SPF problem

My email server is mail.wbu.edu.  Whenever we try to send to a particular email domain we are getting undeliverables.  We are trying to send to moody.edu.  The error we are getting is below.

You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <mail.wbu.edu #5.7.1 smtp;550 5.7.1 <resnetcon@moody.edu>... HELO mail.wbu.edu from 216.63.140.23 SPF result Fail; >
marrj Asked:

Matthew Millers Commented:
The remote mail server is checking for SPF records in DNS for your domain. Basically SPF (sender protection framework) allows you to enter allowed mail servers for your domain within your external zone for your domain.

Is your external DNS being hosted by a third party? You may want to speak to them and have them add appropriate SPF records for your zone.
Here are some resources:

http://old.openspf.org/howworks.html
http://old.openspf.org/faq.html
http://old.openspf.org/dns.html
http://old.openspf.org/wizard.html
marrj Author Commented:
My external DNS is hosted by a server here, and SWBELL.net.   I've cut and pasted the zone file from SWBELL.net's DNS server for my domain.  This domain is the only one we are having a problem with.

; <<>> DiG 9.2.2-P3 <<>> @ns1.swbell.net wbu.edu AXFR
;; global options:  printcmd
wbu.edu.            86400      IN      SOA      ns1.swbell.net. postmaster.swbell.net. 2007121701 10800 900 604800 86400
wbu.edu.            172800      IN      NS      ns1.swbell.net.
wbu.edu.            172800      IN      NS      ns2.swbell.net.
wbu.edu.            86400      IN      A      216.63.140.120
wbu.edu.            86400      IN      TXT      "v=spf1" "a" "mx" "include:hotmail.com" "~all"
wbu.edu.            86400      IN      MX      10 mail.wbu.edu.
wbu.edu.            86400      IN      MX      20 wbusa.wbu.edu.
wbusa.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
wbusa.wbu.edu.            86400      IN      A      66.136.56.3
virtualcampus.wbu.edu.      86400      IN      A      216.63.140.67
lbk.wbu.edu.            86400      IN      A      216.63.140.90
smtpa.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
smtpa.wbu.edu.            86400      IN      A      216.63.140.23
smtpb.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
smtpb.wbu.edu.            86400      IN      A      216.63.140.26
academic.wbu.edu.      86400      IN      A      24.173.88.34
ns.wbu.edu.            86400      IN      A      216.63.140.124
mail.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
mail.wbu.edu.            86400      IN      A      216.63.140.70
library.wbu.edu.      86400      IN      A      216.63.140.60
info.wbu.edu.            86400      IN      A      66.136.56.5
satx.wbu.edu.            86400      IN      A      66.136.56.4
pop3.wbu.edu.            86400      IN      TXT      "v=spf1 a -all"
pop3.wbu.edu.            86400      IN      A      216.63.140.95
support.wbu.edu.      86400      IN      A      216.63.140.100
sa.wbu.edu.            86400      IN      A      66.136.56.2
www.sa.wbu.edu.            86400      IN      A      66.136.56.2
webmail.wbu.edu.      86400      IN      A      216.63.140.95
content.wbu.edu.      86400      IN      A      216.63.140.83
give.wbu.edu.            86400      IN      A      216.63.140.25
tms.wbu.edu.            86400      IN      A      216.63.140.54
ns2.wbu.edu.            86400      IN      A      216.63.140.125
pcr.wbu.edu.            86400      IN      A      216.63.140.49
students.wbu.edu.      86400      IN      A      66.136.56.8
email.wbu.edu.            86400      IN      CNAME      mail.live.com.
pfweb.wbu.edu.            86400      IN      A      216.63.140.100
sawbu.wbu.edu.            86400      IN      A      66.136.56.10
yellowstone.wbu.edu.      86400      IN      A      216.63.140.119
sife.wbu.edu.            86400      IN      A      216.63.140.60
iqweb.wbu.edu.            86400      IN      A      216.63.140.100
graphs.wbu.edu.            86400      IN      A      216.63.140.122
wbufilter.wbu.edu.      86400      IN      A      216.63.140.70
sacsreview.wbu.edu.      86400      IN      A      216.63.140.61
bookstore.wbu.edu.      86400      IN      CNAME      wayland.thecampushub.com.
meter.wbu.edu.            86400      IN      A      216.63.140.122
pcts.wbu.edu.            86400      IN      A      216.63.140.96
pcts.wbu.edu.            86400      IN      A      216.63.140.97
www.wbu.edu.            86400      IN      A      216.63.140.120
apply.wbu.edu.            86400      IN      A      216.63.140.68
wayland.wbu.edu.      86400      IN      TXT      "v-spf1 include:hotmail.com ~all"
wayland.wbu.edu.      86400      IN      MX      10 pamx1.hotmail.com.
wayland.wbu.edu.      86400      IN      A      65.54.247.8
plainview.wbu.edu.      86400      IN      A      216.63.140.1
ftp.wbu.edu.            86400      IN      A      216.63.140.2
wbu.edu.            86400      IN      SOA      ns1.swbell.net. postmaster.swbell.net. 2007121701 10800 900 604800 86400
;; Query time: 277 msec
;; SERVER: 151.164.1.1#53(ns1.swbell.net)
;; WHEN: Tue Dec 18 06:17:59 2007
;; XFR size: 56 records
Matthew Millers Commented:
It could possibly be that the record in DNS is
mail.wbu.edu.            86400      IN      A      216.63.140.70

But your mail server is being natted to  (can you confirm this?)
216.63.140.23

Is it possible for you to create an outbound NAT rule to force connections from your mail server to use a source IP matching the A record?


marrj Author Commented:
I don't think that is the problem.  mail.wbu.edu is our Exchange front end server, in the DMZ, with a static NAT translation to 216.63.140.70.

From what the error is, it does seem to be a problem with us?  They can send fine to wbu.edu.  Is it possible that we are blacklisted on moody.edu's side?  How about our email filter, we are using SurfControl.
Matthew Millers Commented:
I don't think the outbound NAT is working as you expect... can you do the following:

telnet smtp.moody.edu 25
helo mail.wbu.edu

It is very slow so it takes a while. What 250 response does it come back with?

The problem is this, the destination has some strict SPF checking, if the SPF check fails, then it appears they drop the message.
marrj Author Commented:
This is the result.
220 Moody ESMTP Bible Institute Mail Proxy 1.0
helo mail.wbu.edu
250 mailgw.moody.edu Hello pop3.wbu.edu [216.63.140.95], pleased to meet you
Matthew Millers Commented:
250 mailgw.moody.edu Hello pop3.wbu.edu [216.63.140.95], pleased to meet you
That is different from what you detailed above.
Can you have a look at my profile and send me an email please?
marrj Author Commented:
Email sent.  Let me know if you don't receive it.
Matthew Millers Commented:
Received: from unknown (HELO mail.wbu.edu) (216.63.140.23)
*** it appears that your mail.wbu.edu is not NATing properly (connected as 23 not 70)

Received-SPF: softfail (0: transitioning SPF record at spf-d.hotmail.com does not designate 216.63.140.23 as permitted sender)

I think the problem is with your SPF record in general...
You have a reference to hotmail.com which I don't think should be there.

Have a look at the wizard I listed above, and use that to generate a record, should be something like:
v=spf1 a mx ~all

Indicates version1 SPF
Default record in zone can email for domain
MX for domain can email for domain
~all - specifies that these are all the mail servers which can email for domain
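The two SPF results quoted in this thread (Fail on the HELO identity in the bounce, softfail in the Received-SPF header) can be reproduced offline from the zone data posted above. This is an added example, not code from any participant: `check_host` is a simplified evaluator covering only `a`, `mx`, `include` and `all`, and the `hotmail.com` record is a placeholder because its real content is not on the page.

```python
# Constructed from a subset of the AXFR output quoted in this thread.
TXT = {
    # The page shows five quoted strings; joined with spaces here (assumption).
    "wbu.edu": "v=spf1 a mx include:hotmail.com ~all",
    "mail.wbu.edu": "v=spf1 a -all",
    "smtpa.wbu.edu": "v=spf1 a -all",
    "wayland.wbu.edu": "v-spf1 include:hotmail.com ~all",  # as published
    # Placeholder: hotmail.com's real record is not shown on the page.
    "hotmail.com": "v=spf1 ~all",
}
A = {
    "wbu.edu": ["216.63.140.120"],
    "mail.wbu.edu": ["216.63.140.70"],
    "wbusa.wbu.edu": ["66.136.56.3"],
    "smtpa.wbu.edu": ["216.63.140.23"],
}
MX = {"wbu.edu": ["mail.wbu.edu", "wbusa.wbu.edu"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host: a, mx, include and all only."""
    record = TXT.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no TXT record with a valid SPF version tag
    if depth > 10:
        return "permerror"  # guard against include loops
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in A.get(target, [])
        elif mech == "mx":
            matched = any(ip in A.get(host, []) for host in MX.get(target, []))
        elif mech == "include":
            # include matches only when the nested evaluation returns pass
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this simplified subset
        if matched:
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term
```

Evaluating the connecting address 216.63.140.23 against `mail.wbu.edu` gives fail and against `wbu.edu` gives softfail, matching the bounce and the header; the `wayland.wbu.edu` record returns none because its version tag reads `v-spf1`.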
marrj Author Commented:
I think the hotmail reference is because we have Windows Live accounts, which are hosted by hotmail, with a domain wayland.wbu.edu, and they were having problems sending to those from wbu.edu.  Way before my time.

The setup, I think I told you incorrectly.  140.70 is our email filter, our Exchange Front end server is 140.95.  

I don't know why something resolved to 140.23.  I'm not sure why those are even accessible to the outside.

Kevin