• Status: Solved

Errors Dealing with SPF Records

We are having issues with some emails not going out.  They're blocked after 1 second or less.  Things had been working fine before our switch to Comcast Business Class.  We have an Exchange 2003 server on site.  We used AT&T DSL and now Comcast.  We have a new static IP from Comcast.  This happened about a month ago.  Just after the change, I changed the MX record at the DNS hosting company to reflect the new static IP address of the local router. Also in the middle is Postini, which we use to filter inbound mail. We had Postini prior to and after the switch to Comcast.

Email seemed to work well until we started seeing NDRs with specific hosts.

Here is a copy of the most recent NDR.  The recipient's name and domain have been changed to XXX and YYY:

--------------------------------------------------

Reporting-MTA: dns; qmta01.westchester.pa.mail.comcast.net [76.96.62.24]
Received-From-MTA: dns; omta06.westchester.pa.mail.comcast.net [76.96.62.51]
Arrival-Date: Fri, 14 Oct 2011 20:01:58 +0000


Final-recipient: rfc822; xxxxx@yyy.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp;  550 5.7.1 SPF unauthorized mail is prohibited.
Last-attempt-Date: Fri, 14 Oct 2011 20:01:59 +0000

--------------------------------------------------

Any help on diagnosing this is greatly appreciated.

Thanks,

Ted
Papertrip Commented:
You need to create an SPF TXT record for yyy.com to say which IPs are allowed to send mail for your domain.

Example syntax where 1.2.3.4 is the sending IP of your mail server:
"v=spf1 ip4:1.2.3.4 -all"

Papertrip Commented:
Woops typo'd the first answer -- ignore the yyy.com part -- you need an SPF record for your domain.
Papertrip Commented:
Wherever you changed the MX record at your hosting company is where you will need to add the new TXT record.  TXT is a record type like MX, and needs to be set up for each domain that you want to send mail from.
tedwill (Author) Commented:
It's interesting, there's currently an address there that I didn't add - ("v=spf1 a ip4:198.66.164.83 include:g35.spf.mxservers.net -all")

Not sure where that came from.  But it's obviously not our IP address.  The server itself has a non-routable IP address.  Should I use the router address for the SPF record?  Also, will this change take as long as other MX record changes?
Papertrip Commented:
If you do not recognize either that IP or the include for mxservers.net, then delete them both.

If your mail is coming out the same IP as the WAN side of your router, then yes use that IP.

Once the record has been changed, the maximum wait time for propagation is whatever the TTL value is for that record.  Caching resolvers that do not have your current record cached will see the new record immediately.
tedwill (Author) Commented:
Thanks!
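
Added example, not part of the original thread: an offline evaluator for a subset of SPF mechanisms (ip4, ip6, a, include, all), showing how a receiver arrives at a fail when the published record does not list the sending IP and ends in -all, and how a record naming the current WAN IP passes. The domain example.org, the address 203.0.113.10, the A record and the contents of the include target are constructed placeholders; DNS is replaced by dictionaries so the check runs without network access.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, domain, txt=None, a=None):
    """Evaluate a subset of SPF (RFC 7208): ip4, ip6, a, include, all.

    txt and a are offline stand-ins for DNS lookups:
    {name: spf_record} and {name: [ip, ...]}.
    """
    txt, a = txt or {}, a or {}
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        # A missing qualifier means "+" (pass on match).
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6") and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(x) for x in a.get(arg or domain, []))
        elif name == "include" and arg in txt:
            # Only a "pass" from the included record counts as a match;
            # its own "-all" does not fail the outer evaluation.
            matched = check_spf(txt[arg], sender_ip, arg, txt, a) == "pass"
        else:
            return "permerror"  # unsupported term or unresolvable include
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"

# Constructed sample data: example.org, 203.0.113.10 and the contents of the
# include target are placeholders, not values from the thread.
DOMAIN = "example.org"
NEW_WAN_IP = "203.0.113.10"
STALE = "v=spf1 a ip4:198.66.164.83 include:g35.spf.mxservers.net -all"
FIXED = f"v=spf1 ip4:{NEW_WAN_IP} -all"
TXT = {"g35.spf.mxservers.net": "v=spf1 ip4:192.0.2.0/24 -all"}
A = {DOMAIN: ["198.51.100.7"]}

if __name__ == "__main__":
    for label, rec in (("stale", STALE), ("fixed", FIXED)):
        print(label, check_spf(rec, NEW_WAN_IP, DOMAIN, TXT, A))
```

To check the record a domain actually publishes, query its TXT records with a DNS lookup tool and pass the v=spf1 string to check_spf together with the IP the mail leaves from.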