SPF Problem

anordquist asked:
Some time ago, I set up an SPF record in DNS. I've got a single email server, so I defined my SPF record as

v=spf1 ip4:216.14.181.89 -all

and everything seemed to work OK. However, in the last week or so, I've been told that we can no longer send email to two different domains. When I checked my SPF setup using the tool at http://www.kitterman.com/getspf2.py, it said:
==============================
SPF records are primarily published in DNS as TXT records. The TXT records found for your domain are:

v=spf1 ip4:216.14.181.89 -all


SPF records should also be published in DNS as type SPF records. This is new and most implementations do not support it yet.
No type SPF records found.

Checking to see if there is a valid SPF record.

Found v=spf1 record for employersinc.com
v=spf1 ip4:216.14.181.89 -all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!

======================================

But, after hearing about the NDR problems, I looked for more ways to test my SPF setup. The website http://www.openspf.org showed a problem:

=======================================

An SPF-enabled mail server rejected a message that claimed an envelope sender address of alann@employersinc.com.
An SPF-enabled mail server received a message from email.employersinc.com (216.14.181.89) that claimed an envelope sender address of alann@employersinc.com.

The domain employersinc.com has authorized email.employersinc.com (216.14.181.89) to send mail on its behalf, so the message should have been accepted. It is impossible for us to say why it was rejected.

===================================

I don't know where to start looking for a problem. I'm using Cisco gear on my network. Most internal addresses are NAT'd, but the email server has a static address. All of my incoming mail goes to Postini for spam/virus filtering, and all of my outgoing mail comes directly from my server.
Alan Hardisty, Co-Owner (Top Expert 2011)
Commented:
Please have a read of my FAQ regarding problems sending mail out to one or more domains:
http://www.it-eye.co.uk/faqs/readQuestion.php?qid=2
If your SPF record matches your IP Address and is correct, which it seems to be, then something else is probably at fault.

Author

Commented:
The domain doesn't appear to be on any blacklists, and the SPF record matches the mail server's IP address.
PowerShell Developer (Top Expert 2010)
Commented:

You've checked the usual? Your PTR record and all that?

I can't see why your SPF record would cause failure, it's lovely and simple.

Chris
Author

Commented:
Yes, everything looks OK. The DNS listing for the email server has been out there forever, and the SPF record was put in about 6 months ago.
Chris Dent, PowerShell Developer (Top Expert 2010)
Commented:

The reject notification you pasted above, that came from the openspf.org mail test?

You mentioned NDRs, is that the above? Or is that in addition to what we have above?

Chris

Author

Commented:
The NDRs are coming from the two different domains, not from the mail testing.
Chris Dent, PowerShell Developer (Top Expert 2010)
Commented:

What reason do they quote for the reject? It's moderately unusual for an SPF failure to return an NDR; that makes sense when you consider what it's protecting against.

Chris

Author

Commented:
Here's one of them:

      abc@xyz.edu on 1/20/2010 11:10 AM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <email.employersinc.com #5.7.1 smtp;554 5.7.1 <abc@xyz.edu>: Relay access denied>


and here's the other

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.

            <email.employersinc.com #5.5.0 smtp;550-email.employersinc.com [216.14.181.89] is currently not permitted to relay>
Alan Hardisty, Co-Owner (Top Expert 2011)
Commented:
Sounds like they are rejecting you incorrectly.

Have you tried using telnet to manually test mail flow? You might see a better response for the rejection.

Telnet 123.123.123.123 25
ehlo yourdomain.com
mail from:
rcpt to:

quit
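The same EHLO / MAIL FROM / RCPT TO walk, scripted with Python's smtplib so that the reply code at each step is captured rather than read off a terminal. This is an added example, not code from the thread; the host and addresses in the usage line at the bottom are placeholders.

```python
"""Manual SMTP mail-flow probe: EHLO -> MAIL FROM -> RCPT TO, then QUIT.

Reports the reply at each step so you can see exactly which command the
recipient's MX rejects.  No message is ever sent (DATA is never issued).
"""
import re
import smtplib
from typing import Tuple

# Enhanced status code (RFC 3463) at the start of a reply line, e.g. "5.7.1"
ENHANCED = re.compile(r"^\s*(\d\.\d{1,3}\.\d{1,3})\b")

def parse_reply(code: int, text: str) -> dict:
    """Split an SMTP reply into its parts: the 3-digit code, whether it is a
    success, a transient (4xx) or permanent (5xx) failure, and the enhanced
    status code if the server put one at the start of the reply."""
    first = text.splitlines()[0] if text else ""
    m = ENHANCED.match(first)
    return {
        "code": code,
        "ok": 200 <= code < 400,
        "transient": 400 <= code < 500,
        "permanent": 500 <= code < 600,
        "enhanced": m.group(1) if m else None,
        "text": first.strip(),
    }

def probe(mx_host: str, helo_name: str, sender: str, recipient: str,
          port: int = 25, timeout: float = 15.0) -> Tuple[str, dict]:
    """Return (stage, parsed reply) for the first step that is not accepted,
    or ("rcpt", reply) when the recipient is accepted.  Run this from the
    mail server itself, since the MX judges the connecting IP."""
    with smtplib.SMTP(mx_host, port, local_hostname=helo_name, timeout=timeout) as s:
        steps = (("ehlo", lambda: s.ehlo(helo_name)),
                 ("mail", lambda: s.mail(sender)),
                 ("rcpt", lambda: s.rcpt(recipient)))
        for stage, call in steps:
            code, msg = call()
            reply = parse_reply(code, msg.decode(errors="replace"))
            if not reply["ok"]:
                return stage, reply
    return "rcpt", reply  # leaving the 'with' block sends QUIT

if __name__ == "__main__":
    # Placeholders: substitute the recipient's MX, your own HELO name and addresses.
    print(probe("mx.example.net", "mail.example.com",
                "postmaster@example.com", "someone@example.net"))
```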
Chris Dent, PowerShell Developer (Top Expert 2010)
Commented:

Test with Telnet and see if it repeats the error? You'll have to do that from your mail server of course, but both appear to be dropping you immediately after RCPT TO.

Personally, I would be pretty inclined to blame that on the recipient's system. If your configuration checks out, and from what you've posted and said it does, it can't really be your problem.

Chris
Chris Dent, PowerShell Developer (Top Expert 2010)
Commented:

Nice, matching responses :)

Chris
Alan Hardisty, Co-Owner (Top Expert 2011)
Commented:
It is always good to have your ideas backed up by others who suggest the same. Great minds think alike ;-)

Author

Commented:
I looked up the MX records for the two domains and found this:

domain #1
alt1.aspmx.l.google.com
aspmx5.googlemail.com
alt2.aspmx.l.google.com
aspmx.l.google.com
aspmx3.googlemail.com
aspmx4.googlemail.com

domain #2
alt2.aspmx.l.google.com
aspmx2.googlemail.com
aspmx3.googlemail.com
aspmx4.googlemail.com
aspmx5.googlemail.com
aspmx.l.google.com
alt1.aspmx1.google.com

When I telnetted to either alt1.aspmx.l.google.com or aspmx5.googlemail.com, I got this response:

220 ************************************
ehlo employersinc.com
502 5.5.1 Unrecognized command. 4si7282662yxe.65


When I telnetted directly to one of the domains on port 25, I got this response:

220 ****************************
ehlo employersinc.com
502 5.5.2 Error: command not recognized
Chris Dent, PowerShell Developer (Top Expert 2010)
Commented:

Google Apps.

Do you have anyone else in the recipient domain that can be used to test?

Otherwise if you have a googlemail account it should go through the same checks there.

Chris
Alan Hardisty, Co-Owner (Top Expert 2011)
Commented:
You have Cisco equipment. Have you turned smtp fixup off?

Author

Commented:
My email sent to mytestaccount@gmail.com is failing. One of my users just sent me a list of several hundred Gmail addresses, all failing.

Neither my edge router nor my ASA have smtp fixup mentioned in their configuration.
Alan Hardisty, Co-Owner (Top Expert 2011)
Commented:
So what was the problem?

Author

Commented:
There actually was an issue with blacklists. My incoming email goes to Postini, so I was checking the Postini servers and my domain against the blacklists. Those came up clean.
But my emailserver.mydomain.com did come up on a blacklist. It took a lot longer to find the problem than it did to resolve it, or for me to get off my lazy butt here and close up this question.
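The lesson of the resolution above is that the address to check against blocklists is the one that actually sends outbound mail, not the domain name or the inbound filtering servers. The following is an added example (not from the thread) of such a DNSBL lookup; the zone names, the sample IP and the answer table are constructed placeholders, and the resolver is injectable so the logic can be exercised offline.

```python
"""DNSBL (DNS blocklist) check for the IP that sends your outbound mail.

A DNSBL is queried by reversing the IPv4 octets and appending the list's
zone (216.14.181.89 in zone Z becomes 89.181.14.216.Z).  An A record in
127.0.0.0/8 means "listed"; NXDOMAIN means "not listed".  The resolver is
a parameter so the logic can be run offline against a constructed table.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name; raises ValueError if ip is not a plain IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listing(answer: Optional[str]) -> bool:
    """Only answers inside 127.0.0.0/8 count as a listing; anything else
    (e.g. a wildcard resolver handing back a public IP) is ignored."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:
        return False

def system_resolve(name: str) -> Optional[str]:
    """Live lookup with the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_ip(ip: str, zones: Iterable[str],
             resolve: Callable[[str], Optional[str]] = system_resolve) -> Dict[str, Optional[str]]:
    """Return {zone: answer-or-None}; a non-None value is the listing code
    (e.g. '127.0.0.2') whose meaning is defined by that list's documentation."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        results[zone] = answer if is_listing(answer) else None
    return results

if __name__ == "__main__":
    # Placeholders: substitute your mail server's public IP and the DNSBL
    # zones your recipients' filters actually consult.
    for zone, hit in check_ip("192.0.2.10", ["dnsbl.example"]).items():
        print(f"{zone}: {'LISTED ' + hit if hit else 'clean'}")
```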
