Resolve Message rejected because SPF check failed>

hi
 
 When a user sends an email to any of our users, they are getting the following error:

 SMTP; 550 5.7.1 550 Message rejected because SPF check failed> #SMTP#

 What can I do to allow the emails to be received?

thanks
CBBNet Admin Asked:
 
Manpreet SIngh Khatra (Solutions Architect, Project Lead) Commented:
Do an SPF check on the MS or Kitterman.com site and ensure it isn't giving any errors.

- Rancy
0
 
CBBNet Admin (Author) Commented:
Here are the results from Kitterman:

SPF record lookup and validation for: isumail.centralbank.org.bz
SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:


SPF records should also be published in DNS as type SPF records.

No type SPF records found.

Checking to see if there is a valid SPF record.

No valid SPF record found of either type TXT or type SPF.
0
 
browningit (Sysadmin) Commented:
You can use the information from this site:

http://kbase.gfi.com/showarticle.asp?id=KBID003567

In combination with the tool he uses to create an SPF record:

http://www.openspf.org/

Cheers,
0

 
Manpreet SIngh Khatra (Solutions Architect, Project Lead) Commented:
Some domains do check for SPF and PTR (I guess some like AOL and others)

- Rancy
0
 
CBBNet Admin (Author) Commented:
Hi Rancy,

So do I need to create an SPF record for my email domain,
or does the user's domain that is trying to send us an email need to create an SPF record?
Thanks
0
 
Manpreet SIngh Khatra (Solutions Architect, Project Lead) Commented:
Who receives the NDR? If it's them, they have to create it, as it's unable to verify their domain ... I will tell you what happens: if you have domain ABC.com and I use some site or software to generate an email with Myname@ABC.com (the generating server of the email isn't your server), the server firewall in front would think it's spam and hence reject it.

- Rancy
0
 
CBBNet Admin (Author) Commented:
I checked out the site and did not find the tool to create an SPF record for my domain.

In combination with the tool he uses to create an SPF record:

http://www.openspf.org/

thanks
0
 
CBBNet Admin (Author) Commented:
Hi, I found the following website
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

to create an SPF record, but I need the last step.
Can you please assist me with this step? The steps where I will add the record:


Your SPF record must be published in DNS records of type TXT under centralbank.org.bz Consult the documentation of your DNS administration tools for further details on publishing this.
Thanks
0
 
browningit (Sysadmin) Commented:
I don't know what version of server you are using, but follow these steps:

Login to the DNS server using administrative privileges
Open the 'DNS' Console in 'Administrative Tools'
Expand 'DNS' > 'Forward Lookup Zones'
Select and open the domain in which you wish to add the SPF record. Right-click in the record list and select 'Other New Records..' from the menu
Select the 'Text (TXT)' record and click on the 'Create Record...' button
Type the SPF record data in the 'Text' textbox. Click the 'OK' button.
Click on the 'Done' button to close the window and the SPF record is added
0
 
ddiazp Commented:
Am I the only one understanding this question?

It is the sending domain (not the OP, he's the receiving end) that seems to have invalid SPF setup, and they seem to have the '-all' flag at the end which tries to enforce emails to be rejected if they don't originate from the trusted IPs.

@OP, try this:

Disable anti-spam filtering on the receive connector (console -> Org config -> Hub role -> Anti spam filter tab) to see if the situation improves. Set it to something more permissive.

You also want to let the sender domain admins know so they can fix/update their SPF setup.
0
 
CBBNet Admin (Author) Commented:
I do not have a receive connector, only a send connector, and it does not have an antispam filter tab.

thanks
0
 
CBBNet Admin (Author) Commented:
hi

Sorry for being so confused about SPF. Do I need to create an SPF record for my isumail.centralbank.org.bz, which is my email server, for my domain
centralbank.org.bz, or both?
When I tried to create an SPF record for my email server I got the following message:

No SPF Record Found. A and MX Records Available
[Warning]       No SPF record has been found for the domain isumail.centralbank.org.bz. However, MX and/or A records currently exist for this domain.
 
      
Addresses Listed in A records
200.32.252.18

This information may be of assistance in creating your new SPF record.

Thanks
0
 
CBBNet Admin (Author) Commented:
hi

The external DNS records for our domain are hosted outside at rackspace.com.
Internally we have an email gateway (Linux), which has the external IP address (MX record) for the domain.
It relays mail inside to the Exchange servers.

Where do I create the SPF DNS records?

Thanks
0
 
ddiazp Commented:
Hi cbbisu,

Here's what you have currently configured:

"v=spf1 a mx ~all"
"v=spf1 a:helmmail.ukdns.biz ~all"

Which should cover: 95.215.225.102 and 200.32.252.18. This just confirms you're set up properly on your side.


The misconfiguration, like I said before, is on the sending domain, which is not you. You do not need to change anything on your side.

On the other hand, it's your Exchange server that is rejecting these emails because the emails are coming from an IP that is not allowed according to THEIR SPF record. Your server is doing what's expected, it's not at fault, and it's the server admins on the sending side that need to fix their issue.

You need to do 2 things:

1. Try to contact the admins on their side and let them be aware of the problem. Most likely they're having the same problem with sending email to other places as well.

2. Try and make Exchange be more lenient towards SPF checking so that it doesn't perform SPF checks for incoming mail. What version of exchange are you running?


If you do not have a receive connector, how are you receiving emails at all?
0
 
ddiazp Commented:
In this case it's your email gateway running on Linux that's rejecting the emails. Have you looked at the logs in there and tried to find the emails that are being rejected?
0
 
CBBNet Admin (Author) Commented:
You need to do 2 things:

1. Try to contact the admins on their side and let them be aware of the problem. Most likely they're having the same problem with sending email to other places as well.

2. Try and make Exchange be more lenient towards SPF checking so that it doesn't perform SPF checks for incoming mail. What version of exchange are you running?


If you do not have a receive connector, how are you receiving emails at all?

Thanks for all your assistance.
But here is a user: horacio.vivas@commerzbank.com
If you perform a check on kitterman.com for commerzbank.com, they have a valid SPF,
so I do not believe that the problem is on their side.
0
 
CBBNet Admin (Author) Commented:
hi

 How do I take off
"v=spf1 a mx ~all"

This record since this is not correct
"v=spf1 a:helmmail.ukdns.biz ~all"

thanks
marcos
0
 
CBBNet Admin (Author) Commented:
In this case it's your email gateway running on linux that's rejecting the emails. Have you looked at the logs in there and try to find the emails that are being rejected?

 I have checked the logs on the linux and it says the message is greylisted for 5 minutes
thanks for your time and assistance
0
 
ddiazp Commented:
cbbisu,

They do have an SPF record:

v=spf1 a mx a:newsl.commerzbank.com -all

But it's not necessarily correct.

That "-all" at the end says it all (that -all at the end of the record encourages mail servers to reject the email [like what your server is doing] if the email is not being received by 212.149.50.149, 212.149.50.150 or 212.149.48.100). Anything else will be dropped. You should check on your firewall logs to see if these emails are being received by some other IP.


If you want to modify your SPF records, you need to either log in to your rackspace.com hosting account for your domain, or if you do not have access, find the person who does and get them to do it for you. Make sure you get permission from your supervisor before removing anything, as it will most likely make matters worse.


I deal with email deliverability on a daily basis for the most part of my job, and based on what I've read so far, you do not need to change anything on your side, I insist.

I've provided info to guide you in the right direction, but if you'd like to dig holes somewhere else, I cannot help you.
0
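
An added example, not part of any post in this thread: a minimal Python evaluator for a subset of SPF (RFC 7208: the `a`, `mx`, `ip4` and `all` mechanisms) run over the records quoted above, showing how `-all` turns a non-listed connecting IP into `fail` and how two `v=spf1` TXT records on one name evaluate to `permerror`. The DNS table is constructed so the code runs offline; which address belongs to which host name, the name `mx.commerzbank.com`, and the test address 192.0.2.25 are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS. Record strings and IPs are the ones quoted in
# the thread; the host-to-address mapping and the MX host name are assumed.
DNS = {
    "commerzbank.com": {
        "TXT": ["v=spf1 a mx a:newsl.commerzbank.com -all"],
        "A": ["212.149.50.149"],
        "MX": ["mx.commerzbank.com"],
    },
    "mx.commerzbank.com": {"A": ["212.149.50.150"]},
    "newsl.commerzbank.com": {"A": ["212.149.48.100"]},
    "centralbank.org.bz": {
        "TXT": ["v=spf1 a mx ~all", "v=spf1 a:helmmail.ukdns.biz ~all"],
    },
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def check_host(ip, domain):
    """SPF result for one connecting IP (subset: a, mx, ip4, all)."""
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:           # RFC 7208 section 4.5: multiple records
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":          # plain string compare; inputs are normalized
            matched = ip in lookup(target, "A")
        elif name == "mx":
            matched = any(ip in lookup(h, "A") for h in lookup(target, "MX"))
        else:
            return "permerror"     # term outside the subset handled here
        if matched:                # first matching mechanism decides
            return RESULTS[qualifier]
    return "neutral"               # nothing matched and no "all" term
```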
 
CBBNet Admin (Author) Commented:
Hi ddiazp,

 First of all, thank you so much for all your assistance and patience. Our organization is very new to all these concepts.
  So you are saying that we do not need to create any SPF record to allow email to be received from these domains.
  The domains need to create an SPF record.

thanks
Marcos
0
 
ddiazp Commented:
The sending domain is the one that has to get their SPF records in order. Your email server is doing what it's supposed to by rejecting the messages if they're not coming from the advertised IPs.

All Exchange is doing is reading THEIR SPF records to determine whether the email is legitimate or not. But this check is failing, most likely because the email is arriving from an IP not included in their SPF record.

Because their SPF record has a policy "-all", which means 'reject' all messages that are not specified on the record.

So yeah, you do not need to modify your SPF record in order to be able to receive email from this domain properly.

http://www.openspf.org/SPF_Record_Syntax
0
 
CBBNet Admin (Author) Commented:
thanks everyone
0
 
ddiazp Commented:
Hi cbbisu,

Is the issue solved?

What steps were taken?
0
 
CBBNet Admin (Author) Commented:
We removed the setting on our Vipre Email Security and we created our own SPF record.

http://www.kitterman.com/spf/validate.html

thanks
0
Question has a verified solution.
