SPF problem

My email server is mail.wbu.edu.  Whenever we try to send to a particular email domain we are getting undeliverables.  We are trying to send to moody.edu.  The error we are getting is below.

You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <mail.wbu.edu #5.7.1 smtp;550 5.7.1 <resnetcon@moody.edu>... HELO mail.wbu.edu from SPF result Fail; >
Who is Participating?
Matthew MillersConnect With a Mentor Commented:
Received: from unknown (HELO mail.wbu.edu) (
*** it appears that your mail.wbu.edu is nat NATing properly (connected as 23 not 70)

Received-SPF: softfail (0: transitioning SPF record at spf-d.hotmail.com does not designate as permitted sender)

I think the problem is with your SPF record in general...
You have a reference to hotmail.com which i dont think should be there.

Have a look at the wizard i listed above, and use that to generate a record, should be something like:
v=spf1 a mx ~all

Indicates version1 SPF
Default record in zone can email for domain
MX for domain can email for domain
~all - specifies that these are all the mail servers which can email for domain
Matthew MillersCommented:
The remote mail server is checking for SPF records in DNS for you domain. Basically SPF (sender protection framework) allows you to enter allowed mail servers for your domain within your external zone for your domain.

Is your external DNS being hosted by a thirdparty? You may want to speak to them and have them add appropriate SPF records for your zone.
Here are some resources:

marrjAuthor Commented:
My external DNS is hosted by a server here, and SWBELL.net.   I've cut and pasted the zone file from SWBELL.net's DNS server for my domain.  This domain is the only one we are having a problem with.

; <<>> DiG 9.2.2-P3 <<>> @ns1.swbell.net wbu.edu AXFR ;; global options:  printcmd
wbu.edu.            86400      IN      SOA      ns1.swbell.net.
postmaster.swbell.net. 2007121701 10800 900 604800 86400
wbu.edu.            172800      IN      NS      ns1.swbell.net.
wbu.edu.            172800      IN      NS      ns2.swbell.net.
wbu.edu.            86400      IN      A
wbu.edu.            86400      IN      TXT      "v=spf1" "a" "mx"
"include:hotmail.com" "~all"
wbu.edu.            86400      IN      MX      10 mail.wbu.edu.
wbu.edu.            86400      IN      MX      20 wbusa.wbu.edu.
wbusa.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
wbusa.wbu.edu.            86400      IN      A
virtualcampus.wbu.edu.      86400      IN      A
lbk.wbu.edu.            86400      IN      A
smtpa.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
smtpa.wbu.edu.            86400      IN      A
smtpb.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
smtpb.wbu.edu.            86400      IN      A
academic.wbu.edu.      86400      IN      A
ns.wbu.edu.            86400      IN      A
mail.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
mail.wbu.edu.            86400      IN      A
library.wbu.edu.      86400      IN      A
info.wbu.edu.            86400      IN      A
satx.wbu.edu.            86400      IN      A
pop3.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
pop3.wbu.edu.            86400      IN      A
support.wbu.edu.      86400      IN      A
sa.wbu.edu.            86400      IN      A
www.sa.wbu.edu.            86400      IN      A
webmail.wbu.edu.      86400      IN      A
content.wbu.edu.      86400      IN      A
give.wbu.edu.            86400      IN      A
tms.wbu.edu.            86400      IN      A
ns2.wbu.edu.            86400      IN      A
pcr.wbu.edu.            86400      IN      A
students.wbu.edu.      86400      IN      A
email.wbu.edu.            86400      IN      CNAME      mail.live.com.
pfweb.wbu.edu.            86400      IN      A
sawbu.wbu.edu.            86400      IN      A
yellowstone.wbu.edu.      86400      IN      A
sife.wbu.edu.            86400      IN      A
iqweb.wbu.edu.            86400      IN      A
graphs.wbu.edu.            86400      IN      A
wbufilter.wbu.edu.      86400      IN      A
sacsreview.wbu.edu.      86400      IN      A
bookstore.wbu.edu.      86400      IN      CNAME
meter.wbu.edu.            86400      IN      A
pcts.wbu.edu.            86400      IN      A
pcts.wbu.edu.            86400      IN      A
www.wbu.edu.            86400      IN      A
apply.wbu.edu.            86400      IN      A
wayland.wbu.edu.      86400      IN      TXT      "v-spf1
include:hotmail.com ~all"
wayland.wbu.edu.      86400      IN      MX      10 pamx1.hotmail.com.
wayland.wbu.edu.      86400      IN      A
plainview.wbu.edu.      86400      IN      A
ftp.wbu.edu.            86400      IN      A
wbu.edu.            86400      IN      SOA      ns1.swbell.net.
postmaster.swbell.net. 2007121701 10800 900 604800 86400 ;; Query time: 277 msec ;; SERVER: ;; WHEN: Tue Dec 18 06:17:59 2007 ;; XFR size: 56 records
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Matthew MillersCommented:
It could possibly be that the records in DNS is
mail.wbu.edu.            86400      IN      A

But your mail server is being natted to  (can you confirm this?)

Is it possible for you to create a outbound NAT rule to force connections from your mail server to use a source IP matching the A record?

marrjAuthor Commented:
I don't think that is the problem.  mail.wbu.edu is our exchange front end server, in the DMZ, with a static NAT translation to  

From what the error is, it does seem to be a problem with us?  They can send fine to wbu.edu.  Is it possible that we are blacklisted on moody.edu's side?  How about our email filter, we are using SUrfcontrol.
Matthew MillersCommented:
I dont think the outbound NAT is working as you expect...can you do the following:

telnet smtp.moody.edu 25
helo mail.wbu.edu

It is very slow so it takes a while. What does 250 response does it come back with?

The problem is this, the destination have some strick SPF checking, if the SPF check fails, then it appears they drop the message.
marrjAuthor Commented:
This is the result.
220 Moody ESMTP Bible Institute Mail Proxy 1.0
helo mail.wbu.edu
250 mailgw.moody.edu Hello pop3.wbu.edu [], pleased to meet you
Matthew MillersCommented:
250 mailgw.moody.edu Hello pop3.wbu.edu [], pleased to meet you
That is different from what you detailed above.
Can you have a look at my profile and send me an email please?
marrjAuthor Commented:
Email sent.  Let me know if you don't receive it.
marrjAuthor Commented:
I think the hotmail reference is because we have Windows Live accounts, which are hosted by hotmail, with a domain wayland.wbu.edu, and they were having problems sending to those from wbu.edu.  Way before my time.

The setup, I think I told you incorrectly.  140.70 is our email filter, our Exchange Front end server is 140.95.  

I don't know why something resolved to 140.23.  I'm not sure why those are even accessible to the outside.

All Courses

From novice to tech pro — start learning today.