Valid SPF

At the moment the following spf is set for the domain which is sending email from exchange server.

v=spf1 mx a:mail.firstdomain.co.uk -all

What is wrong with this spf ? as when I send email i get SPF fail

Is mail.firstdomain.co.uk your exchange server ?

Nothing is wrong with it if mail.firstdomain.co.uk resolves back to the right IP address, or if MX contains the right IP address. Does it?

Chris

I guess that's a silly question really, because obviously you think it is :) I would double check the IP address used as outbound for the SMTP server though.

Perhaps send a mail to spf-test@openspf.org and see if that agrees with the rejection assessment. It'll return an NDR with the result of the test (whether you pass or fail).

Chris

mail.firstdomain.co.uk  is our exchange server and the IP also has the right PTR pointing back to mail.firstdomain.co.uk

firstdomain.co.uk has a valid mx record pointing to the right IP address.

Then I advise popping it into the spf-test mailbox and seeing what it responds with. There's nothing wrong with your SPF record if all the IP addresses are valid. I believe it responds with the IP address it saw connecting as well.

Chris

Your message did not reach some or all of the intended recipients.

      Subject:      test
      Sent:      12/17/2008 3:44 PM

The following recipient(s) could not be reached:

      spf-test@openspf.org on 12/17/2008 3:44 PM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <mail.firstdomain.co.uk #5.7.1 smtp;550 5.7.1 <spf-test@openspf.org>: Recipient address rejected: SPF Tests: Mail-From Result="pass": Mail From="administrator@firstdomain.co.uk" HELO name="mail.firstdomain.co.uk" HELO Result="none" Remote IP="210.XX.YY.ZZ">

You can always use the wizard (available at http://www.openspf.org/) to create your spf records. There shouldn't be any error with such generated records.

They agree your SPF record is fine as well. Does it fail when sending to a specific recipient / server?

Chris

Could it be that the problem is at the remote site?
I've already seen the following situation:
Recipent has Mailserver A and backup mailserver B and employs SPF check.
A sender with valid SPF somehow fails to reach A and correctly sends to B instead.
B accepts because of valid SPF.
B tries to forward to A, but that fails because A's SPF check reveals that B is not an allowed sender for the senders domain.

The solution would be that A should not perfrom SPF checks for mails coming in via B.

@ chris: yes specific users,

I have another aol account, I tried to send a couples of email but didn't get it even i didn't get any bounceback or so.


When I send email from my own domain (pop3 account) from remote location, they get catch by gfi as SPF fails unless I put my own domain in whitelist but I dont wanna do that.

e.g: when I send from user@myfirstdomain.co.uk to anotheruser@myfirstdomain.co.uk (from pop3) it get caught by GFI as SPF fails

@ thehagman

as I have explain above I tried to aol but not sure whats happening.

> ... AOL ...

Are extremely difficult to troubleshoot, if you're having problems with the SPF change -all to ~all, or even +all for a while and take a look at the headers on messages that were previously failing.

Bear in mind that AOL take ages to update DNS changes so don't expect anything like immediate results. I'd allow anything up to two weeks for them which makes them a poor platform to test against.

> When I send email from my own domain (pop3 account) from remote location

What does it use as the SMTP server in that instance? Because if that SMTP server doesn't have permission to send as your address in the SPF it will reject the message.

Chris

Check here
http://www.squish.net/dnscheck/
if the TXT record for firstdomain.co.uk is ok (no different versions somehow available)
same for what's used in the record, i.e.
MX of firstdomain.co.uk
and
A of mail.firstdomain.co.uk

Has any of the entries been changed recently?

@ thehaqman

I checked the link and it's OK in all the boxes.

I have GFI installed and the SPF is set to low, when I send email from remote locate using one of my own domain account through pop3, it is blocked as the spf failed.

user1@myfirstdomain.co.uk ---->via pop3----> send email to---->user2@myfirstdomain.co.uk

Here is the header:

-------------------------------------------------------------------------
Microsoft Mail Internet Headers Version 2.0

Received: from mail pickup service by mail.firstdomain.co.uk with Microsoft SMTPSVC;

             Mon, 22 Dec 2008 14:16:58 +0000

x-endofinjectedxheaders:2812

Thread-Topic: user2@firstdomain.co.uk - Sender is forged (SPF Fail) - test15

X-GFIME-MASPAM: SPAM

Received: from remotepc ([182.RE.MO.TE]) by mail.firstdomain.co.uk with Microsoft SMTPSVC(6.0.3790.3959); Mon, 22 Dec 2008 14:16:57 +0000

From: "user1" <user1@firstdomain.co.uk>

To: <user2@firstdomain.co.uk>

Subject: user2@firstdomain.co.uk - Sender is forged (SPF Fail) - test15

Date: Mon, 22 Dec 2008 14:19:00 -0000

Message-ID: <063275E7A72A4844B81236BFD13797AB@domain.org>

MIME-Version: 1.0

Content-Type: multipart/alternative;

            boundary="----=_NextPart_000_0014_01C96440.3C485E30"

X-Mailer: Microsoft Office Outlook 11

thread-index: AclkQDt7xLsSp/6PdSiIstbHNhJ9GA==

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325

Return-Path: <user1@firstdomain.co.uk>

X-OriginalArrivalTime: 22 Dec 2008 14:16:57.0663 (UTC) FILETIME=[F2D76CF0:01C9643F]

 

------=_NextPart_000_0014_01C96440.3C485E30

Content-Type: text/plain;

            charset="us-ascii"

Also my spf has changed to ~all from -all

There's no such thing as sending using POP3, doesn't happen. You can receive using POP3, but you must send using an SMTP server. This is important here because it looks to be the reason for failure during SMTP transport.

1. Either the SMTP server the client is using is attempting to delivery the mail as inbound and cannot because that SMTP server fails SPF. That is, it uses smtp.somedomain.co.uk for the Outgoing mail server.

e.g.

SMTP Client (Outlook / Outlook Express) -> Third SMTP Server -> mail.firstdomain.co.uk

Here Third SMTP Server must pass the SPF check, if it fails the mail will be rejected.

2. Or the client is being checked while trying to deliver directly to mail.firstdomain.co.uk. In which case the check fails because it's not listed as a valid sending system. That is, it uses mail.firstdomain.co.uk as the Outgoing mail server.

e.g.

SMTP Client (Outlook / Outlook Express) -> mail.firstdomain.co.uk

Here the SMTP Client must pass the SPF check, if it fails the mail will be rejected.

This occurs because there is no practical difference between a server submitting a message and a client submitting a message. To all intents and purposes they appear to be the same.

Chris

sorry chris, my bad, I think I didn't explain well what I mean. Basically I mean that I'm not in exchange mode I'm have setup a pop3 account for same domain and trying to send email to another user in same domain and I'm sure I'm using SMTP to send emails.


user1@firstdomain.co.uk---->SMTP----->user2@user1@firstdomain.co.uk

and when I disable Sender Policy Framework (SPF) checks in GFI, then it's fine.

Which SMTP Server are you using above? mail.firstdomain.co.uk?

Sorry, I think I'm just not quite explaining it properly. It requires a bit of a perspective shift this one.

SMTP Client and SMTP Server are loose terms. They describe, without any further thought, the roles of two systems having a conversation using SMTP. For instance, Exchange can act as both an SMTP Client (when it's sending mail) and an SMTP Server (when it's receiving). Outlook can act as an SMTP Client (when it's sending mail / delivering mail).

When we consider SPF we have to note that the SMTP Client, the system trying to submit a message, must pass the SPF rule if the rule is enforced. Considering the above, that the SMTP Client role is available to anyone, we should be able to see that any direct connection to mail.firstdomain.co.uk will be tested.

Effectively it sounds like you're using one of these scenarios (---SMTP---> is just a connection, not another server):

IP: 1.2.3.4                        IP: 1.2.3.5
MyOutlook   ---SMTP--->   MySMTPServer   ---SMTP--->   mail.firstdomain.co.uk
SPF Result: FAIL - IP 1.2.3.5 is not listed in SPF for sending as @firstdomain.co.uk

IP: 1.2.3.4
MyOutlook   ---SMTP--->   mail.firstdomain.co.uk
SPF Result: FAIL - IP 1.2.3.4 (even though it's the end user) is not listed in SPF for sending as @firstdomain.co.uk

That means you need a mechanism to bypass the SPF check when you're using a client from a remote site. The options would seem to be:

1. Create a VPN connection, connect directly to Exchange from Outlook.
2. Add a rule to GFI (if possible) to allow authenticated senders to send as @firstdomain.co.uk regardless of the SPF check.
3. Add another SMTP Server, either relay directly to Exchange or add it to the SPF record. Allow clients to relay (ideally using authentication).

Chris

this is getting more complicated for me as I can't create VPN for every user as they can connect from anywhere, with dynamic IP, I thought pop3/smtp would be easier.

I only want to [pop3/smtp] account to [receive/send] email using my exchange server.  

I do have the option for authenticated users  to relay through exchange server, there is no such option in gfi though.


I have another server with different domains but same settings, and users don't have such problem from remote location/IP.


sorry if I'm wrong here.

Are they actually connecting to your Exchange server as the SMTP server though? Or are they connecting to GFI?

If they connect to Exchange and authenticate there you'll be fine. However, if they connect to GFI they'll have to pass the SPF check.

Chris

GFI is installed on Exchange server so they only connect to one server.

that's the problem, once a user is authenticated successfully they should be able send email to different user in same domain, but here it's blocking by GFI as SPF fails, even I have the valid SPF if you check it above.

I know :) It's the valid SPF that's causing the problem because it's checking mail you don't want it to check.

Do the other systems you mentioned run GFI as well?

Chris

A picture is worth a thousand words ;-)

http://i41.tinypic.com/fu04zp.gif

In this case GFI is busily testing your POP3/SMTP client for SPF validity whenever you try and send. Damn silly thing to do because it really doesn't help much.

We need it to get around the GFI thing because that's where we're dying. But that runs on the same server?

Does the Default Virtual SMTP Server in Exchange still run on there?

/me never used GFI despite having a copy kicking around somewhere.

Chris

Yes GFI is installed on same Server

I'm wondering if you can make another Virtual SMTP Server in Exchange and use that. I see that GFI integrates quite heavily with the current server so it's probably a lost cause trying to get through that one unless it has an explicit option for remote users.

What to try the second SMTP server?

Chris

What should have been "want". Makes more sense that way..

Chris

at the moment GFI is binded with the default Virtual smtp server, If I make another one do I have to bind GFI with the new one?

Also will it bring any down time to the emails?

It would be nice if you didn't bind the new one to GFI if it's optional :)

We either need to make the new SMTP server using a new IP address (it will need a new Public IP as well), or a different (non-standard) port. I suspect non-standard port is easier for you?

Chris

Oh and it shouldn't incur any downtime if we do it right :)

Chris

Try this websites to accomplish your goals

1) create spf record using

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

2) add spf record to your dns

(here are guidelines on wesbite http://help.campaignmonitor.com/topic.aspx?t=128 )