Receiving NDRs from domains using SPF but we have a valid SPF record


I was getting NDRs from domains using SPF (by the way, we relay through Websense), so we have now configured an SPF DNS record to allow mail to be sent from our mail server. This, I believe, should have fixed the problem, and the record is configured as follows:
v=spf1 a mx a:[external hostname] -all
but now when I test it from I get the following:
The domain [domain name] has authorized [external hostname] (IP Address) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.

Can anyone help with this please?

Domain with Windows Server 2003 R2 and Exchange 2007
All mail relayed out through smarthost (problem is only with domains that use Spf checks)

Many Thanks


Andrew Lee (Managing Director) asked:

Do you have reverse DNS for the external IP address set?

Go to and make some tests

Andrew Lee (Managing Director), author, commented:
Yes, reverse DNS is set correctly...
You said that the relay is through a smarthost and you are using Websense as your frontend to the internet.

Try to modify your spf record with:

v=spf1 ip4:<your EXTERNAL subnet range and mask> -all

where in the <..> you have to put the external IP address range used by your mail servers, e.g.

You could try to set a unique IP address but, as I can see, it is a cluster, so you cannot be sure which node (and which address) will be used.


Well, why don't you ask Websense, aka  They should have an easy-to-find FAQ answer or something on their website... hmm... nah, not so much.

You don't need "a" (as it probably points to your website and is not properly configured); also, you don't need your external hostname, as Websense should ignore this with SMTP-AUTH or something -- it just hides you better by not publishing your actual server location. But what do you need...?

Well, looking quickly, I didn't find anything on Websense's stupid website, so I'd next ask why you are sure you use  and not  or  or presumably any of the others? Looking through my own logs, I find those few domains using  tend to stick to g and h but bounce around using a-h (and no domain I found in the past month using mailcontrol has SPF records -- not even

Anyway, next I would look at the SPF record for Websense (big) and then mailcontrol, and so I would guess:
"v=spf1 mx -all" currently includes:
"v=spf1 ip4: ip4: ip4: ip4: ~all"

but if you didn't want to include those large subnets in the main mailcontrol include, then you can maybe just use:

"v=spf1 mx -all"

as they created cluster-abcdefghijkl so that it includes cluster-a, cluster-b, etc., which should correspond to the IP addresses of your smarthost... You should really just determine what IP addresses you are really using; the IP addresses should be found somewhere in the bounced messages.

Andrew Lee (Managing Director), author, commented:
Thanks for the detailed reply, tymes. I actually got this working with the following SPF record:

v=spf1 mx a:[external hostname for my domain] ~all

Not sure whether or not I need my domain in there, but it is working, so I am going to leave it... :)


Well, ~all is not restrictive... You should try getting -all to work; otherwise it doesn't really matter as much... And if you tried -all, it should still work with the expanded definition we found for  servers.
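As an added example, not code from this thread or from any of the participants, the following Python script evaluates SPF records the way a receiving server does, over a constructed in-memory DNS table instead of real DNS. It shows the three things the thread argues about: why an ip4:subnet term covers every node of a clustered smarthost, how an include: only counts when the included record yields "pass", and why a record ending in ~all (the one the author settled on) gives a softfail for a stranger's IP where -all gives a hard fail. All hostnames (example.test, _spf.relay.test and so on) and addresses (RFC 5737 documentation ranges) are assumptions for the example; the evaluator is a subset of RFC 7208 with no ptr/exists support and no redirect= handling.

```python
import ipaddress

# Constructed DNS data standing in for a resolver. Every name and address
# here is an assumption for the example (RFC 5737 documentation ranges),
# not a real record from the thread.
DNS = {
    # The author's domain, in the shape of the accepted suggestion:
    # mx, a:hostname, include of the relay's own record, hard fail.
    "example.test": {
        "TXT": ["v=spf1 mx a:mail.example.test include:_spf.relay.test -all"],
        "MX": ["mx1.example.test"],
    },
    # Same domain, but ending in ~all as in the record the author kept.
    "soft.example.test": {
        "TXT": ["v=spf1 mx a:mail.example.test ~all"],
        "MX": ["mx1.example.test"],
    },
    "mx1.example.test": {"A": ["198.51.100.10"]},
    "mail.example.test": {"A": ["198.51.100.10"]},
    # The relay's record: one ip4 subnet covering every cluster node, the
    # form recommended when you cannot predict which node will send.
    "_spf.relay.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolver stub: return the records of one type for a name."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def get_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate `domain`'s SPF record for sender `ip` (RFC 7208 subset)."""
    if depth > 10:                      # RFC 7208 caps nested lookups at 10
        return "permerror"
    record = get_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        if "=" in term:                 # modifiers (redirect=, exp=) not handled here
            continue
        qualifier = "+"                 # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):    # subnet match; a v4 address never matches a v6 net
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":               # A record of the named host (or the domain itself)
            matched = any(ipaddress.ip_address(a) == addr
                          for a in lookup(arg or domain, "A"))
        elif mech == "mx":              # A records of the domain's MX hosts
            matched = any(ipaddress.ip_address(a) == addr
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "include":
            # include: matches only when the included record yields "pass";
            # its own softfail/fail/neutral just falls through to the next term.
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # ptr/exists left out of this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no term matched and no "all" present


if __name__ == "__main__":
    for ip, domain in [("198.51.100.10", "example.test"),     # own MX host
                       ("203.0.113.77", "example.test"),      # any relay cluster node
                       ("192.0.2.7", "example.test"),         # stranger, record ends -all
                       ("192.0.2.7", "soft.example.test")]:   # stranger, record ends ~all
        print(f"{ip:>15} {domain:<20} {check_spf(ip, domain)}")
```

Against real DNS you would replace `lookup` with resolver queries (the TXT, MX and A lookups are exactly what a receiving MTA performs); the evaluation rules are unchanged. The last two cases are the point of the final comment: the same unknown sender gets "fail" under -all and only "softfail" under ~all, so a receiver that honours SPF strictly will still accept a forged message from a domain that ends its record with ~all.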