SPF record on domain


We have a couple of domains, and the emails for them are going through MessageLabs into our Exchange server. Yesterday we had an email bounced back with the following error:

smtp.asia.secureserver.net #<smtp.asia.secureserver.net #5.7.1 smtp; 550 5.7.1 SPF unauthorized mail is prohibited.> #SMTP#

We checked the domain and it seems to have an SPF record - v=spf1 mx -all

Is this correct, and if not, how do we fix that issue?
bluebook Commented:
Yes that's right.  However you might want to consider using -all instead of ~all, since you currently have -all set.  That would keep the behaviour the same as it is currently.  -all means "hard fail" - i.e. any mail coming from an address that is not included in your SPF record should be rejected.  ~all is a soft fail, which means essentially that it *might* be spoofed, and so the recipient server should subject it to additional checks (i.e. treat it with suspicion if it's not coming from one of the IPs in the SPF record).
Ernie Beek (Expert) Commented:
v=spf1 mx -all
This means that any server that is an MX host for your domain is allowed to send mail.
That could mean that the server that originally sent this message isn't defined in an MX record.
Exchange_Geek Commented:
Are we talking about your email getting rejected or an external sender getting a bounce-back from your environment?

If this is your email getting rejected, understand that the server from which the email originated isn't part of your SPF, hence the rejection (more explanation given by erniebeek).

If this is the email rejection of an external sender - either they do not have an SPF or their SPF doesn't have the sending IP in their SPF record.

That's it.

Ernie Beek (Expert) Commented:
@Exchange_Geek: good catch :)
I automatically assumed it was their email getting rejected. And with computers: never assume anything...........
@erniebeek: I've learnt an important lesson working in IT of course with bad experiences - never "assume" anything :)

bluebook Commented:
You need to include the messagelabs-defined SPF records in your own SPF record thus:

v=spf1 include:spf.messagelabs.com -all

If some of your mail doesn't go through messagelabs but uses other MX hosts of yours, then you can keep the mx reference in your SPF record as well.

Your MX records will only point to a subset of MessageLabs infrastructure, but under some circumstances your outbound mail may come from parts of it which are not in your MX records.  Hence the need to include it all in your SPF record.
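
The difference between the two records discussed in this thread, as an added example that is not part of the original thread or any poster's code: a small evaluator for a subset of SPF mechanisms (mx, ip4, include, all), run against constructed DNS data. The domain example.com, all IP addresses, and the contents shown for spf.messagelabs.com are assumptions made up for illustration, not the real published records.

```python
import ipaddress

# Constructed DNS data for illustration only. Addresses are documentation
# ranges, not MessageLabs' real SPF contents or anyone's real MX hosts.
ZONE = {
    "TXT": {"spf.messagelabs.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all"},
    "MX": {"example.com": ["198.51.100.10", "198.51.100.11"]},  # inbound hosts only
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, ip, depth=0):
    """Evaluate a subset of RFC 7208 (mx, ip4, include, all) for sender `ip`."""
    if depth > 10:
        return "permerror"  # crude guard against include loops
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = ip in ZONE["MX"].get(arg or domain, [])
        elif name == "include":
            nested = check_spf(ZONE["TXT"].get(arg, ""), arg, ip, depth + 1)
            if nested in ("permerror", "none"):
                return "permerror"  # broken or missing included record
            # Only a nested "pass" matches; a nested -all does not fail the outer check.
            matched = nested == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no "all" term

if __name__ == "__main__":
    relay = "203.0.113.25"  # constructed outbound relay, not one of the MX hosts
    for rec in ("v=spf1 mx -all", "v=spf1 include:spf.messagelabs.com -all"):
        print(rec, "->", check_spf(rec, "example.com", relay))
```

With this data the outbound relay fails under `mx -all` and passes once the include is present, while an unrelated address gets `fail` under `-all` and `softfail` under `~all`.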
goliveuk (Author) Commented:
Hello Bluebook,

Thank you for your post. I just spoke with MessageLabs and they told me to add this SPF record: v=spf1 include:spf.messagelabs.com ~all

As far as I understand the only thing that I need to do is to replace this: v=spf1 mx -all  with this one: v=spf1 include:spf.messagelabs.com ~all  right ?
Ernie Beek (Expert) Commented:
Always be careful when using includes, some reading: http://www.openspf.org/SPF_Record_Syntax#include

There are testing sites for (your) SPF records: http://www.kitterman.com/spf/validate.html
And also sites that help you creating an spf: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/