

Errors Dealing with SPF Records

Posted on 2011-10-16
Medium Priority
Last Modified: 2012-08-13
We are having issues with some emails not going out.  They're blocked after 1 second or less.  Things had been working fine before our switch to Comcast Business Class.  We have an Exchange 2003 server on site.  We used AT&T DSL and now Comcast.  We have a new static IP from Comcast.  This happened about a month ago.  Just after the change, I changed the MX record by the DNS hosting company to reflect the new static IP address of the local router. Also in the middle is Postini, which we use to filter inbound mail. We had Postini prior to and after the switch to Comcast.

Email seemed to work well until we started seeing NDRs with specific hosts.

Here is a copy of the most recent NDR.  The recipient's name and domain have been changed to XXX and YYY:


Reporting-MTA: dns; qmta01.westchester.pa.mail.comcast.net []
Received-From-MTA: dns; omta06.westchester.pa.mail.comcast.net []
Arrival-Date: Fri, 14 Oct 2011 20:01:58 +0000

Final-recipient: rfc822; xxxxx@yyy.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp;  550 5.7.1 SPF unauthorized mail is prohibited.
Last-attempt-Date: Fri, 14 Oct 2011 20:01:59 +0000


Any help on diagnosing this is greatly appreciated.


Question by:tedwill
LVL 21

Expert Comment

ID: 36976939
You need to create an SPF TXT record for yyy.com to say which IPs are allowed to send mail for your domain.

Example syntax where is the sending IP of your mail server:
"v=spf1 ip4: -all"


LVL 21

Expert Comment

ID: 36976942
Whoops, typo'd the first answer -- ignore the yyy.com part -- you need an SPF record for your domain.
LVL 21

Expert Comment

ID: 36976947
Wherever you changed the MX record at your hosting company is where you will need to add the new TXT record.  TXT is a record type like MX, and needs to be set up for each domain that you want to send mail from.


Author Comment

ID: 36977150
It's interesting, there's currently an address there that I didn't add - ("v=spf1 a ip4: include:g35.spf.mxservers.net -all")

Not sure where that came from.  But it's obviously not our IP address.  The server itself has a non routable IP address.  Should I use the router address for the SPF record?  Also, will this change take as long as other MX record changes?
LVL 21

Accepted Solution

Papertrip earned 2000 total points
ID: 36977160
If you do not recognize either that IP or the include for mxservers.net, then delete them both.

If your mail is coming out the same IP as the WAN side of your router, then yes use that IP.

Once the record has been changed, the maximum wait time for propagation is whatever the TTL value is for that record.  Caching resolvers that do not have your current record cached will see the new record immediately.
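
Added example, not part of the original thread: a small offline SPF evaluator showing why a record that still lists the previous provider's addresses yields "fail" (the 550 5.7.1 rejection above) for mail leaving from a new static IP, and why a record naming that IP yields "pass". The domain, the IP addresses, both records and the dictionary standing in for DNS are constructed assumptions; only the `a`, `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample data (documentation-range IPs); DNS is a dict, not a live lookup.
DOMAIN = "example.org"
NEW_WAN_IP = "203.0.113.7"  # assumed address mail leaves from after the ISP change
OLD_RECORD = "v=spf1 a ip4:198.51.100.25 include:spf.oldhost.example -all"
NEW_RECORD = "v=spf1 ip4:203.0.113.7 -all"
DNS = {
    "A": {"example.org": ["192.0.2.10"]},
    "TXT": {"spf.oldhost.example": "v=spf1 ip4:198.51.100.128/25 -all"},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, domain, dns=DNS, depth=0):
    """Evaluate a record left to right; the first matching mechanism decides."""
    if depth > 10:
        return "permerror"  # guard against include loops
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed, e.g. "ip4:" with no address
        elif name == "a":
            matched = sender_ip in dns["A"].get(arg or domain, [])
        elif name == "include":
            sub = check_spf(dns["TXT"].get(arg, ""), sender_ip, arg, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            matched = sub == "pass"
        else:
            continue  # mx, exists, ptr, redirect= etc. are outside this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for label, rec in (("old", OLD_RECORD), ("new", NEW_RECORD)):
        print(label, check_spf(rec, NEW_WAN_IP, DOMAIN))
```

The published record can be compared against this by querying the domain's TXT record and checking it against the address that appears in the Received headers of a delivered message.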

Author Closing Comment

ID: 36977205


Question has a verified solution.
