Solved

SPF record on domain

Posted on 2012-08-30
Last Modified: 2012-09-05
Hello,

We have a couple of domains, and the emails for them are going through MessageLabs into our exchange server. Yesterday we had an email bounced back with the following error:

smtp.asia.secureserver.net #<smtp.asia.secureserver.net #5.7.1 smtp; 550 5.7.1 SPF unauthorized mail is prohibited.> #SMTP#


We checked the domain and it seems to have an SPF record - v=spf1 mx -all

Is this correct, and if not, how do we fix that issue?
Question by:goliveuk
8 Comments
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 800 total points
ID: 38349097
v=spf1 mx -all
This means that any server that is an MX host for your domain is allowed to send mail.
That could mean that the server that originally sent this message isn't defined in an MX record.
0
 
LVL 33

Assisted Solution

by:Exchange_Geek
Exchange_Geek earned 400 total points
ID: 38349324
Are we talking about your email getting rejected OR an external sender getting a bounce-back from your environment?

If this is your email getting rejected, understand that the email which originated isn't part of your SPF and hence the rejection (more explanation given by erniebeek).

If this is the email rejection of an external sender - either they do not have an SPF or their SPF doesn't have the sending IP in their SPF record.

That's it.

Regards,
Exchange_Geek
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38349331
@Exchange_Geek: good catch :)
I automatically assumed it was their email getting rejected. And with computers: never assume anything...........
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38349351
@erniebeek: I've learnt an important lesson working in IT of course with bad experiences - never "assume" anything :)

Regards,
Exchange_Geek
0
 
LVL 3

Assisted Solution

by:bluebook
bluebook earned 800 total points
ID: 38356309
You need to include the messagelabs-defined SPF records in your own SPF record thus:

v=spf1 include:spf.messagelabs.com -all

If some of your mail doesn't go through messagelabs but uses others of your MX hosts, then you can keep the mx reference in your SPF record as well.

Your MX records will only point to a subset of MessageLabs infrastructure, but under some circumstances your outbound mail may come from parts of it which are not in your MX records.  Hence the need to include it all in your SPF record.
0
 

Author Comment

by:goliveuk
ID: 38360492
Hello Bluebook,

Thank you for your post. I just spoke with MessageLabs and they told me to add this SPF record: v=spf1 include:spf.messagelabs.com ~all

As far as I understand, the only thing that I need to do is to replace this: v=spf1 mx -all  with this one: v=spf1 include:spf.messagelabs.com ~all  right?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 800 total points
ID: 38360559
Always be careful when using includes, some reading: http://www.openspf.org/SPF_Record_Syntax#include

There are testing sites for (your) SPF records: http://www.kitterman.com/spf/validate.html
And also sites that help you create an SPF record: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
 
LVL 3

Accepted Solution

by:
bluebook earned 800 total points
ID: 38361930
Yes that's right.  However you might want to consider using -all instead of ~all, since you currently have -all set.  That would keep the behaviour the same as it is currently.  -all means "hard fail" - i.e. any mail coming from an address that is not included in your SPF record should be rejected.  ~all is a soft fail, which means essentially that it *might* be spoofed, and so the recipient server should subject it to additional checks (i.e. treat it with suspicion if it's not coming from one of the IPs in the SPF record).
0
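The record changes discussed in this thread can be checked offline with a small evaluator. This is an added example, not code from any poster: it handles only the `mx`, `ip4`, `include` and `all` mechanisms, and the domain `example.com`, the host `mx1.relay.example`, all IP addresses and the TXT contents shown for `spf.messagelabs.com` are constructed assumptions, not real DNS data.

```python
import ipaddress

# Constructed DNS data using documentation address ranges. The TXT value for
# spf.messagelabs.com is invented for this example, not the published record.
ZONE = {
    "example.com": {"MX": ["mx1.relay.example"]},
    "mx1.relay.example": {"A": ["192.0.2.10"]},  # inbound MX host only
    "spf.messagelabs.com": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all"},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, ip, depth=0):
    """Evaluate the mx, ip4, include and all mechanisms against ZONE."""
    terms = record.split()
    if depth > 10 or not terms or terms[0] != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = ZONE.get(arg or domain, {}).get("MX", [])
            matched = any(ip in ZONE.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":
            txt = ZONE.get(arg, {}).get("TXT")
            if txt is None:
                return "permerror"
            inner = check_spf(txt, arg, ip, depth + 1)
            if inner == "permerror":
                return inner
            # Only a nested "pass" matches; the included record's own -all
            # does not end evaluation of the outer record.
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return RESULTS[qual]
    return "neutral"

RELAY_OUT = "198.51.100.25"  # constructed: outbound relay, not an MX host
for rec in ("v=spf1 mx -all",
            "v=spf1 include:spf.messagelabs.com -all",
            "v=spf1 include:spf.messagelabs.com ~all"):
    print(f"{rec!r}: relay={check_spf(rec, 'example.com', RELAY_OUT)}, "
          f"other={check_spf(rec, 'example.com', '203.0.113.7')}")
```

With this sample data, the outbound relay address fails under `mx -all` and passes once the include is present, while an unrelated address gets `fail` under `-all` and `softfail` under `~all`.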
