Solved

SPF record problem

Posted on 2009-07-13
8
3,045 Views
Last Modified: 2012-08-14
I have a person trying to send mail to us and it is getting bounced back to him. I checked my logs and it looks to me like he is failing on the Sender ID. I have Exchange 2007 set to reject on all that don't pass. (This may or may not be the best idea, but we are sick of spoofed mail.) Look in the code area for what was sent back to him. Below that, I included what my Sender ID filter had to say about his message.
I told him that I thought the problem was that he does not have his SPF record set up correctly. His IT person came back and told me the problem is at my end and not his. I will accept that it is at my end, in that I am rejecting messages that fail, but he has a problem that is making them fail. If I do a text record check on mail.oklahomarespiratory.com, no SPF record shows up, but if I do a text record check on just the domain name oklahomarespiratory.com, I get the following SPF record: "v=spf1 mx -all"
My understanding of SPF is not as good as I would like it to be, so could someone help me with this? Is his record set up correctly?
His NDR
----------------------------------------------------------------------------------------------------------
Failed Recipient: joeBlo@voyagerhospicecare.com
Reason: Remote host said: 550 5.7.1 Sender ID (PRA) Not Permitted
 
-- The header and top 20 lines of the message follows --
 
Received: from wsip-70-164-64-78.ok.ok.cox.net [70.164.64.78] by mail.uniformmarket.com with SMTP;
Mon, 13 Jul 2009 13:29:01 -0400
From: "Jeff Fannon" 
To: "'JoeBlo'" 
References: <1A9B1259E2DF8541923432089271442681A65CC5BE@vml.vhc.lan>
In-Reply-To: <1A9B1259E2DF8541923432089271442681A65CC5BE@vml.vhc.lan>
Subject: RE: test email from American Hospice, Inc.
Date: Mon, 13 Jul 2009 12:31:06 -0500
Message-ID: <002401ca03df$b46ca5d0$1d45f170$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0025_01CA03B5.CB969DD0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcoD3necTVQjh3C4QT6RLuIbiWnOggAAPx1w
Content-Language: en-us
 
This is a multi-part message in MIME format.
 
------=_NextPart_000_0025_01CA03B5.CB969DD0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
-------------------------------------------------------------------------------------------------------
My sender ID log
 
Timestamp       : 7/13/2009 12:31:08 PM
SessionId       : 08CBCC3530F0AC66
IPAddress       : 66.230.202.168
MessageId       :
P1FromAddress   : jeff@oklahomarespiratory.com
P2FromAddresses : {jeff@oklahomarespiratory.com}
Recipients      : {joeblo@voyagerhospicecare.com}
Agent           : Sender Id Agent
Event           : OnEndOfHeaders
Action          : RejectMessage
SmtpResponse    : 550 5.7.1 Sender ID (PRA) Not Permitted
Reason          : Fail_NotPermitted
ReasonData      : jeff@oklahomarespiratory.com
Diagnostics     :
---------------------------------------------------------------------------------------------

Question by:VoyagerHealthCare
8 Comments
 
LVL 6

Assisted Solution

by:muzzi_in
muzzi_in earned 100 total points
ID: 24844328
Hey, his SPF has been set up in the wrong way, as we are getting output of just "v=spf1 mx -all"

which is supposed to contain their connecting IP addresses, which are not listed.

Here is an example of the Microsoft website SPF:

        "v=spf1 mx include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com ip4:131.107.115.212 ip4:131.107.115.215 ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 ~all"
0
 
LVL 6

Expert Comment

by:muzzi_in
ID: 24844363
You can ask that sender's domain administrator to have a look here by providing all the necessary stuff in the link below; just make sure it is done from his end.
http://www.kitterman.com/spf/validate.html
0
 
LVL 26

Accepted Solution

by:
jar3817 earned 200 total points
ID: 24845192
This SPF record "v=spf1 mx -all" is perfectly legal.

It simply means the ONLY server allowed to send for this domain is the same as the MX record, which happens to resolve to 66.230.202.189, and to hard-fail everything else.

According to the log you posted, the sending IP address was 66.230.202.168, not 66.230.202.189, so your server rejected it. It's not your problem but theirs. They should add their IPv4 space to their SPF record, or make sure all their mail comes from that 66.230.202.189 IP address.
0

Author Comment

by:VoyagerHealthCare
ID: 24846515
The following is what the tech on the other end said. Most of it does not prove his stance from what I can see. Does what he says hold water?

<<From their tech>>>
<begin>
I looked at the information in the header Rick sent me and everything at our end is correct. The only possible solutions are that we have been blacklisted at the recipient's email server or american-hospice.net is behind a forwarding protocol that is hiding the true source of the email (us).
 
If email is successfully reaching email addresses that also do SPF checking (aol.com as an example), then it isn't at our end.
 
Finally, nothing has been moved with regard to email. mail.oklahomarespiratory.com is still aliased to mail.uniformmarket.com and the SPF record is correct.
<end>

While AOL may check SPF, that doesn't mean that they reject on a fail condition, IMO.....
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 200 total points
ID: 24847389

You're dropping the message based on the rules they have set. The record is entirely legal; however, all that means is that you drop the message because they told you to.

Both IP addresses (the real SMTP server, and the one captured) are owned by the same ISP (Neucom, Inc). "Forwarding protocols" cannot be anything to do with you if it's appearing from that source address. It must be the sender or the sender's ISP.

I can't connect to an SMTP service on the source IP above, but that only means it doesn't accept inbound connections. There must be an SMTP service there or you couldn't have a conversation with it.

It shouldn't have an impact, but they clearly breach RFC 2181 by using a CNAME record as the target for an MX record.

http://www.ietf.org/rfc/rfc2181.txt (10.3)

We (well, you) should not have to support systems that refuse to obey simple rules.

In short, I consider this to be the sender's problem. You cannot control the source of the TCP connection while you're so far away from it.

Chris
0
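Added example (not code from any poster, nor from Exchange): a minimal SPF evaluator in Python for the mx, ip4 and all mechanisms, run against a constructed DNS table built from the names and addresses in this thread (which name is the MX target and the shape of the CNAME chain are assumptions drawn from the posts). It reproduces the hard fail for 66.230.202.168 and a pass for the MX address 66.230.202.189 that jar3817 describes, and separately flags the MX-target-is-a-CNAME condition Chris Dent cites from RFC 2181 section 10.3.

```python
import ipaddress

# Constructed DNS table standing in for a live resolver. Names and addresses
# come from the thread; the MX target and CNAME chain layout are assumptions.
DNS = {
    ("oklahomarespiratory.com", "TXT"): ["v=spf1 mx -all"],
    ("oklahomarespiratory.com", "MX"): ["mail.oklahomarespiratory.com"],
    ("mail.oklahomarespiratory.com", "CNAME"): ["mail.uniformmarket.com"],
    ("mail.uniformmarket.com", "A"): ["66.230.202.189"],
    ("ns1.uniformmarket.com", "A"): ["66.230.202.168"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def resolve_a(name, hops=0):
    """A records for name, following a CNAME chain of at most 5 hops."""
    addrs = lookup(name, "A")
    if addrs or hops >= 5:
        return addrs
    cname = lookup(name, "CNAME")
    return resolve_a(cname[0], hops + 1) if cname else []

def mx_targets_that_are_cnames(domain):
    """RFC 2181 s10.3: an MX target must not be a CNAME. Return offenders."""
    return [mx for mx in lookup(domain, "MX") if lookup(mx, "CNAME")]

def check_spf(domain, client_ip):
    """Evaluate mx/ip4/all terms of domain's SPF record against client_ip."""
    ip = ipaddress.ip_address(client_ip)
    spf = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not spf:
        return "none"
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"   # default qualifier is +
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return RESULT[qual]
        if mech.startswith("ip4:"):
            hit = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "mx":
            hit = any(str(ip) in resolve_a(mx) for mx in lookup(domain, "MX"))
        else:
            hit = False   # include/a/ptr/exists not implemented here
        if hit:
            return RESULT[qual]
    return "neutral"   # record ended without an explicit "all"
```

Swapping the table for real DNS lookups turns this into a quick pre-check a sender can run against their own outbound address before asking a recipient to relax their policy.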
 

Author Comment

by:VoyagerHealthCare
ID: 24852692
My server shows the sending IP is 66.230.202.168, but the IP address of mail.oklahomarespiratory.com and mail.uniformmarket.com (the canonical name) is 66.230.202.189.

66.230.202.168 is one of their name servers and its name is ns1.uniformmarket.com. How can this be?

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24853586

I didn't notice that it was their name server, good catch. That rules out their ISP being responsible.

I would imagine that there's a NAT rule on their firewall, and that either they forgot to add outbound NAT for the mail server, or they have more than one mail server behind there and somehow the sending server differs.

Chris
0
 

Author Closing Comment

by:VoyagerHealthCare
ID: 31603037
Thanks for everyone's help. The guy is still saying that it is not his issue. What can you do but laugh? From my side, it is plain as day.
0
