Solved

Outgoing mail and SPF/PTR

Posted on 2011-09-27
5
798 Views
Last Modified: 2012-05-22
Greetings,

I've been having a recent issue of MAILSPIKE and blacklisting site listing my domain as unsafe, preventing emails from being received by MAILSPIKE users.  Unfortunately, MAILSPIKE is supremely pathetic at providing any information (threat reasoning or contact).  Thus, I'm investigating my network to identify what could be going on.  I have relaying disabled and have examined my logs exhaustively.  I'm looking to implement an SPF record within my DNS, but I suspect limited return on that.  However, I've read nothing to suggest that it could hurt.  However, I have come across an issue that made me need to whip up this inquiry.  Currently, Mailspike is flagging IP address x.x.x.a (my router's WAN IP), while my mail server has x.x.x.b associated with it and the MX record (obviously), which is then NATed to it's private IP.  So, upon setting up a SPF, while I could do similar to the following <domain.com TXT "v=spf1 mx -all">, would that even matter in this case, as the flagged IP is x.x.x.a, not x.x.x.b?  Also, while troubleshooting, it was also suggested that my PTR is incorrect.  However, per http://www.uceprotect.net/en/rblcheck.php, it comes back as correct.  Needless to say, Mailspike and Uceprotect are irritating me, but as a responsible net admin, I do want to resolve the matter.  Would appreciate any pertinent input.  Thanks.  Jer
0
Comment
Question by:Jer
  • 2
  • 2
5 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36713228
If you could provide the hostname and/or IP of your sending servers, I can tell you exactly how it all should be done, and the best way to do it.

SPF record needs to be your sending server(s) IP(s), and on that note, blacklists only affect the sending IP(s) as well.

I'm currently working on another SPF issue at http://www.experts-exchange.com/Networking/Protocols/DNS/Q_27344632.html
0
 
LVL 3

Author Comment

by:Jer
ID: 36717538
Papertrip, thanks for the response.  Looked at your other ticket, which seems to be the same issue.  I'm just wondering if I'm supposed to be doing a different config (such as static 1-to-1) for my outgoing mail.  As the IP for WAN port on my central firewall is the route (and address) for all outgoing traffic (SMTP, FTP, HTTP, etc), do I simply create a request (SPF record) for that address x.x.x.a?

Also, when I did discuss creating the record with my ISP who hosts my DNS records, I got a blank stare.  They didn't know what I was talking about.  Does the SPF record get applied elsewhere?

Thanks,

Jer  
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 36718867
If I'm understanding your question and reply correctly, you actually are in a good position right now to do this the "right way".

Set your firewall up so that all outgoing traffic from your mail server goes over x.x.x.b
Create PTR for x.x.x.b that matches the A record of your mail server
Create SPF record with x.x.x.b

Done!

It might help you to wrap your head around all of this stuff if you separate incoming and outgoing mail.  Your MX record has nothing to do with sending mail, only receiving.  Sometimes people get confused when they think that MX and SPF have to match up and things like that.
0
 
LVL 3

Author Closing Comment

by:Jer
ID: 36980671
Thanks for the help.  Sorry for the delay in responding.  Been hectic here.
0
 

Expert Comment

by:sbenhamou
ID: 37996670
Hi

I've done the exact same procedure when changing my ISP, and I'm still in the mailspike blacklist. Since we can't contact them, and since I'm blacklisted each time I change the outgoing IP address, does anyone have an idea how to fix my issue ?
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Exchange 2007 not reaching Rackspace servers 7 29
Exchange 2013 not searching 9 37
.cer Exchange Certificate 2013 issue. 2 27
Public DNS? 10 51
Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video discusses moving either the default database or any database to a new volume.

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now