

Numerous Domains failing Sender ID verification after holiday break

Posted on 2009-12-28
Medium Priority
Last Modified: 2012-05-08
I am flabbergasted, to say the least. I came back to work today after the Christmas break, and every one of my clients that has an SPF record is having problems sending e-mail to domains that use Postini (they use Sender ID filtering), and any domain that has Sender ID filtering enabled.
I thought maybe a user might have messed with the server until I was told ALL my clients are having the same problem. I went through each one of them, one by one, and verified all SPF records were correct, and passed validation (I use http://www.kitterman.com/spf/validate.html ). I made sure everyone had the same IP and didn't start using smart-hosts. I checked each domain from here ( http://old.openspf.org/why.html ) and ALL passed.
Every domain having the problem has had their SPF record in place for over a year, with no issues. I have checked MXToolbox to see if anyone was on a blacklist, and all were clean.
Was there an update that I'm unaware of? I need this resolved ASAP, and I have no idea what the problem could be.

Note: Every domain I manage is a Windows network using Exchange, not that it matters.
Question by:mhdcommunications
LVL 65

Expert Comment

ID: 26133882
You haven't said which version of Exchange that you are using, but Microsoft updates are on a schedule, not random. If this is only happening where Postini is involved, then it would tend to point to a problem with Postini.

Unless you can get someone at Postini to acknowledge the problem, the only way to resolve it would be to remove the SPF records, but that will take 48 hours to take full effect.


Author Comment

ID: 26133973
The version of Exchange doesn't matter, but I have tested Exchange 2000-2007, SBS, Std + Ent. I have approx 32 clients that ALL have SPF records. I cannot send e-mail from one client to another; e-mail gets rejected due to SPF failure. Outside senders cannot send e-mail to my clients, and get the same result (ONLY if they have an SPF record - valid or not). Postini's service allows you to enable Sender ID filtering (SPF), but it's not a service-wide setting. The end-user must enable this during the initial setup. I'm not sure about other administrators, but I have enabled this on ALL my clients using Postini (why not let Postini check for you).

It's almost like SPF is broken....


Author Comment

ID: 26133996
I forgot to mention, the only reason the e-mails are 'rejected' is because of the Sender ID setting (Accept, Delete, Reject). I have disabled Sender ID on all clients to keep from having good e-mail dumped into Junk Mail ('Accept' will do this).
My main question, which I should have worded correctly, is why are the SPF checks failing when every validation tool I can find says it's configured correctly?

LVL 65

Expert Comment

ID: 26134559
It isn't clear from your postings whether this is inbound or outbound and whether bypassing Postini's service makes any difference.

SPF records are not used widely enough to be able to use them for anything more than scoring. You cannot hard fail on SPF records unless you want to drop large amounts of email.

You need to pin it down to whether the source of the problem is Postini or not.

SPF isn't a service, it is a DNS record, but requires support of the receiving system to check.

While it is a public holiday today in large parts of the world, I haven't heard of this anywhere else. Even taking into account public holidays and the fact that many people are still away from the office, if there was a more widespread problem it should be known.


Author Comment

ID: 26298106
The SPF issue is inbound and outbound. I was using Postini as a reference. I know SPF is a DNS record, and not a service.

I will try to explain the 'problem' again.

My experience is with Microsoft Exchange ONLY, and whatever Postini uses (please don't get stuck on Postini as being a possible problem, because it's not).

Let's say my Exchange servers' Sender ID setting (Exchange 2003 or 2007, doesn't matter) is set to reject e-mails that fail the Sender ID check. EVERY domain that has an SPF record, valid or not, gets rejected. This is NOT an Exchange issue. I have tested it on 20+ different Exchange servers, and against Postini (who doesn't use Exchange, I'm sure). If I set Sender ID to Accept, the e-mails go through without a problem. This does not, however, resolve sending to Postini. Since I have an SPF record, if the recipient's Postini configuration uses the built-in Sender ID, and is set to reject, my e-mails are rejected even with a VALID SPF record.
I have an e-mail admin friend at a major hospital here in Tampa that has an SPF record (yes, it's valid), and when sending to any of my 20+ domains (with Sender ID set to reject) the e-mails are rejected. The same when sending to him from any of the 20+ domains (after he adjusts his Sender ID settings to reject): it gets rejected.

I don't expect to get an answer on this question. I have even called Microsoft, and they advised me that it's a problem on the recipient's server (not likely with the amount of different servers/OSes/domains/configurations I have tested). I have asked every professional I know, even a professor friend at ITT, and no one has an answer for me.
LVL 65

Accepted Solution

Mestha earned 500 total points
ID: 26298727
Nothing has changed with regards to this functionality.

If it isn't working for you, then turn the feature off. I find it makes zero difference on the level of spam and SPF/Sender ID is not something I deploy for any client at all.

LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 500 total points
ID: 26301805
This all looks very confusing.

Let me try and help.

If your mail is forwarding to Postini for relaying then being rejected by someone else's mail system then the problem lies with Postini.
If you have an SPF record configured for your domain which includes an A record that points to your mail server's IP address this will be different from the IP address that Postini use to send your mail out so the SPF will be configured incorrectly.

If you're using Postini then you don't need to have an SPF record and it's more likely to be rejected because it is not configured correctly so remove it.

With regards to receiving mail, your SPF record is not used at all. Any checks you have on your system will be checking THEIR SPF record, not yours. If they don't have an SPF record and you're checking for one then your system will reject it; if they have an SPF record and it's not configured correctly then your system will reject it.

Your mail server does not check YOUR SPF record when other people are sending you mail; it checks for their record.

Let me try and give you an example:

Your MX record points to an A record for mail.yourdomain.com
Your rDNS record points to mail.yourdomain.com
The FQDN associated with your send connector is mail.yourdomain.com
Your SPF record should look something like: "v=spf1 a mx ptr mx:mail.yourdomain.com -all"

If you are hosting multiple domains then the configuration would stay exactly the same. Why? Because you're only sending out with one send connector, your IP address is the same.
So for example if you also hosted yourdomain2.com on your mail server then your MX record for yourdomain2.com would point to A record mail.yourdomain.com

If any of these are mismatched then it COULD result in failure; it won't always but it could.

Does that help?
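
The relay mismatch described in the answer above, as an added example that is not part of the original thread: a small SPF evaluator run against the answer's sample record. The zone data, the documentation-range IP addresses, the relay range and the `yourdomain2.com` record that lists it are all constructed assumptions, and only the `a`, `mx`, `ptr`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed zone data standing in for DNS (documentation address ranges).
ZONE = {
    "A": {"yourdomain.com": ["192.0.2.10"], "mail.yourdomain.com": ["192.0.2.10"]},
    "MX": {"yourdomain.com": ["mail.yourdomain.com"],
           "yourdomain2.com": ["mail.yourdomain.com"]},
    "PTR": {"192.0.2.10": ["mail.yourdomain.com"]},
    "TXT": {
        # Record from the answer: authorises only the domain's own hosts.
        "yourdomain.com": "v=spf1 a mx ptr mx:mail.yourdomain.com -all",
        # Assumed variant that also lists a (hypothetical) relay range.
        "yourdomain2.com": "v=spf1 mx ip4:198.51.100.0/24 -all",
    },
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a(host):
    return ZONE["A"].get(host, [])

def _mx_ips(domain):
    return [ip for host in ZONE["MX"].get(domain, []) for ip in _a(host)]

def _ptr_match(ip, domain):
    # Forward-confirmed reverse DNS: PTR name is under the domain and resolves back.
    return any((n == domain or n.endswith("." + domain)) and ip in _a(n)
               for n in ZONE["PTR"].get(ip, []))

def check_spf(ip, domain):
    """Return (result, matching term) for the connecting IP and sender domain."""
    record = ZONE["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none", None
    for term in record.split()[1:]:          # mechanisms are tried left to right
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        tests = {
            "all": lambda: True,
            "a": lambda: ip in _a(target),
            "mx": lambda: ip in _mx_ips(target),
            "ptr": lambda: _ptr_match(ip, target),
            "ip4": lambda: ipaddress.ip_address(ip) in ipaddress.ip_network(arg),
        }
        if name not in tests:
            return "permerror", term
        if tests[name]():
            return RESULTS[qualifier], term
    return "neutral", None
```

`check_spf("192.0.2.10", "yourdomain.com")` passes on the `a` mechanism, while the same domain's mail handed to a relay at `198.51.100.25` falls through to `-all` and fails.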

Author Closing Comment

ID: 31670540
This question has been open too long, and no one has any idea what is going on. The problem still continues, so I have stopped using SPF. I know how SPF works, it's just not working the way it should.

Question has a verified solution.