Errors Dealing with SPF Records

Posted on 2011-10-16
Last Modified: 2012-08-13
We are having issues with some emails not going out.  They're blocked after 1 second or less.  Things had been working fine before our switch to Comcast Business Class.  We have an Exchange 2003 server on site.  We used AT&T DSL and now Comcast.  We have a new static IP from Comcast.  This happened about a month ago.  Just after the change, I changed the MX record by the DNS hosting company to reflect the new static IP address of the local router. Also in the middle is Postini, which we use to filter inbound mail. We had Postini prior to and after the switch to Comcast.

Email seemed to work well until we started seeing NDRs with specific hosts.

Here is a copy of the most recent NDR.  The recipient's name and domain have been changed to XXX and YYY:


Reporting-MTA: dns; []
Received-From-MTA: dns; []
Arrival-Date: Fri, 14 Oct 2011 20:01:58 +0000

Final-recipient: rfc822;
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp;  550 5.7.1 SPF unauthorized mail is prohibited.
Last-attempt-Date: Fri, 14 Oct 2011 20:01:59 +0000


Any help on diagnosing this is greatly appreciated.


Question by:tedwill
    LVL 21

    Expert Comment

    You need to create an SPF TXT record for to say which IP's are allowed to send mail for your domain.

    Example syntax where is the sending IP of your mail server:
    "v=spf1 ip4: -all"


    LVL 21

    Expert Comment

    Whoops, typo'd the first answer -- ignore the part -- you need an SPF record for your domain.
    LVL 21

    Expert Comment

    Wherever you changed the MX record at your hosting company is where you will need to add the new TXT record.  TXT is a record type like MX, and needs to be set up for each domain that you want to send mail from.

    Author Comment

    It's interesting, there's currently an address there that I didn't add - ("v=spf1 a ip4: -all")

    Not sure where that came from.  But it's obviously not our IP address.  The server itself has a non routable IP address.  Should I use the router address for the SPF record?  Also, will this change take as long as other MX record changes?
    LVL 21

    Accepted Solution

    If you do not recognize either that IP or the include for, then delete them both.

    If your mail is coming out the same IP as the WAN side of your router, then yes use that IP.

    Once the record has been changed, the maximum wait time for propagation is whatever the TTL value is for that record.  Caching resolvers that do not have your current record cached will see the new record immediately.
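    The two expert answers above describe SPF records in terms of mechanisms (`ip4:`, `a`, `include:`) and a final `-all`, and the accepted solution advises removing any `ip4:` address or `include:` you do not recognise before publishing the router's WAN IP. The following is an added example, not code from the thread, that shows what a receiving server actually does with such a record: a minimal SPF evaluator that walks the mechanisms left to right and returns the qualifier of the first one that matches the sending IP. It uses a constructed in-memory table (`FAKE_DNS`) in place of live DNS, and the domain names and addresses in it are assumptions drawn from the documentation ranges, not the asker's real domain or IPs.

```python
import ipaddress

# Constructed, offline stand-in for DNS (assumption: example.com is the sending
# domain; 203.0.113.10 plays the router's WAN IP; 192.0.2.7 plays the stray
# ip4: address the asker found and did not recognise).
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 a ip4:203.0.113.10 -all"],
    ("example.com", "A"): ["198.51.100.25"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    # A domain that delegates to a filtering service via include:
    ("sender.example", "TXT"): ["v=spf1 include:_spf.filter.example -all"],
    ("_spf.filter.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

# Qualifier prefix on each mechanism; a missing prefix means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the constructed records for (name, type); [] when none exist."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def get_spf(domain):
    """Pick the TXT record that starts with v=spf1, or None if the domain has none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in(ip, network):
    """True if ip falls inside network; a bare address is treated as a /32 or /128."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record for the sending ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (unknown mechanism or include: nesting too deep).
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    record = get_spf(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech == "a":  # the domain's own A record(s), or those of a:target
            target = arg or domain
            matched = any(ip_in(ip, a) for a in lookup(target, "A"))
        elif mech == "mx":  # A records of every MX host
            hosts = lookup(arg or domain, "MX")
            matched = any(ip_in(ip, a) for h in hosts for a in lookup(h, "A"))
        elif mech == "include":  # recurse; only an inner 'pass' matches
            inner = check_spf(ip, arg, depth + 1)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record had no explicit all


if __name__ == "__main__":
    for sender_ip, dom in [("203.0.113.10", "example.com"),
                           ("198.51.100.25", "example.com"),
                           ("192.0.2.7", "example.com"),
                           ("192.0.2.7", "sender.example"),
                           ("10.0.0.1", "sender.example")]:
        print(f"{sender_ip:>15} as {dom:<15} -> {check_spf(sender_ip, dom)}")
```

In the constructed data the router's WAN address passes through `ip4:`, the host behind the domain's A record passes through `a`, and any other address reaches `-all` and fails, which is the 550 result the NDR in the question reports. The `sender.example` entry shows why an unrecognised `include:` matters: it hands authorisation to whatever the included domain publishes, so 192.0.2.7 passes for `sender.example` even though it fails for `example.com`. A private address such as the Exchange server's own 10.x or 192.168.x IP never appears in DNS as seen by the recipient, which is why the record has to carry the public address the mail actually leaves from.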

    Author Closing Comment

