SPF Records, GoDaddy, Exchange, incoming rejected?

Posted on 2012-03-20
Last Modified: 2012-06-21

I have two different domains with

1. Domain1 exists only on GoDaddy with their MX record, nothing has been changed on this account in years.

2. Domain2's DNS Zone file is with GoDaddy and had their MX record until recently.  I have modified the MX record to point to my in-house Exchange server.  My Exchange server receives the incoming email and looks for a box.  If no box exists it sends it to GoDaddy to find a box there.

Up until 3/6 all emails for both domains were working fine.  On 3/9 I found out a few emails that were sent to were rejected due to SPF Record Unauthorized.  Same company that has been sending me emails without issue and all of a sudden cannot send me emails.

Around the same time I started moving over to Exchange and changing the MX record to point to me directly.

On that domain I have multiple complaints from companies indicating their emails are bouncing with the same error.  However, I do not believe they are bouncing if a box exists on the Exchange server (I will have to double check that).


Therefore, my questions are:

1. Why the sudden rejection, especially on a domain that hasn't changed?
2. Are the email headers for incoming email being modified when it passes through my Exchange server (for Domain2) and therefore being rejected by GoDaddy when my Exchange server passes it onto GoDaddy?

If you think number 2 is true then why does it only reject a few?

Thank you for your time and help.
Question by:Adam D
LVL 17

Assisted Solution

fgrushevsky earned 500 total points
ID: 37744712
GoDaddy checks incoming mail using SPF records - i.e. they check if the server that sends mail is authorized to do so and the incoming mail is not spoofed.
To the best of my knowledge it is a global setting, enabled for all GoDaddy customers, and it can't be disabled by customer account or domain.

It looks like the problem with domain1 lies on the sender side. The owner of the domain1 either recently published incorrect SPF records or made changes to the sending servers (for example, added a server or changed an existing server IP) without updating SPF records.  From my experience, it happens quite often, as usually different people are responsible for the mail server and for the DNS records.
LVL 17

Assisted Solution

fgrushevsky earned 500 total points
ID: 37744743
On the Domain2 the change you made caused the problem.
Before the change all the companies with published SPF records were successfully sending mail, because mail was passing SPF validation by GoDaddy.

What happens now is the mail from these companies goes to your Exchange server (where you don't care about SPF), then some mail for users that are not present on Exchange is going to GoDaddy.
So from GoDaddy's perspective it looks like your server is sending mail to GoDaddy on behalf of all these companies.
Since your server is not listed in SPF records for all these companies as an authorized server, GoDaddy bounces these mails as spoofed!

I would try to set it up the other way, where mail shall go to GoDaddy first and then, if the recipient mailbox is not present, let GoDaddy send mail to your Exchange server.

Author Comment

by:Adam D
ID: 37750038
Thanks for your reply and information.

I had thought about that problem with Exchange being the "middleman."  Unfortunately I cannot set up GoDaddy to redirect if no box is found and this will be moot soon, but I would like to know how I can pass along the headers to GoDaddy when coming from Exchange so I can avoid this issue.

LVL 17

Accepted Solution

fgrushevsky earned 500 total points
ID: 37750168
The passing of the headers - even if possible - is not going to help.
GoDaddy is looking for the IP of the connecting server (your Exchange server) and matching it against SPF records published in DNS.

I would try to contact GoDaddy support to see if they have an option to disable SPF check for a domain or an account. It was not an option in the past, but things might have changed...
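
To illustrate the point above that the receiver matches the connecting server's IP against the sender's published SPF record, here is an added example (not part of the original thread, and not GoDaddy's implementation). The domains, IP addresses and TXT records are constructed, and only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled.

```python
import ipaddress

# Constructed TXT records (documentation IP ranges, hypothetical domains).
ZONE = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.16/28 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, zone=ZONE, depth=0):
    """Evaluate ip4/ip6/include/all for the connecting IP (subset of RFC 7208)."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # sender publishes no SPF record: nothing to enforce
    if depth > 10:
        return "permerror"  # guard against include loops
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the included record returns pass
            matched = check_spf(client_ip, arg, zone, depth + 1) == "pass"
        else:
            continue  # a, mx, exists, modifiers: not modelled in this subset
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def hop_results(mail_from_domain, hops):
    """SPF result at each receiving hop, keyed by the IP that hop sees connecting."""
    return {name: check_spf(ip, mail_from_domain) for name, ip in hops}

# Same message, same envelope sender; only the connecting IP differs.
HOPS = [
    ("sender -> GoDaddy (old MX)", "192.0.2.25"),
    ("sender -> Exchange (new MX)", "192.0.2.25"),
    ("Exchange -> GoDaddy (relay)", "203.0.113.10"),  # constructed Exchange IP
]
if __name__ == "__main__":
    for hop, result in hop_results("sender.example", HOPS).items():
        print(f"{hop}: {result}")
```

The relay hop fails because the only input that changed is the connecting IP; a sender domain with no published record returns `none` at every hop.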

Author Comment

by:Adam D
ID: 37750226
No, already checked. Global only...

No other solution?
LVL 17

Expert Comment

ID: 37750283
Sorry, I can't think of any other practical solutions :(

Question has a verified solution.