail server asks the Tax Administration's DNS server whether the sending mail server is permitted to send e-mail on behalf of the Tax Administration. The Tax Administration's DNS server then checks whether a name for that sending mail server exists in its zone. If it does not, the receiving mail server receives the error code 'NXDOMAIN' from the Tax Administration's DNS server. This answer means that the sending mail server is not allowed to send e-mail on behalf of the Tax Administration, and that you are most probably dealing with phishing mail or another security attack.
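To show how a receiving mail server turns the macro record above into a DNS query, and why an NXDOMAIN answer to that query is simply an SPF 'fail' for an unknown sender, here is an added Python example; it is not code from the Tax Administration. It expands the three macros (%{i}, %{h}, %{o}) as RFC 7208 describes, evaluates the record against a stand-in resolver, and also implements the static fallback check against the server table for receivers that cannot handle macros. The functions `expand_macros`, `evaluate_spf`, `static_fallback_check` and `mock_name_exists` are this example's own names, and the single entry in `KNOWN_NAMES` is a constructed sample, not an answer from the real `_spf.belastingdienst.nl` zone.

```python
"""Added example: RFC 7208 macro expansion and evaluation of the page's
macro-based SPF record, plus the static fallback from the page's server table.
Not the Tax Administration's code; the resolver below is a constructed stand-in."""
import ipaddress

# The published record (the page renders "-all" with a typographic dash; SPF uses "-all").
SPF_RECORD = "v=spf1 exists:_i.%{i}._h.%{h}._o.%{o}._spf.belastingdienst.nl -all"

# Hostnames and addresses copied from the page's table. The page lists the IPv6
# entries with a /64 suffix; the fallback compares the host address exactly.
PUBLISHED_SENDERS = [
    ("smtp1.belastingdienst.nl", "85.159.97.15", "2a04:9a01:1002:4::2/64"),
    ("smtp2.belastingdienst.nl", "85.159.101.15", "2a04:9a01:1002:4::3/64"),
    ("smtp11.belastingdienst.nl", "85.159.100.246", None),
    ("smtp12.belastingdienst.nl", "85.159.97.246", None),
    ("mailer1.belastingdienst.nl", "85.159.96.4", None),
    ("mailer2.belastingdienst.nl", "85.159.100.4", None),
]

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_i(ip: str) -> str:
    """%{i} per RFC 7208 section 7.3: dotted-decimal for IPv4; for IPv6 the
    32 hex nibbles of the address separated by dots."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_macros(template: str, ip: str, helo: str, mail_from: str) -> str:
    """Expand the three macros the record uses. %{h} is the HELO/EHLO identity;
    %{o} is the domain of the MAIL FROM address, or the HELO identity when
    MAIL FROM is empty (the null sender used for bounces)."""
    sender_domain = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    return (template.replace("%{i}", expand_i(ip))
                    .replace("%{h}", helo)
                    .replace("%{o}", sender_domain))


def evaluate_spf(record: str, ip: str, helo: str, mail_from: str, name_exists):
    """Minimal evaluator for records of the shape 'v=spf1 exists:... -all'.
    name_exists(name) answers True if the name has an A record and False on
    NXDOMAIN. Returns (result, queried_name)."""
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    queried = None
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.startswith("exists:"):
            queried = expand_macros(mech[len("exists:"):], ip, helo, mail_from)
            # NXDOMAIN here is not an error: the mechanism simply does not match
            # and evaluation continues to the next term (here: -all).
            if name_exists(queried):
                return RESULT_FOR_QUALIFIER[qualifier], queried
        elif mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier], queried
    return "neutral", queried


# Constructed stand-in for the _spf.belastingdienst.nl zone: only names in this
# set answer with an A record; everything else is NXDOMAIN. The real zone is
# served by the Tax Administration's DNS and is not reproduced here.
KNOWN_NAMES = {
    "_i.85.159.97.15._h.smtp1.belastingdienst.nl._o.belastingdienst.nl._spf.belastingdienst.nl",
}


def mock_name_exists(name: str) -> bool:
    return name.lower() in KNOWN_NAMES


def static_fallback_check(ip: str):
    """For receivers without macro support: match the connecting IP against the
    page's published list. Returns the matching hostname, or None."""
    addr = ipaddress.ip_address(ip)
    for host, v4, v6 in PUBLISHED_SENDERS:
        if addr == ipaddress.ip_address(v4):
            return host
        if v6 and addr == ipaddress.ip_interface(v6).ip:
            return host
    return None


if __name__ == "__main__":
    print(evaluate_spf(SPF_RECORD, "85.159.97.15", "smtp1.belastingdienst.nl",
                       "noreply@belastingdienst.nl", mock_name_exists))
    print(evaluate_spf(SPF_RECORD, "198.51.100.7", "mail.example.net",
                       "noreply@belastingdienst.nl", mock_name_exists))
    print(static_fallback_check("85.159.100.4"))
```

The evaluator treats a missing name (NXDOMAIN) as "mechanism does not match" rather than as a lookup error, which is why the record's trailing `-all` then yields a hardfail for any sender not present in the zone. A receiver that does not support macros never builds the query name at all and typically falls through to `-all` for every message, which is the hardfail the page warns about; the static fallback is the page's suggested workaround and needs to be kept in step with the published table.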
Issues with HELO/EHLO verification
The Tax Administration regularly observes that receiving mail servers have not configured their HELO/EHLO verification properly. Our legitimate sending mail servers then receive many 'SPF Fail' responses, which indicates a configuration issue on the receiving mail server.
Better verification of sending mail servers
The RFC standards require verification of received e-mail based on
- SPF or DKIM (Domain Keys Identified Mail), and
- DMARC (Domain-based Message Authentication, Reporting & Conformance)
These authentication checks improve e-mail reliability, security and deliverability. Make sure your receiving mail servers have the appropriate configuration. Using more than one verification method for sending mail servers increases the accuracy of e-mail classification.