Receiving NDRs from domains using SPF but we have a valid SPF record


I was getting NDRs from domains using SPF (by the way, we relay through websense), so we have now configured an SPF DNS record to allow mail to be sent from our mail server. This I believe should have fixed the problem, and the record is configured as follows:
v=spf1 a mx a:[external hostname] -all
but now when I test it from I get the following:
The domain [domain name] has authorized [external hostname] (IP Address) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.

Can anyone help with this please?

Domain with Windows Server 2003 R2 and Exchange 2007
All mail relayed out through smarthost (problem is only with domains that use Spf checks)

Many Thanks


Andrew Lee (Managing Director) asked:
tymes commented:
Well, why don't you ask websense aka  They should have an easy-to-find FAQ answer or something on their website... hmm... nah, not so much.

You don't need "a" (as it probably points to your website and is not properly configured); also you don't need your external hostname, as websense should ignore this with SMTP-AUTH or something -- it just hides you better by not publishing your actual server location. But what do you need...?

Well, looking quickly I didn't find anything on websense's stupid website, so I'd next ask why you are sure you use  and not  or  or presumably any of the others? Looking through my own logs I find those few domains using tend to stick to g and h but bounce around using a-h (and no domain in the past month I found using mailcontrol has SPF records -- not even

Anyway, next I would look at the SPF record for websense (big) and then mailcontrol, and so I would guess:
"v=spf1 mx -all" currently includes:
"v=spf1 ip4: ip4: ip4: ip4: ~all"

but if you didn't want to include those large subnets in the main mailcontrol include, then you can maybe just use:

"v=spf1 mx -all"

as they created cluster-abcdefghijkl so that it includes cluster-a, cluster-b, etc., which should correspond to the IP addresses of your smarthost... You should really just determine what IP addresses you are really using, and the IP addresses should be found somewhere in the bounced messages.
Do you have reverse DNS for the external IP address set?

Go to and make some tests

Andrew Lee (Managing Director, Author) commented:
Yes, reverse DNS is set correctly.

You said that the relay is through a smarthost and you are using websense as your frontend to the internet.

Try to modify your spf record with:

v=spf1 ip4:<your EXTERNAL subnet range and mask> -all

where in the <..> you have to put the external IP address range used by your mail servers, e.g.

You could try to set a unique IP address but, as I can see, it is a cluster, so you cannot be sure which node (and which address) will be used.

Andrew Lee (Managing Director, Author) commented:
Thanks for the detailed reply, tymes. I actually got this working with the following SPF record:

v=spf1 mx a:[external hostname for my domain] ~all

Not sure whether or not I need my domain in there, but it is working so I am going to leave it... :)


Well, ~all is not restrictive... You should try getting -all to work, otherwise it doesn't really matter as much... And if you tried -all, it should still work with the expanded definition we found for servers.
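As an added worked example (not from this thread or from any of the products named in it), here is a minimal SPF evaluator in Python that walks a record's mechanisms the way a receiving server does. The DNS data, hostnames and addresses in it are constructed placeholders, not the poster's values; it shows why "a mx" alone does not cover mail relayed through a third-party smarthost (that IP has to be reachable via ip4:, a:host or include:), and that ~all and -all differ only in the verdict given when nothing matches.

```python
import ipaddress

# Constructed stand-in for DNS lookups (hypothetical names and addresses,
# not the poster's): A records, MX hosts and the TXT record of a relay domain.
DNS = {
    "a": {"example.com": ["203.0.113.10"],
          "mail.example.com": ["203.0.113.25"],
          "smarthost.relay.example": ["198.51.100.7"]},
    "mx": {"example.com": ["mail.example.com"]},
    "txt": {"relay.example": "v=spf1 ip4:198.51.100.0/24 ~all"},
}

# Qualifier prefix -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, domain, dns=DNS, depth=0):
    """Evaluate `record` (published by `domain`) for `sender_ip`.

    Returns pass / fail / softfail / neutral, or "none" for a non-SPF record.
    Supports the mechanisms discussed in the thread: a, a:host, mx, ip4,
    include and all, each with an optional +, -, ~ or ? qualifier.
    """
    ip = ipaddress.ip_address(sender_ip)
    if not record.startswith("v=spf1") or depth > 10:  # 10 = RFC 7208 lookup limit
        return "none"
    for term in record.split()[1:]:
        qual = "+"                     # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":              # catch-all: its qualifier decides the verdict
            matched = True
        elif name == "ip4":            # explicit address or CIDR range
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":              # A record of the domain, or of a named host
            matched = str(ip) in dns["a"].get(arg or domain, [])
        elif name == "mx":             # A records of the domain's MX hosts
            hosts = dns["mx"].get(arg or domain, [])
            matched = any(str(ip) in dns["a"].get(h, []) for h in hosts)
        elif name == "include":        # matches only if the included record passes
            sub = dns["txt"].get(arg, "")
            matched = check_spf(sub, sender_ip, arg, dns, depth + 1) == "pass"
        if matched:                    # first matching mechanism wins
            return QUALIFIERS[qual]
    return "neutral"                   # nothing matched and no "all" term
```

With the placeholder data, "v=spf1 a mx -all" passes the domain's own MX host but fails the smarthost's address, while "v=spf1 mx ~all" only softfails it; adding ip4:, a:smarthost.relay.example or include:relay.example turns that into a pass.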