DNS/PTR Mismatch and SPF record
I am having issues emailing some customers. The error I receive is the following:
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<hercules.domain.local #5.7.1 smtp;554 5.7.1 Sender DNS/PTR Mismatch: IP Address for PTR Hostname does not match sending IP:[75.x.x.x] - Possible Forgery>
I did not configure our DNS records originally and I believe certain records such as SPF and PTR are not configured correctly.
Our mx record points to MXlogic. So any incoming email goes to MXlogic/McAfee to be scanned. Our exchange server is mail.mydomain.com and points to 75.x.x.30. Our Exchange server is behind our firewall which has an ip of 75.x.x.20 so this is the IP other SMTP servers will see our emails coming from.
This is where I am confused. If I do an nslookup for 75.x.x.20 I get host162.mydomain.com and I don't even know where the name came from. If I do an nslookup for host162.mydomain.com I get the ip of my www record which does not match my firewall ip 75.x.x.20. I don't have the host162.mydomain.com on Network solutions so I am assuming this is a record at the ISP. I am wondering if the mismatch is because the IP where my emails are coming from resolves to a record which its IP does not match the sender IP in this case 75.x.x.20.
What is my outgoing IP (75.x.x.20) supposed to resolve to? mail.mydomain.com?
mail.mydomain.com is currently pointing to 75.x.x.30 and the record is used by MXlogic to forward our incoming emails.
.
The other thing that happens is if I do a test connectivity using textexchangeconnectivity.c
If I do a SPF test using mxtoolbox and use mydomain.com it doesn't find anything, but if I use mail.mydomain.com it finds the following:
Type Domain Name TTL Record
TXT mail.mydomain.com 2 hrs v=spf1 mx ip4:75.x.x.20 ~all
TXT mail.mydomain.com 60 min v=spf1 ptr include:mxlogic.net ~all
Record: v=spf1 mx ip4:75.x.x.20 ~all
Prefix Type Value Prefix Desc Description
+ mx Pass Match if IP is one of the MX hosts for given domain name
+ ip4 75.x.x.20 Pass Match if IP is in the given range
~ all SoftFail Always matches. It goes at the end of your record.
reverse lookup smtp diag blacklist port scan
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<hercules.domain.local #5.7.1 smtp;554 5.7.1 Sender DNS/PTR Mismatch: IP Address for PTR Hostname does not match sending IP:[75.x.x.x] - Possible Forgery>
I did not configure our DNS records originally and I believe certain records such as SPF and PTR are not configured correctly.
Our mx record points to MXlogic. So any incoming email goes to MXlogic/McAfee to be scanned. Our exchange server is mail.mydomain.com and points to 75.x.x.30. Our Exchange server is behind our firewall which has an ip of 75.x.x.20 so this is the IP other SMTP servers will see our emails coming from.
This is where I am confused. If I do an nslookup for 75.x.x.20 I get host162.mydomain.com and I don't even know where the name came from. If I do an nslookup for host162.mydomain.com I get the ip of my www record which does not match my firewall ip 75.x.x.20. I don't have the host162.mydomain.com on Network solutions so I am assuming this is a record at the ISP. I am wondering if the mismatch is because the IP where my emails are coming from resolves to a record which its IP does not match the sender IP in this case 75.x.x.20.
What is my outgoing IP (75.x.x.20) supposed to resolve to? mail.mydomain.com?
mail.mydomain.com is currently pointing to 75.x.x.30 and the record is used by MXlogic to forward our incoming emails.
.
The other thing that happens is if I do a test connectivity using textexchangeconnectivity.c
If I do a SPF test using mxtoolbox and use mydomain.com it doesn't find anything, but if I use mail.mydomain.com it finds the following:
Type Domain Name TTL Record
TXT mail.mydomain.com 2 hrs v=spf1 mx ip4:75.x.x.20 ~all
TXT mail.mydomain.com 60 min v=spf1 ptr include:mxlogic.net ~all
Record: v=spf1 mx ip4:75.x.x.20 ~all
Prefix Type Value Prefix Desc Description
+ mx Pass Match if IP is one of the MX hosts for given domain name
+ ip4 75.x.x.20 Pass Match if IP is in the given range
~ all SoftFail Always matches. It goes at the end of your record.
reverse lookup smtp diag blacklist port scan
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Out of curiosity, is your outgoing mail going to MXLogic as well, or is it going to mail servers directly from your Exchange server?
ASKER
It used to go to MXLogic because we wanted to archive our emails with them, but we canceled the archiving options and we are only using incoming spam/anti-malware filtering.
If you're not sending from MXLogic, you can remove the second SPF Record from your DNS:
TXT mail.mydomain.com 60 min v=spf1 ptr include:mxlogic.net ~all
This might be throwing things off. Also, contact your ISP to make sure you have a PTR record for your Domain Name as has been mentioned. Also, the SPF record needs to match what is after the @ in your email addresses. So the SPF record should be set on domain.com if your email address is user@domain.com
TXT mail.mydomain.com 60 min v=spf1 ptr include:mxlogic.net ~all
This might be throwing things off. Also, contact your ISP to make sure you have a PTR record for your Domain Name as has been mentioned. Also, the SPF record needs to match what is after the @ in your email addresses. So the SPF record should be set on domain.com if your email address is user@domain.com
To clarify there shouldn't even be a 2nd SPF record, it is clearly against the SPF RFC.
Also to clarify SPF checks against the envelope-from, not the body-from (and are able to check against HELO per RFC).
Also to clarify SPF checks against the envelope-from, not the body-from (and are able to check against HELO per RFC).
ASKER
Got it PaperTrip. I did my changes and removed the second SPF.
I have one more question. I sent a test to Gmail and my changes are showing up now. I can see the received-from as mx.mydomain.com. However, the Message-ID shows <65D9A9F334ED8A48B9E610852
I am running Exc 2003.
I have one more question. I sent a test to Gmail and my changes are showing up now. I can see the received-from as mx.mydomain.com. However, the Message-ID shows <65D9A9F334ED8A48B9E610852
I am running Exc 2003.
That sounds like it might be the SMTP banner name or HELO name. I'm not an Exchange guy so not sure of the exact setting.
BTW in the 1st SPF record there is the mx mechanism which says that MXlogic is also able to send from your domain, fyi.
BTW in the 1st SPF record there is the mx mechanism which says that MXlogic is also able to send from your domain, fyi.
ASKER
I removed the MXLogic SPF and left "v=spf1 ip4:75.x.x.20 -all". Like I explained before, they were technically sending email for us before because all outgoing emails were going to them to get archived and they would them to the final destination.
The Message-ID contains the internal name of your server and is not tied to your SMTP banner. There is no way to change it, and really it's not important if someone sees the internal name of your Exchange, so don't worry about it.
Typo in first comment:
Aside from that it appears you have 2 SPF records, you should only have one per sending domain.