Solved

Resolve Message rejected because SPF check failed>

Posted on 2013-01-22
Last Modified: 2013-01-28
hi
 
 When a user sends an email to any of our users they are getting the following error

 SMTP; 550 5.7.1 550 Message rejected because SPF check failed> #SMTP#

 What can I do to allow the emails to be received?

thanks
Question by:cbbisu
24 Comments
 
LVL 52

Accepted Solution

by:
Manpreet SIngh Khatra earned 100 total points
ID: 38807178
Do an SPF check on the MS or Kitterman.com site and ensure it isn't giving any errors

- Rancy
0
 

Author Comment

by:cbbisu
ID: 38807202
Here are the results from Kitterman

SPF record lookup and validation for: isumail.centralbank.org.bz
SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:


SPF records should also be published in DNS as type SPF records.

No type SPF records found.

Checking to see if there is a valid SPF record.

No valid SPF record found of either type TXT or type SPF.
0
 
LVL 2

Assisted Solution

by:browningit
browningit earned 200 total points
ID: 38807228
You can use the information from this site:

http://kbase.gfi.com/showarticle.asp?id=KBID003567

In combination with the tool he uses to create an SPF record:

http://www.openspf.org/

Cheers,
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38807230
Some domains do check for SPF and PTR (I guess some like AOL and others)

- Rancy
0
 

Author Comment

by:cbbisu
ID: 38807253
hi rancy

So do I need to create an SPF record for my email domain,
or does the user's domain that is trying to send us an email need to create an SPF record?
thanks
0
 
LVL 52

Expert Comment

by:Manpreet SIngh Khatra
ID: 38807273
Who receives the NDR? If it's them, they have to create it, as it's unable to verify their domain ... I will tell you what happens: if you have domain ABC.com and I use some site or software to generate an email with Myname@ABC.com (the generation server of the email isn't your server), the server firewall in front would think it's spam and hence reject it

- Rancy
0
 

Author Comment

by:cbbisu
ID: 38807290
I checked out the site and did not find the tool to create an SPF record for my domain

In combination with the tool he uses to create an SPF record:

http://www.openspf.org/

thanks
0
 

Author Comment

by:cbbisu
ID: 38807406
hi I found the following website
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

 to create an SPF record but I need the last step.
Can you please assist me with this step? The steps where I will add the record:


Your SPF record must be published in DNS records of type TXT under centralbank.org.bz Consult the documentation of your DNS administration tools for further details on publishing this.
Thanks
0
 
LVL 2

Assisted Solution

by:browningit
browningit earned 200 total points
ID: 38807437
I don't know what version of server you are using, but follow these steps:

Login to the DNS server using administrative privileges
Open the 'DNS' Console in 'Administrative Tools'
Expand 'DNS' > 'Forward Lookup Zones'
Select and open the domain in which you wish to add the SPF record. Right-click in the record list and select 'Other New Records..' from the menu
Select the 'Text (TXT)' record and click on the 'Create Record...' button
Type the SPF record data in the 'Text' textbox. Click the 'OK' button.
Click on the 'Done' button to close the window and the SPF record is added
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 38808456
Am I the only one understanding this question?

It is the sending domain (not the OP, he's the receiving end) that seems to have invalid SPF setup, and they seem to have the '-all' flag at the end which tries to enforce emails to be rejected if they don't originate from the trusted IPs.

@OP, try this:

Disable anti-spam filtering on the receive connector: console -> Org config -> Hub role -> Anti spam filter tab, to see if the situation improves. Set it to something more permissive.

You also want to let the sender domain admins know so they can fix/update their SPF setup.
0
 

Author Comment

by:cbbisu
ID: 38809960
I do not have a receive connector, only a send connector, and it does not have an anti-spam filter tab

thanks
0
 

Author Comment

by:cbbisu
ID: 38810013
hi

 Sorry for being so confused about SPF. Do I need to create an SPF record for my isumail.centralbank.org.bz, which is my email server, for my domain
centralbank.org.bz, or both?
When I tried to create an SPF record for my email server I got the following message

No SPF Record Found. A and MX Records Available
[Warning]       No SPF record has been found for the domain isumail.centralbank.org.bz. However, MX and/or A records currently exist for this domain.
 
      
Addresses Listed in A records
200.32.252.18

This information may be of assistance in creating your new SPF record.

Thanks
0
 

Author Comment

by:cbbisu
ID: 38810230
hi
 
The external DNS records for our domain are hosted outside at rackspace.com.
Internally we have an email gateway (Linux), which has the external IP address (MX record) for the domain.
It relays mail inside to the Exchange servers.

Where do I create the SPF DNS records?

Thanks
0
 
LVL 10

Assisted Solution

by:ddiazp
ddiazp earned 200 total points
ID: 38810240
Hi cbbisu,

Here's what you have currently configured:

"v=spf1 a mx ~all"
"v=spf1 a:helmmail.ukdns.biz ~all"

Which should cover: 95.215.225.102 and 200.32.252.18. This just confirms you're set up properly on your side.


The misconfiguration, like I said before, is on the sending domain, which is not you. You do not need to change anything on your side.

On the other hand, it's your Exchange server that is rejecting these emails because the emails are coming from an IP that is not allowed according to THEIR SPF record. Your server is doing what's expected, it's not at fault, and it's the server admins on the sending side that need to fix their issue.

You need to do 2 things:

1. Try to contact the admins on their side and let them be aware of the problem. Most likely they're having the same problem with sending email to other places as well.

2. Try and make Exchange be more lenient towards SPF checking so that it doesn't perform SPF checks for incoming mail. What version of Exchange are you running?


If you do not have a receive connector, how are you receiving emails at all?
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 38810254
In this case it's your email gateway running on Linux that's rejecting the emails. Have you looked at the logs in there and tried to find the emails that are being rejected?
0
 

Author Comment

by:cbbisu
ID: 38810298
You need to do 2 things:

1. Try to contact the admins on their side and let them be aware of the problem. Most likely they're having the same problem with sending email to other places as well.

2. Try and make Exchange be more lenient towards SPF checking so that it doesn't perform SPF checks for incoming mail. What version of exchange are you running?


If you do not have a receive connector, how are you receiving emails at all?

Thanks for all your assistance.
But here is a user horacio.vivas@commerzbank.com
if you perform a check on kitterman.com for commerzbank.com they have a valid SPF
so I do not believe that the problem is on their space.
0
 

Author Comment

by:cbbisu
ID: 38810301
hi

 how do I take off
"v=spf1 a mx ~all"

This record since this is not correct
"v=spf1 a:helmmail.ukdns.biz ~all"

thanks
marcos
0
 

Author Comment

by:cbbisu
ID: 38810425
In this case it's your email gateway running on linux that's rejecting the emails. Have you looked at the logs in there and try to find the emails that are being rejected?

 I have checked the logs on the Linux gateway and it says the message is greylisted for 5 minutes
thanks for your time and assistance
0
 
LVL 10

Assisted Solution

by:ddiazp
ddiazp earned 200 total points
ID: 38810506
cbbisu,

They do have an SPF record:

v=spf1 a mx a:newsl.commerzbank.com -all

But it's not necessarily correct.

That "-all" at the end says it all (that -all at the end of the record encourages mail servers to reject the email [like what your server is doing] if the email is not being received by 212.149.50.149, 212.149.50.150 or 212.149.48.100). Anything else will be dropped. You should check on your firewall logs to see if these emails are being received by some other IP.


If you want to modify your SPF records, you need to either log in to your rackspace.com hosting account for your domain, or if you do not have access, find the person who does and get them to do it for you. Make sure you get permission from your supervisor before removing anything, as it will most likely make matters worse.


I deal with email deliverability on a daily basis for the most part of my job, and based on what I've read so far, you do not need to change anything on your side, I insist.

I've provided info to guide you in the right direction, but if you'd like to dig holes somewhere else, I cannot help you.
0
 

Author Comment

by:cbbisu
ID: 38812365
hi ddiazp

 First of all thank you so much for all your assistance and patience. Our organization is very new to all these concepts.
  so you are saying that we do not need to create any SPF record to allow email to be received from these domains.
  The domains need to create an spf record.

thanks
Marcos
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 38812403
The sending domain is the one that has to get their SPF records in order. Your email server is doing what it's supposed to by rejecting the messages if they're not coming from the advertised IPs.

All Exchange is doing is reading THEIR SPF records to determine whether the email is legitimate or not. But this check is failing, most likely because the email is arriving from an IP not included on their SPF record.

Because their SPF record has a policy "-all", which means 'reject' all messages that are not specified on the record.

So yeah, you do not need to modify your SPF record in order to be able to receive email from this domain properly.

http://www.openspf.org/SPF_Record_Syntax
0
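
The receiver-side check discussed in this thread, sketched as a small evaluator (an added example, not code from any poster or product named here). The DNS data is constructed: the SPF strings and IP addresses are the ones quoted above, while the host-to-address mapping and the MX host name `mx.commerzbank.com` are assumptions. It also shows that a domain publishing two `v=spf1` TXT records evaluates to `permerror`, whatever either record says.

```python
import ipaddress

# Constructed DNS data. The SPF strings and IP addresses are quoted in the thread;
# the host-to-address mapping and the MX host name are assumptions for illustration.
TXT = {
    "commerzbank.com": ["v=spf1 a mx a:newsl.commerzbank.com -all"],
    "centralbank.org.bz": ["v=spf1 a mx ~all", "v=spf1 a:helmmail.ukdns.biz ~all"],
}
A = {
    "commerzbank.com": ["212.149.48.100"],
    "mx.commerzbank.com": ["212.149.50.149"],  # hypothetical MX host name
    "newsl.commerzbank.com": ["212.149.50.150"],
}
MX = {"commerzbank.com": ["mx.commerzbank.com"]}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addrs(host):
    return {ipaddress.ip_address(a) for a in A.get(host, [])}


def evaluate(record, ip, domain):
    """Evaluate one SPF record left to right; the first matching mechanism decides."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = addr in _addrs(arg or domain)
        elif name == "mx":
            matched = any(addr in _addrs(h) for h in MX.get(arg or domain, []))
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:  # include, exists, ptr, redirect= and macros are outside this sketch
            raise NotImplementedError(term)
        if matched:
            return QUALIFIER[qual]
    return "neutral"  # no mechanism matched and the record has no "all"


def check_host(ip, domain):
    """Receiver-side lookup: select the SPF record, then evaluate it."""
    records = [t for t in TXT.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # RFC 7208 section 4.5: more than one SPF record
    return evaluate(records[0], ip, domain)
```

A gateway that rejects on `fail` returns the 550 from the original question for any connecting address outside the three listed; with `~all` the same message would only be a `softfail`, which receivers normally accept and mark.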
 

Author Closing Comment

by:cbbisu
ID: 38818796
thanks everyone
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 38819597
Hi cbbisu,

Is the issue solved?

What steps were taken?
0
 

Author Comment

by:cbbisu
ID: 38827660
We removed the setting on our Vipre Email Security and we created our own SPF record

http://www.kitterman.com/spf/validate.html

thanks
0
