Matt Kendall
asked on
Strange SPF - Exchange Email issue
Hi all, I'm having an issue with an SPF record on an Exchange server that's confusing me. We have all the correct DNS settings set up for a mail server "mail.domain.com". We have a txt record with:
v=spf1 mx -all
Which should mean it will allow mail from the MX server (which is "mail.domain.com"), yet when we send email to a certain client (who is outside the network), their email server rejects it with an SPF record error: SPF unauthorized mail is prohibited.
More specifically:
someserver.secureserver.net gave this error:
SPF unauthorized mail is prohibited
(that's the receiving server)
It sends the original headers back with the email and it says:
Generating server: EXCHANGE.domain.local
someserver.secureserver.net #550 5.7.1 SPF unauthorized mail is prohibited.
Received: from EXCHANGE.domain.local (192.168.1.21) by EXCHANGE.domain.local
(instead of the outside domain)
Also, another part says
x-originating-ip: [192.168.1.110]
Which is their internal IP address that I obviously can't add to the SPF record. I'm guessing this is somehow the problem, the external mail server is somehow getting the internal IP address of the mail server, and it's rejecting it due to the spf?
Does anyone know what might be wrong with the setup?
ASKER
It looks like it is a configuration issue because that test email is rejecting them as well, except it's giving the outside IP address of the mail server. I've added an ip4:<outside ip address>/24 to the SPF. The mail server's IP address last number is 89, but the test email said it came from 90, so I figure adding the netmask 24 should get all the available numbers at the end in case it changes.
It looks like the dns has a ttl of 4 hours so I'll know in a few hours if it worked..
ASKER CERTIFIED SOLUTION
It doesn't sound like there's anything wrong with your SPF, but it looks like the intermediate server does not perform SRS correctly, resulting in downstream SPF failure.
The SPF was wrong. Inbound IP was different to outbound IP, so just having MX in the SPF record caused a FAIL on SPF check.
Alan
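To make Alan's point concrete (and the asker's ip4 fix above), here is an added example in Python that is mine, not code from this thread or from Experts Exchange: a minimal SPF evaluator run against a constructed stub DNS table in which the MX host resolves to 203.0.113.89 while outbound mail leaves from 203.0.113.90; those addresses and the domain.com names are assumed placeholders for the thread's redacted values.

```python
import ipaddress

# Constructed stub DNS table standing in for real lookups (assumed values, not from the thread):
# the MX host resolves to .89 while outbound mail actually leaves from .90.
DNS = {
    ("domain.com", "MX"): ["mail.domain.com"],
    ("mail.domain.com", "A"): ["203.0.113.89"],
}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, domain):
    """Evaluate a minimal SPF record (mechanisms: all, ip4, mx) for the connecting
    client IP; returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no valid record)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            # ip4:203.0.113.0/24 covers the whole block; ip4:203.0.113.90 is one host
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "mx":
            # mx matches only the A records of the domain's MX hosts (the inbound path)
            for host in lookup(arg or domain, "MX"):
                if any(ip == ipaddress.ip_address(a) for a in lookup(host, "A")):
                    return QUALIFIERS[qualifier]
        # include/exists/ptr/a are outside this example
    return "neutral"                         # nothing matched and no 'all' term

def thread_scenario():
    """Inbound .89 passes on 'mx' alone, outbound .90 fails until an ip4 term covers it."""
    before, after = "v=spf1 mx -all", "v=spf1 mx ip4:203.0.113.0/24 -all"
    return {
        "inbound_mx_before": check_spf(before, "203.0.113.89", "domain.com"),
        "outbound_before": check_spf(before, "203.0.113.90", "domain.com"),
        "outbound_after": check_spf(after, "203.0.113.90", "domain.com"),
        "any_host_in_block_after": check_spf(after, "203.0.113.200", "domain.com"),
    }
```

The last entry shows that the /24 authorizes every address in that block to send as domain.com, not just the two mail hosts; listing the specific outbound address (ip4:203.0.113.90) keeps the record as tight as the real sending footprint.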
ASKER
Thanks so much! I'm not getting send errors anymore.
You are welcome. Happy to help.
Alan
http://www.kitterman.com/spf/validate.html
If you would like a 2nd opinion, please drop me a test email to testmail@sohomail.co.uk and I'll check my Anti-Spam logs for the IP / SPF etc and report back.
Sounds like it might just be them, but you never know.
Alan