Receiving NDRs from domains using SPF but we have a valid SPF record

Posted on 2008-11-07
Last Modified: 2012-05-05

I was getting NDRs from domains using SPF (by the way, we relay through websense), so we have now configured an SPF DNS record to allow mail to be sent from our mail server. This, I believe, should have fixed the problem, and the record is configured as follows:
v=spf1 a mx a:[external hostname] -all
but now when I test it from I get the following:
The domain [domain name] has authorized [external hostname] (IP Address) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.

Can anyone help with this please?

Domain with Windows Server 2003 R2 and Exchange 2007
All mail relayed out through smarthost (problem is only with domains that use Spf checks)

Many Thanks


Question by:laratech
    LVL 8

    Expert Comment

    Do you have reverse dns for the external ip address set ?

    Go to and make some tests


    Author Comment

    Yes, reverse dns is set correctly.....
    LVL 8

    Expert Comment

    You said that the relay is through smarthost and you are using websense as your frontend to internet.

    Try to modify your spf record with:

    v=spf1 ip4:<your EXTERNAL subnet range and mask> -all

    where in the <..> you have to put the external ip address range used by your mail servers e.g.

    You could try to set a unique IP address but, as I can see, it is a cluster, so you cannot be sure which node (and which address) will be used.

    LVL 7

    Accepted Solution

    Well, why don't you ask websense aka  They should have an easy-to-find FAQ answer or something on their website... hmm... nah, not so much.

    You don't need "a" (as it probably points to your website and is not properly configured); also, you don't need your external hostname, as websense should ignore this with SMTP-AUTH or something -- it just hides you better by not publishing your actual server location. But what do you need...?

    Well, looking quickly, I didn't find anything on websense's stupid website, so I'd next ask why you are sure you use  and not  or  or presumably any of the others? Looking through my own logs, I find those few domains using tend to stick to g and h but bounce around using a-h (and no domain I found in the past month using mailcontrol has SPF records -- not even

    Anyways, next I would look at the SPF record for websense (big) and then mailcontrol, and so I would guess:
    "v=spf1 mx -all" currently includes:
    "v=spf1 ip4: ip4: ip4: ip4: ~all"

    but if you didn't want to include those large subnets in the main mailcontrol include, then you can maybe just use:

    "v=spf1 mx -all"

    as they created cluster-abcdefghijkl so that it includes cluster-a, cluster-b, etc., which should correspond to the IP addresses of your smarthost... You should really just determine what IP addresses you are actually using; the IP addresses should be found somewhere in the bounced messages.

    Author Closing Comment

    Thanks for the detailed reply tymes. I actually got this working with the following spf record:

    v=spf1 mx a:[external hostname for my domain] ~all

    Not sure whether or not I need my domain in there, but it is working, so I am going to leave it..... :)


    LVL 7

    Expert Comment

    Well, ~all is not restrictive... You should try getting -all to work; otherwise it doesn't really matter as much... And if you tried -all, it should still work with the expanded definition we found for servers.
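To make the records discussed in this thread concrete (the poster's "a mx a:" record, the expert's "ip4:" suggestion, an "include:" of the smarthost provider's record, and the -all versus ~all point in the last comment), here is an added toy SPF evaluator. It is not code from this thread or from any of the posters; every hostname and address in it is a constructed placeholder, and the DNS answers are a hard-coded stand-in so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; every name and
# address below is a documentation placeholder, not a host from the thread.
FAKE_DNS = {
    ("example.test", "TXT"): ["v=spf1 a mx a:relay.example.test -all"],
    ("example.test", "A"): ["192.0.2.10"],          # the web server, per the thread
    ("example.test", "MX"): ["mail.example.test"],
    ("mail.example.test", "A"): ["192.0.2.20"],
    ("relay.example.test", "A"): ["198.51.100.5"],
    ("smarthost.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("soft.example.test", "TXT"): ["v=spf1 a:relay.example.test include:smarthost.test ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return FAKE_DNS.get((name, rtype), [])

def a_matches(name, ip):
    return any(ip == ipaddress.ip_address(a) for a in lookup(name, "A"))

def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for the connecting ip (simplified RFC 7208:
    a, mx, ip4, include and all only; no macros, ptr, exists or lookup limits)."""
    ip = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1 or depth > 10:
        return "permerror"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = a_matches(arg or domain, ip)
        elif mech == "mx":
            matched = any(a_matches(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]   # first matching mechanism decides
    return "neutral"                  # no mechanism matched, no explicit all
```

Run against the -all record, mail from an address that is not listed (for instance the other cluster node the second expert warns about) gets "fail", whereas the ~all record turns the same case into "softfail", which is exactly why the last comment calls ~all "not restrictive".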
