DNS/PTR Mismatch and SPF record

Posted on 2012-03-21
Last Modified: 2012-04-05
I am having issues emailing some customers.  The error I receive is the following:

You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <hercules.domain.local #5.7.1 smtp;554 5.7.1 Sender DNS/PTR Mismatch: IP Address for PTR Hostname does not match sending IP:[75.x.x.x] - Possible Forgery>

I did not configure our DNS records originally and I believe certain records such as SPF and PTR are not configured correctly.

Our mx record points to MXlogic.  So any incoming email goes to MXlogic/McAfee to be scanned.  Our exchange server is and points to 75.x.x.30.  Our Exchange server is behind our firewall which has an IP of 75.x.x.20, so this is the IP other SMTP servers will see our emails coming from.

This is where I am confused.  If I do an nslookup for 75.x.x.20 I get and I don't even know where the name came from.  If I do an nslookup for I get the IP of my www record which does not match my firewall IP 75.x.x.20.  I don't have the on Network Solutions so I am assuming this is a record at the ISP.  I am wondering if the mismatch is because the IP where my emails are coming from resolves to a record whose IP does not match the sender IP, in this case 75.x.x.20.

What is my outgoing IP (75.x.x.20) supposed to resolve to? is currently pointing to 75.x.x.30 and the record is used by MXlogic to forward our incoming emails.
The other thing that happens is if I do a test connectivity using and use the outbound email test, the result comes back with everything ok except for the SPF record, which is not found.  The test asks me for the outgoing IP so I use 75.x.x.20.
If I do a SPF test using mxtoolbox and use it doesn't find anything, but if I use it finds the following:

Type      Domain Name      TTL      Record
TXT      2 hrs      v=spf1 mx ip4:75.x.x.20 ~all
TXT      60 min      v=spf1 ptr ~all

Record: v=spf1 mx ip4:75.x.x.20 ~all
Prefix      Type      Value      Prefix Desc      Description
+      mx            Pass      Match if IP is one of the MX hosts for given domain name
+      ip4      75.x.x.20      Pass      Match if IP is in the given range
~      all            SoftFail      Always matches. It goes at the end of your record.
Question by:cartereverett
LVL 21

Accepted Solution

Papertrip earned 500 total points
ID: 37750064
Alright this isn't as bad as it seems and should be easy to fix.

First off your sending IP of 75.x.x.20 needs to have a PTR record and a matching A record.  If you already have at 75.x.x.30 and it is for incoming only, then create a new hostname for your outgoing server / 75.x.x.20.  The name doesn't matter, just make sure the records match and, if possible, change the SMTP banner / HELO to match as well.  At work for my sending servers we use, just an example.

Now the SPF record you pasted is only for mails that have an envelope-from of  Aside from that it appears you have 2 SPF records, you should only have per sending domain.

If 75.x.x.20 is your only sending IP for, then

"v=spf1 ip4:75.x.x.20 -all"


Having the mx mechanism in there allows your incoming mail servers to send mail from your domain as well, so that is unnecessary unless MXlogic is also sending for you.  Same thing goes for the entire 2nd SPF record.
LVL 21

Expert Comment

ID: 37750083
Oh and you need to contact your ISP to get the PTR record for 75.x.x.20 changed.

Typo in first comment:
Aside from that it appears you have 2 SPF records, you should only have one per sending domain.
LVL 41

Expert Comment

by:Adam Brown
ID: 37750210
Out of curiosity, is your outgoing mail going to MXLogic as well, or is it going to mail servers directly from your Exchange server?

Author Comment

ID: 37750216
It used to go to MXLogic because we wanted to archive our emails with them, but we canceled the archiving options and we are only using incoming spam/anti-malware filtering.
LVL 41

Expert Comment

by:Adam Brown
ID: 37750241
If you're not sending from MXLogic, you can remove the second SPF Record from your DNS:
TXT      60 min      v=spf1 ptr ~all

This might be throwing things off. Also, contact your ISP to make sure you have a PTR record for your Domain Name as has been mentioned. Also, the SPF record needs to match what is after the @ in your email addresses. So the SPF record should be set on if your email address is
LVL 21

Expert Comment

ID: 37750268
To clarify there shouldn't even be a 2nd SPF record, it is clearly against the SPF RFC.

Also to clarify SPF checks against the envelope-from, not the body-from (and are able to check against HELO per RFC).
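As an added illustration (not code from the thread or from any of its posters), this Python snippet models the two checks the accepted solution and the comment above describe: forward-confirmed reverse DNS for the sending IP, and SPF evaluation per RFC 7208 for the ip4/mx/all mechanisms, including the permanent error that results from publishing two SPF records. The DNS table, the hostnames and the filled-in "x" octets are constructed placeholders so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. Hostnames are
# placeholders (the thread elides the real ones); the 'x' octets of the
# 75.x.x.20 / 75.x.x.30 addresses from the question are filled in as 1.1.
DNS = {
    ("20.1.1.75.in-addr.arpa", "PTR"): ["outbound.example.com"],
    ("outbound.example.com", "A"): ["75.1.1.20"],
    ("mail.example.com", "A"): ["75.1.1.30"],
    # Fixed state recommended in the thread: one record, only the sending IP.
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "TXT"): ["v=spf1 ip4:75.1.1.20 -all"],
    # The question's first record on its own: 'mx' also authorises the MX host.
    ("original.example.com", "MX"): ["mail.example.com"],
    ("original.example.com", "TXT"): ["v=spf1 mx ip4:75.1.1.20 ~all"],
    # The question's original state: two SPF records published at once.
    ("broken.example.com", "TXT"): ["v=spf1 mx ip4:75.1.1.20 ~all", "v=spf1 ptr ~all"],
}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def fcrdns_ok(ip):
    """Forward-confirmed reverse DNS: an A record of the PTR name must contain ip."""
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    return any(ip in lookup(host, "A") for host in lookup(rev, "PTR"))

def check_spf(domain, ip):
    """Minimal RFC 7208 evaluation (ip4, mx, all). Returns the SPF result string."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:          # RFC 7208 section 4.5: more than one record is permerror
        return "permerror"
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        q = "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return qualifiers[q]
        if mech == "ip4" and ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
            return qualifiers[q]
        if mech == "mx" and any(ip in lookup(mx, "A") for mx in lookup(domain, "MX")):
            return qualifiers[q]
        # Other mechanisms (ptr, a, include) are not implemented here and never match.
    return "neutral"               # no mechanism matched and no 'all' present
```

check_spf("original.example.com", "75.1.1.30") returns "pass", which is the point made about the mx mechanism letting the incoming MX host send as well.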

Author Comment

ID: 37750280
Got it PaperTrip.  I did my changes and removed the second SPF.

I have one more question.  I sent a test to Gmail and my changes are showing up now.  I can see the received-from as  However, the Message-ID shows <65D9A9F334ED8A48B9E6108528349EC70FCAA1F8@servername.mydomain.local>.  How can this be changed?

I am running Exc 2003.
LVL 21

Expert Comment

ID: 37750290
That sounds like it might be the SMTP banner name or HELO name.  I'm not an Exchange guy so not sure of the exact setting.

BTW in the 1st SPF record there is the mx mechanism which says that MXlogic is also able to send from your domain, fyi.

Author Comment

ID: 37750317
I removed the MXLogic SPF and left "v=spf1 ip4:75.x.x.20 -all".  Like I explained before, they were technically sending email for us before because all outgoing emails were going to them to get archived and they would them to the final destination.
LVL 40

Expert Comment

ID: 37750943
The Message-ID contains the internal name of your server and is not tied to your SMTP banner.  There is no way to change it, and really it's not important if someone sees the internal name of your Exchange, so don't worry about it.
