SPF Records, GoDaddy, Exchange, incoming rejected?

Posted on 2012-03-20
Last Modified: 2012-06-21

I have two different domains with

1. Domain1 exists only on GoDaddy with their MX record, nothing has been changed on this account in years.

2. Domain2's DNS Zone file is with GoDaddy and had their MX record until recently.  I have modified the MX record to point to my in-house Exchange server.  My Exchange server receives the incoming email and looks for a box.  If no box exists it sends it to GoDaddy to find a box there.

Up until 3/6 all emails for both domains were working fine.  On 3/9 I found out a few emails that were sent to were rejected due to SPF Record Unauthorized.  Same company that has been sending me emails without issue and all of a sudden cannot send me emails.

Around the same time I started moving over to Exchange and changing the MX record to point to me directly.

On that domain I have multiple complaints from companies indicating their emails are bouncing with the same error.  However, I do not believe they are bouncing if a box exists on the Exchange server (I will have to double check that).


Therefore, my questions are:

1. Why the sudden rejection, especially on a domain that hasn't changed?
2. Are the email headers for incoming email being modified when it passes through my Exchange server (for Domain2) and therefore being rejected by GoDaddy when my Exchange server passes it onto GoDaddy?

If you think number 2 is true then why does it only reject a few?

Thank you for your time and help.
Question by:Adam D

Assisted Solution

fgrushevsky earned 500 total points
ID: 37744712
GoDaddy checks incoming mail using SPF records - i.e. they check if the server that sends mail is authorized to do so and the incoming mail is not spoofed.
To the best of my knowledge it is a global setting, enabled for all GoDaddy customers, and it can't be disabled by customer account or domain.

It looks like the problem with domain1 lies on the sender side. The owner of the domain1 either recently published incorrect SPF records or made changes to the sending servers (for example, added a server or changed an existing server's IP) without updating the SPF records. From my experience, it happens quite often, as usually different people are responsible for the mail server and for the DNS records.

Assisted Solution

fgrushevsky earned 500 total points
ID: 37744743
On Domain2, the change you made caused the problem.
Before the change, all the companies with published SPF records were successfully sending mail, because mail was passing SPF validation by GoDaddy.

What happens now is that the mail from these companies goes to your Exchange server (where you don't care about SPF), then some mail for users that are not present on Exchange goes to GoDaddy.
So from GoDaddy's perspective it looks like your server is sending mail to GoDaddy on behalf of all these companies.
Since your server is not listed in the SPF records for all these companies as an authorized server, GoDaddy bounces these mails as spoofed!

I would try to set it up the other way, where mail goes to GoDaddy first and then, if the recipient mailbox is not present, let GoDaddy send the mail to your Exchange server.

Author Comment

by:Adam D
ID: 37750038
Thanks for your reply and information.

I had thought about that problem with Exchange being the "middleman."  Unfortunately I cannot set up GoDaddy to redirect if no box is found, and this will be moot soon; but I would like to know how I can pass along the headers to GoDaddy when coming from Exchange so I can avoid this issue.


Accepted Solution

fgrushevsky earned 500 total points
ID: 37750168
Passing the headers - even if possible - is not going to help.
GoDaddy is looking for the IP of the connecting server (your Exchange server) and matching it against the SPF records published in DNS.

I would try to contact GoDaddy support to see if they have an option to disable the SPF check for a domain or an account. It was not an option in the past, but things might have changed...
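
Added example (not part of the original thread, and not GoDaddy's implementation): a minimal SPF evaluator that handles only the `ip4`, `ip6` and `all` mechanisms, showing why a message that passes when the sender connects directly fails once an intermediate server relays it, regardless of headers. The domains, addresses and SPF records are constructed; `203.0.113.10` stands in for the in-house Exchange server.

```python
import ipaddress

# Constructed SPF records (documentation addresses); not taken from the thread.
SPF_RECORDS = {
    "partner.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "nospf.example": None,  # domain publishes no SPF record
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(connecting_ip, mail_from, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all mechanisms for the MAIL FROM domain against
    the IP that opened the SMTP connection. Headers play no part."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # other mechanisms (a, mx, include, ...) need DNS and are skipped here
    return "neutral"


def delivery_paths(sender_ip, relay_ip, mail_from):
    """Compare what the final host sees for direct delivery vs. a relay hop."""
    return {
        "direct": check_spf(sender_ip, mail_from),
        "via_relay": check_spf(relay_ip, mail_from),
    }


if __name__ == "__main__":
    # 203.0.113.10 stands in for the in-house Exchange server's public IP.
    print(delivery_paths("192.0.2.17", "203.0.113.10", "billing@partner.example"))
    print(delivery_paths("192.0.2.17", "203.0.113.10", "user@nospf.example"))
```

A sender domain with no SPF record evaluates to `none` on both paths, so only senders that publish a strict record are affected by the relay hop.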

Author Comment

by:Adam D
ID: 37750226
No, already checked. Global only...

No other solution?

Expert Comment

ID: 37750283
Sorry, I can't think of any other practical solutions :(


Question has a verified solution.
