Trouble with email / SPF record.

My company runs their own Exchange server in-house and we also utilize Postini for our email filtering.  We host our external DNS with an outside vendor, easydns.  We recently launched a new website which is being hosted at an offsite location.  When users go to this site they are able to fill out online forms and then click a submit button to have them sent to internal email accounts within my organization.  I have created 4 different groups in AD, then I added the users to those groups who should receive the messages from the online forms.  Then I sent a few emails from outside with my personal account to these groups and each user received the test.

When this outside webhost clicks on the submit button of these forms, it generates a message to be sent to the same group email address as I tested.  However, the difference here is that they are sent with the To and From addresses both containing valid email addresses from within my organization.  The thought here is that they will need an SPF record added to their DNS to allow the webhost's email server to send to my email server while using a To and From address on the email that matches a valid email address in my company.

I have created one SPF record, actually a TXT record, as easy DNS will not allow you to create an SPF record; they make you create a TXT record as the SPF record.  I added the info provided to me from my webhost, but there is nothing in there for Postini as I'm not sure if it's needed or what it should be.

Does anyone have any suggestions?

First, note that SPF records are really just TXT records. That is how SPF is implemented. DNS itself knows nothing about SPF - email systems are written to check for TXT records in DNS that include properly formatted SPF information. So there's nothing unusual about easyDNS in that regard (I'm not personally familiar with easyDNS but from what you said, it's normal).

The whole point of SPF is that you publish a list of servers that are authorized to send email on behalf of your domain. This is useful for external people that you send mail to. If you route your outbound mail through Postini, their IP address ranges should be listed in your SPF record. If you don't route your outbound mail through Postini, the IP addresses of your own outbound servers should be in the SPF record. You can call Postini Support to get the IP ranges they use for you (this information is also on their support website - note that the IP range might vary depending on which Postini system you are on, so make sure you get the right stuff and just call them if you aren't sure).

Anytime you have an external service sending email on behalf of your domain, its IP addresses should also generally be added to the SPF record. In this particular case, though, it sounds like the external web service is only sending email to your own email system? If that's true, that's fine and you don't need to worry about adding the IPs of that external service to SPF because no one outside of your org will receive email from those IPs.

I recommend you use the very useful SPF setup wizard at to determine your SPF record.
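Added example (not part of the original answers or any poster's code): a small offline evaluator showing how a receiving mail system applies the `ip4`/`ip6`/`all` terms of an SPF TXT value to the connecting IP. The helper name `check_spf` is hypothetical, and the sample record uses constructed documentation addresses, not the poster's.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "ptr", "include", "exists"}  # not resolvable offline


def check_spf(txt_value, sender_ip):
    """Evaluate the ip4/ip6/all terms of one SPF TXT value for sender_ip.

    Returns (result, notes). Terms that need further DNS lookups are skipped
    and listed in notes, so a real receiver may reach a different result.
    """
    ip = ipaddress.ip_address(sender_ip)
    # The quotes seen in zone files delimit the string; they are not part of it.
    terms = txt_value.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", ["not an SPF record: value must start with v=spf1"]
    notes = []
    for raw in terms[1:]:
        qualifier, term = ("+", raw) if raw[0] not in QUALIFIERS else (raw[0], raw[1:])
        if "=" in term:  # modifier such as redirect= or exp=
            notes.append(f"modifier {term} not evaluated")
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", notes + [f"bad or empty network in {raw}"]
            if net.version != int(name[2]):
                return "permerror", notes + [f"address family mismatch in {raw}"]
            if ip in net:
                return QUALIFIERS[qualifier], notes
        elif name == "all":
            return QUALIFIERS[qualifier], notes
        elif name.split("/")[0] in NEEDS_DNS:
            notes.append(f"{raw} needs DNS lookups, skipped")
        else:
            return "permerror", notes + [f"unknown mechanism {raw}"]
    return "neutral", notes  # nothing matched and no 'all' term


# Constructed record using documentation address ranges, not the poster's.
SAMPLE = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 a ptr ~all"
if __name__ == "__main__":
    for sender in ("198.51.100.77", "203.0.113.5"):
        print(sender, check_spf(SAMPLE, sender))
```

A sender outside every listed range falls through to the final `~all` and gets `softfail`; a term such as `ip4:` with no address makes the whole record a `permerror`.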
QBRadAuthor Commented:
Ok, on easy DNS I added the following info:

in the text box labeled host:

in the text box labeled text record: v=spf1 ip4:74.9.XXX.XXX ip4: ip4:66.228.XXX.XXX/32 a ptr ~all

I am still unable to get any email generated from these forms off my website.

Also, should I enter ( or (IN TXT) or ( " " ) anywhere in the text record listed above?  I am not 100% sure of the syntax to be used.

Is there a specific error? Do you know where the message flow is breaking down? It may also be helpful to know what SMTP server is doing the sending on behalf of the web form.

I assume that the from: address needs to remain an internal email address...

You may be able to add an exception in the Postini control panel to allow messages sent from the web server IP and/or the internal email address to bypass SenderID.  If your SPF record appears to be functional everywhere other than sending from the web server then an exception may be the simplest solution.

Best regards-

The format of your SPF record looks correct.

However, I'm not convinced that is your problem. As I understand it, this external web site is supposed to be sending email messages to addresses at your domain but you aren't receiving them. Right? You don't own the external web site so you can't look at their logs to see what's happening and your MX points at Postini so you can't personally see that either. I think you're assuming that SPF is the issue but it could be any number of things.

Reading through everything again, you mentioned that you've set both the From and the To to addresses in your domain. Postini is much more likely to block an email like that than they are to block an email from an IP that isn't in the SPF record. Spammers will frequently send mail to you from your same domain thinking the recipients will trust the mail since it appears to come from an internal domain.

I would start by whitelisting the external web site so that Postini will accept their mail regardless. The way to do this is to ask the web site people for the IP addresses that emails are coming from and add those IPs as whitelisted on the SMTP Org in Postini. If you aren't sure how to do this, Postini support can do it for you or walk you through it. The other option is to try playing with the From address - pick an address that isn't your own domain, but that won't be nearly as reliable.


QBRadAuthor Commented:
Hey, thanks for your help guys.  This actually ended up being a problem with the company who is hosting our website.  I had originally thought that was the case to begin with, but they insisted that everything was right on their end and it must be us.  They had configured our website forms to use their email as if they were hosting our email for us since that's what most of their clients do.  However, we host and will continue to host our own Exchange server.  So, they had to tell their servers to simply forward the email out to the internet and not do anything with it.  Then DNS and our Exchange server do the rest.

Thanks for your help.  I'm awarding the points to Icky since he was the first to respond and gave an answer which was very close to the solution.
