  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 963
  • Last Modified:

SPF and Reverse DNS Mail issues

I have an Exchange and Edge server sitting behind a Sonicwall firewall. I have a NAT set up for each server, giving them public IPs as such:
Sonicwall xxx.xxx.xxx.210
Exchange xxx.xxx.xxx.213
Edge xxx.xxx.xxx.214

I am having problems with some domains rejecting our emails because either the SPF record has failed or the reverse DNS entry could not be found.

Now I have reverse DNS on the Edge server, but all of my emails to the outside would look like they are from 210, and not 214, which is causing these issues.

I originally had an SPF record set up as "v=spf1 a mx ptr -all", but have changed it to "v=spf1 a mx ip4:xxx.xxx.xxx.210 ip4:xxx.xxx.xxx.214 ~all". This is with GoDaddy, and obviously I used real numbers and not Xs.

How can I get my SPF and reverse DNS to pass without putting the edge server directly on the public network, which I will never do?
0
Asked by: GMSMRM
1 Solution
 
Exchange_Geek commented:
Which box is supposed to be sending emails outside to the internet - as in which is the last IP stamped in the email relay? You'll need to create a PTR Record for that IP Address pointing to the hostname.

Next, SPF should also have the public-facing IP address; NOTHING internal is to be provided on it.

Regards,
Exchange_Geek
0
 
GMSMRM (Author) commented:
The Edge server is sending the emails but gets routed through the Sonicwall.

All of the addresses mentioned are public facing IPs.

Update: I recently ran another check from http://tools.bevhost.com/spf/ and it looks like the SPF has finally updated from my recent change and it says that it is passing.

I am testing with emails to domains that recently failed to confirm.
0
 
Exchange_Geek commented:
If you have Sonicwall as your firewall, in that case, why have Edge face the internet too?

I mean, emails going out would get routed via Sonicwall, so let Edge sit calmly inside your environment.

Next, check the internet facing IP of Sonicwall and create a PTR record for it on public DNS.

Also, on SPF add -ip4: IP of Sonicwall along with mx and ptr and you should be good.

Regards,
Exchange_Geek
0
 
GMSMRM (Author) commented:
I don't have Edge outside the Firewall. I have already done exactly as you mentioned. I am waiting on the SPF record to update and test. I will be back to let you know the results.

Thanks.
0
 
Exchange_Geek commented:
Awesome.

Regards,
Exchange_Geek
0
 
GMSMRM (Author) commented:
I am having issues now with outgoing emails stuck in the EDGE queue for rDNS failures. I believe this is due to trying to perform an rDNS lookup on my firewall IP. This will not work.
0
 
Exchange_Geek commented:
Why on earth would you perform rDNS on the firewall IP? All I requested was to have a PTR record created for your firewall's internet-facing IP on internet DNS.

Please tell me, this was done as requested.

Regards,
Exchange_Geek
0
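The thread boils down to two checks a receiving mail server performs on the last public IP it sees (the Sonicwall's .210, not the Edge server's .214): does the domain's SPF record authorize that IP, and does that IP have a forward-confirmed PTR record. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It is a minimal SPF evaluator for the mechanisms used in the question (a, mx, ptr, ip4, ip6, all) plus a forward-confirmed rDNS check, run against a constructed in-memory DNS table. The hostnames (example.test, mail/edge/fw.example.test) and the RFC 5737 documentation addresses 198.51.100.210/.213/.214 are stand-ins for the xxx.xxx.xxx.* addresses in the thread; the DNS_FIXED table is the same data after a PTR record for the firewall IP has been added, as the accepted answer advises. It does not implement include, redirect, exists or CIDR suffixes on a/mx.

```python
import copy
import ipaddress

# Constructed DNS data standing in for the poster's zone (assumption; not real records).
DNS = {
    "a": {
        "example.test": ["198.51.100.213"],       # bare domain A record -> Exchange
        "mail.example.test": ["198.51.100.213"],  # Exchange server (NAT .213)
        "edge.example.test": ["198.51.100.214"],  # Edge server (NAT .214)
        "fw.example.test": ["198.51.100.210"],    # name for the Sonicwall's outside IP
    },
    "mx": {"example.test": ["mail.example.test"]},
    # Only the Edge IP has a PTR at first, as in the question.
    "ptr": {"198.51.100.214": ["edge.example.test"]},
}

# Same zone after the fix from the accepted answer: a PTR for the firewall IP.
DNS_FIXED = copy.deepcopy(DNS)
DNS_FIXED["ptr"]["198.51.100.210"] = ["fw.example.test"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fcrdns(ip, dns=DNS):
    """Forward-confirmed reverse DNS: return the PTR name of ip whose A record
    contains ip again, or None if no such name exists (what a strict receiver wants)."""
    for name in dns["ptr"].get(ip, []):
        if ip in dns["a"].get(name, []):
            return name
    return None


def spf_check(record, ip, domain, dns=DNS):
    """Evaluate an SPF record for a sending ip and the envelope-sender domain.
    Returns the first matching qualifier's result; neutral if nothing matches
    (RFC 7208 default). Supports a, mx, ptr, ip4, ip6 and all only."""
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain          # a/mx/ptr default to the sender domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ip_network() handles both bare addresses (/32, /128) and CIDR;
            # a v4 address is never inside a v6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in dns["a"].get(target, [])
        elif mech == "mx":
            matched = any(ip in dns["a"].get(mx, []) for mx in dns["mx"].get(target, []))
        elif mech == "ptr":
            # ptr passes only for a forward-confirmed name inside the target domain.
            name = fcrdns(ip, dns)
            matched = name is not None and (name == target or name.endswith("." + target))
        else:
            raise ValueError("mechanism not supported in this example: " + mech)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


OLD_RECORD = "v=spf1 a mx ptr -all"
NEW_RECORD = "v=spf1 a mx ip4:198.51.100.210 ip4:198.51.100.214 ~all"

if __name__ == "__main__":
    fw, edge, stranger = "198.51.100.210", "198.51.100.214", "203.0.113.5"
    for rec in (OLD_RECORD, NEW_RECORD):
        for ip in (fw, edge, stranger):
            print(f"{rec!r:60} {ip:15} -> {spf_check(rec, ip, 'example.test')}")
    print("FCrDNS of firewall IP before fix:", fcrdns(fw))
    print("FCrDNS of firewall IP after fix: ", fcrdns(fw, DNS_FIXED))
```

With the original record, mail NATed through the firewall IP fails SPF (the a, mx and ptr mechanisms all point elsewhere, so -all applies), while the same IP passes under the updated record because it is listed explicitly with ip4. The rDNS check shows the second half of the problem: the firewall IP has no forward-confirmed PTR until one is published, which is exactly what the answer asks for.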
