  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1592

Receiving NDRs from domains using SPF but we have a valid SPF record

Hello

I was getting NDRs from domains using SPF (by the way, we relay through Websense), so we have now configured an SPF DNS record to allow mail to be sent from our mail server. This I believe should have fixed the problem, and the record is configured as follows:

v=spf1 a mx a:cluster-a.mailcontrol.com a:[external hostname] -all

but now when I test it from http://www.openspf.org/Why I get the following:

"The domain [domain name] has authorized [external hostname] (IP Address) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected."

Can anyone help with this please?

Configuration:
Domain with Windows Server 2003 R2 and Exchange 2007
All mail relayed out through a smarthost (the problem is only with domains that use SPF checks)

Many Thanks

Liam


Asked by: Andrew Lee

1 Solution

Point-In-Cyberspace commented:
Do you have reverse DNS for the external IP address set?

Go to dnsstuff.com and make some tests.


Andrew Lee (Managing Director, Author) commented:
Yes, reverse DNS is set correctly...

Point-In-Cyberspace commented:
You said that the relay is through a smarthost and you are using Websense as your frontend to the internet.

Try to modify your SPF record with:


v=spf1 ip4:<your EXTERNAL subnet range and mask> -all

where in the <..> you have to put the external IP address range used by your mail servers, e.g. 150.40.20.16/30

You could try to set a unique IP address but, as I can see, it is a cluster, so you cannot be sure which node (and which address) will be used.



tymes commented:
Well, why don't you ask websense aka mailcontrol.com?  They should have an easy to find faq answer or something on their website... hmm... nah not so much.

You don't need "a" (as it probably points to your website and is not properly configured); also, you don't need your external hostname, as Websense should ignore this with SMTP-AUTH or something -- it just hides you better by not publishing your actual server location. But what do you need...?

Well, looking quickly, I didn't find anything on Websense's stupid website, so I'd next ask why you are sure you use cluster-a.mailcontrol.com and not cluster-f.mailcontrol.com or cluster-h.mailcontrol.com or presumably any of the others? Looking through my own logs, I find those few domains using mailcontrol.com tend to stick to g and h but bounce around using a-h (and no domain in the past month I found using mailcontrol has SPF records -- not even standardbank.com).

Anyways, next I would look at the SPF record for Websense (big) and then mailcontrol, and so I would guess:
"v=spf1 mx include:mailcontrol.com -all"

include:mailcontrol.com currently includes:
"v=spf1 a:cluster-abdefghjkm.mailcontrol.com a:cluster-y.mailcontrol.com a:cluster-z.mailcontrol.com ip4:85.115.32.0/19 ip4:86.111.216.0/21 ip4:116.50.56.0/21 ip4:208.87.232.0/21 ~all"

but if you didn't want to include those large subnets in the main mailcontrol include, then you can maybe just use:

"v=spf1 mx a:cluster-abcdefghjkm.mailcontrol.com -all"

as they created cluster-abcdefghijkl so that it includes cluster-a, cluster-b etc., which should correspond to the IP addresses of your smarthost... You should really just determine what IP addresses you are really using, and the IP addresses should be found somewhere in the bounced messages.

Andrew Lee (Managing Director, Author) commented:
Thanks for the detailed reply tymes. I actually got this working with the following SPF record:

v=spf1 mx include:mailcontrol.com a:[external hostname for my domain] ~all

Not sure whether or not I need my domain in there, but it is working so I am going to leave it..... :)

Thanks

Liam

tymes commented:
Well, ~all is not restrictive... You should try getting -all to work; otherwise it doesn't really matter as much... And if you tried -all, it should still work with the expanded definition we found for the mailcontrol.com servers.
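Added example (my own code, not from any of the posters or from Websense/mailcontrol.com): a small Python SPF evaluator covering the mechanisms used in this thread (a, a:host, mx, ip4:, include:, all with the + - ~ ? qualifiers). It shows the two points made above: why the original record only passed mail leaving through the one cluster node it named and failed for the others, why the include: form passes for every node, and what -all versus ~all changes for a sender that is not listed at all. Every hostname and address is constructed (documentation ranges, cluster-*.relay.example) and answered from an in-memory table, so it runs offline and contains no real mailcontrol.com data.

```python
"""Minimal SPF evaluator for the mechanisms discussed in the thread.

Added example, not code from the thread. Implements the subset of RFC 7208
needed here: qualifiers (+ - ~ ?) and the mechanisms a, a:<host>, mx,
ip4:<cidr>, include:<domain>, all. DNS answers come from a constructed
in-memory table so the script runs offline; all names and addresses below
are hypothetical (documentation ranges), not Websense/mailcontrol data.
"""
import ipaddress

# Constructed zone data (hypothetical): TXT (SPF), A and MX records.
DNS = {
    "txt": {
        "example.com": "v=spf1 a mx a:cluster-a.relay.example -all",
        # the relay provider's own record, like the quoted mailcontrol include
        "relay.example": ("v=spf1 a:cluster-abc.relay.example "
                          "ip4:203.0.113.0/24 ~all"),
    },
    "a": {
        "example.com": ["192.0.2.10"],            # web server, not a mailer
        "mail.example.com": ["192.0.2.25"],       # the MX host
        "cluster-a.relay.example": ["198.51.100.1"],
        "cluster-b.relay.example": ["198.51.100.2"],
        # one name whose A records cover every cluster node
        "cluster-abc.relay.example": ["198.51.100.1", "198.51.100.2",
                                      "198.51.100.3"],
    },
    "mx": {"example.com": ["mail.example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in_hosts(ip, hosts):
    """True if ``ip`` equals any A record of any host in ``hosts``."""
    return any(ip == ipaddress.ip_address(addr)
               for host in hosts for addr in DNS["a"].get(host, []))


def check_host(ip, domain, record=None, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a sender.

    ``record`` lets you test a candidate SPF string before publishing it;
    when omitted the domain's published TXT record is used.
    """
    if depth > 10:              # guard against include: loops
        return "permerror"
    record = record or DNS["txt"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = _ip_in_hosts(ip, [arg or domain])
        elif mech == "mx":
            matched = _ip_in_hosts(ip, DNS["mx"].get(arg or domain, []))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only if the referenced record returns "pass";
            # a ~all/-all inside it does NOT propagate as softfail/fail.
            matched = check_host(str(ip), arg, depth=depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"            # nothing matched and no 'all' present


# Candidate records mirroring the thread: the asker's first attempt, the
# include: form tymes suggested, and the ~all variant the asker settled on.
CANDIDATES = {
    "original": "v=spf1 a mx a:cluster-a.relay.example -all",
    "include": "v=spf1 mx include:relay.example -all",
    "softfail": "v=spf1 mx include:relay.example ~all",
}


def compare_records(ip, domain, candidates=CANDIDATES):
    """Evaluate one sender IP against each candidate SPF record."""
    return {name: check_host(ip, domain, rec)
            for name, rec in candidates.items()}


if __name__ == "__main__":
    for sender in ("198.51.100.1", "198.51.100.2", "192.0.2.25",
                   "203.0.113.7", "192.0.2.99"):
        print(sender, compare_records(sender, "example.com"))
```

Running it prints one line per sender: the second cluster node fails the original record but passes the include: form, and an unrelated address (192.0.2.99) gets "fail" under -all but only "softfail" under ~all, which is why receivers treat the latter as a hint rather than a reject. To use it against real records, replace the DNS table with TXT/A/MX lookups.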
