Andrew Lee
asked on
Receiving NDR from domains using SPF but we have a valid SPF record
Hello
I was getting NDRs from domains using SPF (by the way, we relay through Websense), so we have now configured an SPF DNS record to allow mail to be sent from our mail server. This, I believe, should have fixed the problem, and the record is configured as follows:
v=spf1 a mx a:cluster-a.mailcontrol.com a:[external hostname] -all
but now when I test it from http://www.openspf.org/Why I get the following:
The domain [domain name] has authorized [external hostname] (IP Address) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.
Can anyone help with this please?
Configuration:
Domain with Windows Server 2003 R2 and Exchange 2007
All mail relayed out through smarthost (problem is only with domains that use SPF checks)
Many Thanks
Liam
ASKER
Yes, reverse DNS is set correctly.....
You said that the relay is through a smarthost and you are using Websense as your front end to the internet.
Try to modify your SPF record with:
v=spf1 ip4:<your EXTERNAL subnet range and mask> -all
where in the <..> you have to put the external IP address range used by your mail servers, e.g. 150.40.20.16/30
You could try to set a unique IP address but, as I can see, it is a cluster, so you cannot be sure which node (and which address) will be used.
ASKER
Thanks for the detailed reply tymes. I actually got this working with the following SPF record:
v=spf1 mx include:mailcontrol.com a:[external hostname for my domain] ~all
Not sure whether or not I need my domain in there, but it is working so I am going to leave it..... :)
Thanks
Liam
Well, ~all is not restrictive... You should try getting -all to work; otherwise it doesn't really matter as much... And if you tried -all, it should still work with the expanded definition we found for mailcontrol.com servers.
Go to dnsstuff.com and make some tests
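Added example, not part of the original thread: a small offline SPF evaluator (a subset of RFC 7208: `ip4`, `a`, `mx`, `include`, `all`) showing how the record shapes discussed above are matched left to right, why a single `a:` hostname can miss a relay cluster node that `include:` or `ip4:` covers, and how `~all` differs from `-all`. All domains, addresses and zone data are constructed placeholders (documentation ranges), not the real records of any provider named in the thread.

```python
import ipaddress

# Constructed zone data standing in for DNS lookups (assumed values).
A = {"example.org": ["192.0.2.10"], "mail.example.org": ["192.0.2.25"],
     "cluster-a.relay.example": ["198.51.100.5"]}
MX = {"example.org": ["mail.example.org"]}
TXT = {"relay.example": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/28 -all"}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _hosts_match(ip, names):
    """True if ip equals any A record of any of the given host names."""
    return any(ip == ipaddress.ip_address(a) for n in names for a in A.get(n, []))

def check_spf(record, ip, domain):
    """Evaluate the sender ip against an SPF record; first matching term wins."""
    ip = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = term[0] if term[0] in RESULT else "+"   # default qualifier is +
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = _hosts_match(ip, [arg or domain])
        elif mech == "mx":
            hit = _hosts_match(ip, MX.get(arg or domain, []))
        elif mech == "include":
            # include matches only when the included record evaluates to pass
            hit = check_spf(TXT.get(arg, ""), ip, arg) == "pass"
        else:
            continue  # simplification: other terms are skipped in this sketch
        if hit:
            return RESULT[qual]
    return "neutral"

if __name__ == "__main__":
    node = "203.0.113.7"  # constructed: relay node not behind cluster-a's A record
    for rec in ("v=spf1 a mx a:cluster-a.relay.example -all",
                "v=spf1 mx include:relay.example -all",
                "v=spf1 ip4:203.0.113.0/28 -all"):
        print(f"{check_spf(rec, node, 'example.org'):9} {rec}")
    for rec in ("v=spf1 mx include:relay.example ~all",
                "v=spf1 mx include:relay.example -all"):
        print(f"{check_spf(rec, '192.0.2.99', 'example.org'):9} {rec} (unlisted sender)")
```
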