SPF Records, GoDaddy, Exchange, incoming rejected?


I have two different domains with GoDaddy.com.

1. Domain1 exists only on GoDaddy with their MX record, nothing has been changed on this account in years.

2. Domain2's DNS Zone file is with GoDaddy and had their MX record until recently.  I have modified the MX record to point to my in-house Exchange server.  My Exchange server receives the incoming email and looks for a box.  If no box exists it sends it to GoDaddy to find a box there.

Up until 3/6 all emails for both domains were working fine.  On 3/9 I found out a few emails that were sent to Domain1.com were rejected due to SPF Record Unauthorized.  Same company that has been sending me emails without issue and all of a sudden cannot send me emails.

Around the same time I started moving Domain2.com over to Exchange and changing the MX record to point to me directly.

On that domain I have multiple complaints from companies indicating their emails are bouncing with the same error.  However, I do not believe they are bouncing if a box exists on the Exchange server (I will have to double check that).


Therefore, my questions are:

1. Why the sudden rejection, especially on a domain that hasn't changed?
2. Are the email headers for incoming email being modified when it passes through my Exchange server (for Domain2) and therefore being rejected by GoDaddy when my Exchange server passes it onto GoDaddy?

If you think number 2 is true then why does it only reject a few?

Thank you for your time and help.
Adam DIT Solutions DeveloperAsked:

GoDaddy checks incoming mail using SPF records - i.e. they check whether the server that sends the mail is authorized to do so and that the incoming mail is not spoofed.
To the best of my knowledge it is a global setting, enabled for all GoDaddy customers, and it can't be disabled per customer account or domain.

It looks like the problem with domain1 lies on the sender side. The owner of the domain1 either recently published incorrect SPF records or made changes to the sending servers (for example, added a server or changed an existing server's IP) without updating the SPF records.  From my experience, it happens quite often, as usually different people are responsible for the mail server and for the DNS records.
On Domain2, the change you made caused the problem.
Before the change, all the companies with published SPF records were successfully sending mail, because the mail was passing SPF validation by GoDaddy.

What happens now is that the mail from these companies goes to your Exchange server (where you don't care about SPF), then some mail for users that are not present on Exchange goes on to GoDaddy.
So from GoDaddy's perspective it looks like your server is sending mail to GoDaddy on behalf of all these companies.
Since your server is not listed in the SPF records of all these companies as an authorized server, GoDaddy bounces these mails as spoofed!

I would try to set it up the other way, where mail goes to GoDaddy first and then, if the recipient mailbox is not present, GoDaddy sends the mail to your Exchange server.
Adam DIT Solutions DeveloperAuthor Commented:
Thanks for your reply and information.

I had thought about that problem with Exchange being the "middleman."  Unfortunately I cannot set up GoDaddy to redirect if no box is found and this will be moot soon; but I would like to know how I can pass along the headers to GoDaddy when coming from Exchange so I can avoid this issue.


Passing the headers - even if possible - is not going to help.
GoDaddy is looking at the IP of the connecting server (your Exchange server) and matching it against the SPF records published in DNS.

I would try to contact GoDaddy support to see if they have an option to disable the SPF check for a domain or an account. It was not an option in the past, but things might have changed...
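The check described in the two answers above, as an added example that is not part of the original thread: a small SPF evaluator (the `ip4`, `ip6`, `include` and `all` mechanisms only, a subset of RFC 7208) run against constructed records. The domains, address ranges and the relay IP standing in for the in-house Exchange server are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF TXT records (documentation domains and address ranges).
SPF_RECORDS = {
    "partner.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.128/25 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(connecting_ip, mail_from_domain, records=SPF_RECORDS, depth=0):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Only the connecting IP and the envelope sender domain are inputs;
    message headers play no part in the result.
    """
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF record: nothing to enforce
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        elif name == "include":
            # include matches only if the nested evaluation returns "pass"
            if check_spf(connecting_ip, arg, records, depth + 1) == "pass":
                return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


def delivery_outcomes(sender_ip, relay_ip, mail_from_domain):
    """Compare direct delivery with delivery relayed by an intermediate server."""
    return {
        "direct": check_spf(sender_ip, mail_from_domain),
        "relayed": check_spf(relay_ip, mail_from_domain),
    }


if __name__ == "__main__":
    # 198.51.100.25: the partner's own server; 203.0.113.10: the relaying server.
    print(delivery_outcomes("198.51.100.25", "203.0.113.10", "partner.example"))
    print(delivery_outcomes("198.51.100.25", "203.0.113.10", "nospf.example"))
```

Senders whose domain publishes no SPF record evaluate to `none` in both cases, so only mail from domains with an enforcing record is affected by the relay hop.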

Adam DIT Solutions DeveloperAuthor Commented:
No, already checked. Global only...

No other solution?
Sorry, I can't think of any other practical solutions :(