anordquist

asked on

SPF Problem

Some time ago, I set up an SPF record in DNS. I've got a single email server, so I defined my SPF record as

 v=spf1 ip4:216.14.181.89 -all  

and everything seemed to work OK. However, in the last week or so, I've been told that we can no longer send email to two different domains. When I checked my SPF setup using the tool at http://www.kitterman.com/getspf2.py, it said:
==============================
SPF records are primarily published in DNS as TXT records. The TXT records found for your domain are:

v=spf1 ip4:216.14.181.89 -all


SPF records should also be published in DNS as type SPF records. This is new and most implementations do not support it yet.
No type SPF records found.

Checking to see if there is a valid SPF record.

Found v=spf1 record for employersinc.com
v=spf1 ip4:216.14.181.89 -all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!

 ======================================


But, after hearing about the NDR problems, I looked for more ways to test my SPF setup. The website http://www.openspf.org showed a problem:

=======================================

An SPF-enabled mail server rejected a message that claimed an envelope sender address of alann@employersinc.com.
An SPF-enabled mail server received a message from email.employersinc.com (216.14.181.89) that claimed an envelope sender address of alann@employersinc.com.

The domain employersinc.com has authorized email.employersinc.com (216.14.181.89) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.

===================================

I don't know where to start looking for a problem. I'm using Cisco gear on my network. Most internal addresses are NATed, but the email server has a static address. All of my incoming mail goes to Postini for spam/virus filtering and all of my outgoing mail comes directly from my server.
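As an added illustration of what the validators above are checking (this is not code from the question, from the kitterman.com tool or from openspf.org), here is a small Python evaluator for the record quoted in the question. It handles only the ip4, ip6 and all mechanisms, and takes the record text and the sending IP directly instead of doing DNS lookups, so it runs offline; the addresses other than 216.14.181.89 and the extra records in the demo are constructed.

```python
"""Minimal SPF v1 evaluator for the mechanisms this thread uses (ip4, ip6, all).

Added example, not code from the original question or the kitterman.com tool.
It takes the record text and the sending IP directly instead of doing DNS, so
it runs offline; mechanisms that need lookups (a, mx, include, ...) are
reported as 'unsupported' rather than guessed.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms.

    Returns None if the record is not an SPF v1 record at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a term with no explicit qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier such as redirect= or exp=; not handled here
            continue
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate record for sender_ip; return the SPF result as a string.

    Mechanisms are tried left to right and the first match decides, exactly
    as a receiving MTA does. With no match and no 'all', the result is
    'neutral' (RFC 7208 section 4.7).
    """
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in terms:
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address: the record is broken
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"  # would need DNS (a, mx, include, exists, ptr)
    return "neutral"


if __name__ == "__main__":
    # The record from the question; the other addresses are constructed.
    record = "v=spf1 ip4:216.14.181.89 -all"
    for ip in ("216.14.181.89", "216.14.181.90", "2001:db8::1"):
        print(f"{ip:>16} -> {check_spf(record, ip)}")
```

Running it shows why the record is sound: 216.14.181.89 gets pass, any other address falls through to -all and gets fail. A receiving server that rejects mail from 216.14.181.89 with this record published is therefore not rejecting it because of SPF.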
Alan Hardisty

Please have a read of my FAQ regarding problems sending mail out to one or more domains:
http://www.it-eye.co.uk/faqs/readQuestion.php?qid=2
If your SPF record matches your IP Address and is correct, which it seems to be, then something else is probably at fault.
anordquist (ASKER)

The domain doesn't appear to be on any blacklists, and the SPF record matches the mail server's IP address.
ASKER CERTIFIED SOLUTION
Chris Dent
Yes, everything looks ok.  The DNS listing for the email server has been out there forever, and the SPF record was put in about 6 months ago.

The reject notification you pasted above, did that come from the openspf.org mail test?

You mentioned NDRs; is that the above, or is that in addition to what we have above?

Chris
The NDRs are coming from the two different domains, not from the mail testing.

What reason do they quote for the reject? It's moderately unusual for an SPF failure to return an NDR; that makes sense when you consider what it's protecting against.

Chris
Here's one of them:

      abc@xyz.edu on 1/20/2010 11:10 AM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <email.employersinc.com #5.7.1 smtp;554 5.7.1 <abc@xyz.edu>: Relay access denied>


and here's the other

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.

            <email.employersinc.com #5.5.0 smtp;550-email.employersinc.com [216.14.181.89] is currently not permitted to relay>
Sounds like they are rejecting you incorrectly.

Have you tried using telnet to manually test mail flow? You might see a better response for the rejection.

Telnet 123.123.123.123 25
ehlo yourdomain.com
mail from:
rcpt to:

quit

Test with Telnet and see if it repeats the error? You'll have to do that from your mail server of course, but both appear to be dropping you immediately after RCPT TO.

Personally, I would be pretty inclined to blame that on the recipient's system. If your configuration checks out, and from what you've posted and said it does, it can't really be your problem.

Chris

Nice, matching responses :)

Chris
It is always good to have your ideas backed up by others who suggest the same. Great minds think alike ;-)
I looked up the MX records for the two domains and found this

domain #1
alt1.aspmx.l.google.com
aspmx5.googlemail.com
alt2.aspmx.l.google.com
aspmx.l.google.com
aspmx3.googlemail.com
aspmx4.googlemail.com

domain #2
alt2.aspmx.l.google.com
aspmx2.googlemail.com
aspmx3.googlemail.com
aspmx4.googlemail.com
aspmx5.googlemail.com
aspmx.l.google.com
alt1.aspmx1.google.com

When I telnetted to either alt1.aspmx.l.google.com or aspmx5.googlemail.com, I got this response:

220 ************************************
ehlo employersinc.com
502 5.5.1 Unrecognized command. 4si7282662yxe.65


When I telnetted directly to one of the domains on port 25, I got this response:

220 ****************************
ehlo employersinc.com
502 5.5.2 Error: command not recognized

Google Apps.

Do you have anyone else in the recipient domain that can be used to test?

Otherwise if you have a googlemail account it should go through the same checks there.

Chris
You have Cisco equipment. Have you turned smtp fixup off?
My email sent to mytestaccount@gmail.com is failing.  One of my users just sent me a list of several hundred gmail addresses, all failing.

Neither my edge router nor my ASA have smtp fixup mentioned in their configuration.
So what was the problem?
There actually was an issue with blacklists.  My incoming email goes to Postini, so I was checking the Postini servers and my domain against the blacklists.  Those came up clean.
But, my emailserver.mydomain.com did come up on a blacklist.  It took a lot longer to find the problem than it did to resolve it, or for me to get off my lazy butt here and close up this question.