• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 985
  • Last Modified:

Can't send email to a couple clients

One of my clients was having a problem sending mail to one domain.
I've been banging my head on this for a couple hours.  Originally it was a dns issue.  I resolved that, but now I'm not really sure what it is.  I think it's a postfix issue.

here is the error message we get

Last Error: 450 4.7.1 <xxxxxx@12thfloor.com.au>: Recipient address rejected: SPF-Result=ceelaw1.ceelaw.com.au: 'SERVFAIL' error on DNS 'SPF' lookup of 'ceelaw1.ceelaw.com.au'

ceelaw1.ceelaw.com.au resolves correctly.

here is our spf record: v=spf1 ip4: include:ceelaw1.ceelaw.com.au ~all

The only thing I can think of is that the reverse lookup on is not ceelaw1.ceelaw.com.au, but it's

Hoping someone could help.
1 Solution
LivetechsupportAuthor Commented:
Thanks for the response, but I don't have access to the postfix server, that belongs to the receipient...
Everything is good with our domain other then the reverse DNS..

The problem is that their Postfix is hard rejecting your messages when it should be soft-rejecting can you suggest the workround to the remote mail admin ?
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

LivetechsupportAuthor Commented:
I have sent them an email a few days ago, no response.
I just wanted another set of eyes to look at it in case I was missing something.
I can't believe I'd be the only person with this problem trying to send to them.

Normally, if your FQDN resolves to your IP specified then it will pass. It is possible however on devices to configure it to ALSO check the reverse IP as per this link :-


Could you not configure this so that whoever holds your external DNS records could create a PTR record to match the IP for this domain ? Even if it means changing your SPF record to resolve to the 46. IP address ?

Other than that, it is down to the remote messaging admin.
Firstly I would address your SPF record, I'm not going to post the MS link to the SPF wizard as Papertrip will be on my case ;-) ...(although he does have a point)

... But look at this current open question and follow Papertrips instructions here


Also change the PTR by contacting your ISP as currently you have their default assigned which is also causing you an issue
LivetechsupportAuthor Commented:
I will try and contact the isp to get the ptr record changed.
I did have my ptr record with only the ip address before, I added the include section recently, didn't make a difference.

Thanks for all the help

You don't need the include mechanism in your SPF record at all if you've only got the one outbound mail server.  That mechanism is for including another domain's SPF entries within yours, and since you've specified a hostname (which does not have its own SPF record) in that mechanism rather than a domain, that may very well be what's causing the problem: it can't look up an SPF record for the domain ceelaw1.ceelaw.com.au, because no such thing exists.

I'd remove include:ceelaw1.ceelaw.com.au from your SPF record entirely and test again.
Good point drDave
LivetechsupportAuthor Commented:
I got a response from the mailserver admin that our mail was being rejected because we had an ip address instead of a host name for our name servers.

Hi Mark,
The error is occurring because the NS records for that domain are invalid.

;ceelaw.com.au.                 IN      NS

ceelaw.com.au.          86400   IN      NS

;; Query time: 8 msec
;; WHEN: Mon Mar 26 10:46:18 2012
;; MSG SIZE  rcvd: 59

NS records must be domain-names (not IP addresses)

So I'll try and resolved that issue and let you all know how it works out.


While having an IP in the data portion of an NS record is not RFC compliant, it is not the source of this particular problem.

The problem here as previously mentioned is the include mechanism in your SPF record, as there is no SPF record for ceelaw1.ceelaw.com.au.

FYI while having ~all does mean softfail, it does not mean that the receiving server will not ultimately reject the message.  Also a 4xx reply is not a hardbounce but rather a softbounce.

DLeaver and DrDave are correct.

[root@broken ~]# dig txt ceelaw1.ceelaw.com.au

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> txt ceelaw1.ceelaw.com.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64950
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;ceelaw1.ceelaw.com.au.		IN	TXT

ceelaw.com.au.		10474	IN	SOA	ns1.linode.com. luckystunter.gmail.com. 2012032264 14400 14400 1209600 86400

;; Query time: 1 msec

Open in new window


Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now