Solved

Strange SPF - Exchange Email issue

Posted on 2014-03-27
1,061 Views
Last Modified: 2014-03-27
Hi all, I'm having an issue with an SPF record on an exchange server that's confusing me.  We have all the correct DNS settings set up for a mail server "mail.domain.com".  We have a txt record with:
v=spf1 mx -all

Which should mean it will allow mail from the mx server (which is "mail.domain.com"), yet when we send email to a certain client (who is outside the network), their email server rejects it with an SPF record error: SPF unauthorized mail is prohibited.

More specifically:
someserver.secureserver.net gave this error:
SPF unauthorized mail is prohibited
(that's the receiving server)

It sends the original headers back with the email and it says:

Generating server: EXCHANGE.domain.local
someserver.secureserver.net #550 5.7.1 SPF unauthorized mail is prohibited.

Received: from EXCHANGE.domain.local (192.168.1.21)  by EXCHANGE.domain.local  

(instead of the outside domain)

Also, another part says
x-originating-ip: [192.168.1.110]

Which is their internal IP address that I obviously can't add to the SPF record.  I'm guessing this is somehow the problem, the external mail server is somehow getting the internal IP address of the mail server, and it's rejecting it due to the spf?

Does anyone know what might be wrong with the setup?
Question by:kendalltech
7 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39959668
Sounds like you have everything setup okay and you can test your SPF record here:

http://www.kitterman.com/spf/validate.html

If you would like a 2nd opinion, please drop me a test email to testmail@sohomail.co.uk and I'll check my Anti-Spam logs for the IP / SPF etc and report back.

Sounds like it might just be them, but you never know.

Alan
 
LVL 2

Author Comment

by:kendalltech
ID: 39960080
It looks like it is a configuration issue because that test email is rejecting them as well, except it's giving the outside IP address of the mail server.  I've added an ip4:<outside ip address>/24 to the spf.  The mailserver's IP address last number is 89, but the test email said it came from 90, so I figure adding the netmask 24 should get all the available numbers at the end in case it changes.  

It looks like the dns has a ttl of 4 hours so I'll know in a few hours if it worked..
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39960194
Okay - you are sending out with an FQDN ending .local, which isn't correct - it should be your correct FQDN for your public domain which looks like #####nat.com

Your sending IP is xxx.xxx.xxx.90 and the SPF record you currently have for the domain is:

v=spf1 mx ip4:xxx.xxx.xxx.89/24 ip4:xxx.xxx.xxx.90/32 -all

Running that through on the Kitterman site does show a Pass, so it should sail through, but as you have recently made changes, then that will explain things.

Testing without the added IP's in the SPF record gives this:

Mail sent from this IP address: xxx.xxx.xxx.90
Mail from (Sender): user@#####nat.com
Mail checked using this SPF policy: v=spf1 mx -all
Results - FAIL Message may be rejected

You have mail arriving on one IP which resolves to mail.#####nat.com and sending from the xxx.xxx.xxx.90 IP, which is fine, but you need to create a new A record called something like outbound / send / something which points to the xxx.xxx.xxx.90 IP Address and setup your FQDN on your SEND Connector to match that name and then you should have fewer problems sending mail.  You also need to contact your ISP and ask them to setup Reverse DNS on the xxx.xxx.xxx.90 IP Address as outbound / send / something.#####nat.com to match the FQDN you choose.

Alan
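To make the accepted answer concrete, here is an added worked example (written for this edit; it is not code from the thread, from Alan, or from Experts Exchange). It is a small SPF evaluator over a constructed DNS table: the hypothetical domain example.com stands in for the masked #####nat.com, and the RFC 5737 documentation addresses 203.0.113.89 (the MX host) and 203.0.113.90 (the address Exchange actually sends from) stand in for xxx.xxx.xxx.89 and xxx.xxx.xxx.90. Two points it shows that the thread only states: the receiving server evaluates SPF against the public IP it sees connecting, so the 192.168.x.x addresses and the .local hostname in the bounced headers never enter into the check; and the ip4:…/24 added mid-thread does make the .90 address pass, but it also authorises all 256 addresses of that block, most of which belong to whoever else the ISP assigned them to. A /32 for the real outbound address is the tighter fix.

```python
import ipaddress

# Constructed DNS data for the hypothetical domain example.com (added example,
# not from the original thread). 203.0.113.89 plays the MX host and
# 203.0.113.90 the address the Exchange server really sends from.
DNS = {
    "example.com":          {"MX": ["mail.example.com"], "A": ["203.0.113.89"]},
    "mail.example.com":     {"A": ["203.0.113.89"]},
    "outbound.example.com": {"A": ["203.0.113.90"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in resolver over the constructed table above."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def _hosts_match(hostnames, ip, prefix):
    """True if ip lies within any A record of the hosts, widened by /prefix."""
    for host in hostnames:
        for addr in lookup(host, "A"):
            if ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False):
                return True
    return False


def check_spf(record, client_ip, domain):
    """Evaluate an SPF record against the IP the receiving MTA saw connect.

    That connecting address is the only input SPF uses: Received headers and
    x-originating-ip lines inside the message play no part. Implements the
    all, ip4, ip6, a and mx mechanisms with qualifiers (+ - ~ ?) and CIDR
    suffixes per RFC 7208; include/exists/ptr and modifiers are out of scope
    here, and a/mx resolve A records only (IPv4).
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        if "=" in term:                          # modifier (redirect=, exp=)
            continue
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, _, prefix = mech.partition("/")    # "mx/24" style suffix
        if "/" in arg:                           # "ip4:a.b.c.d/24" style suffix
            arg, _, prefix = arg.partition("/")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            default = "32" if mech == "ip4" else "128"
            net = ipaddress.ip_network(f"{arg}/{prefix or default}", strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            matched = ip.version == 4 and _hosts_match([arg or domain], ip, prefix or "32")
        elif mech == "mx":
            mx_hosts = lookup(arg or domain, "MX")
            matched = ip.version == 4 and _hosts_match(mx_hosts, ip, prefix or "32")
        if matched:
            return RESULT[qualifier]
    return "neutral"                             # no mechanism matched


def ip4_authorized_count(record):
    """Distinct IPv4 addresses the explicit ip4: mechanisms hand out.

    This is the cost of the /24 used in the thread: 256 addresses get to send
    as the domain, not just the one mail server.
    """
    nets = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        if term.lower().startswith("ip4:"):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


ORIGINAL = "v=spf1 mx -all"
WIDENED = "v=spf1 mx ip4:203.0.113.89/24 ip4:203.0.113.90/32 -all"
TIGHT = "v=spf1 mx ip4:203.0.113.90 -all"


def demo():
    """Replay the thread's three record states; returns {label: result}."""
    d = "example.com"
    return {
        "original, MX host .89":  check_spf(ORIGINAL, "203.0.113.89", d),
        "original, outbound .90": check_spf(ORIGINAL, "203.0.113.90", d),
        "widened, outbound .90":  check_spf(WIDENED, "203.0.113.90", d),
        "widened, stranger .7":   check_spf(WIDENED, "203.0.113.7", d),
        "tight, outbound .90":    check_spf(TIGHT, "203.0.113.90", d),
        "tight, stranger .7":     check_spf(TIGHT, "203.0.113.7", d),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:26s} {result}")
    print("ip4 addresses granted by widened record:", ip4_authorized_count(WIDENED))
```

The "original, outbound .90" case reproduces the 550 5.7.1 bounce in the question: the MX resolves to .89, the mail leaves from .90, so "mx -all" is a hard fail. Against a live domain the same check is what dig +short TXT example.com plus the Kitterman tester give you. The send-connector FQDN change Alan describes is Set-SendConnector -Identity "<connector name>" -Fqdn outbound.example.com in the Exchange Management Shell; pair it with a PTR for the .90 address from the ISP so the HELO name, forward and reverse DNS all agree.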
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 39960335
It doesn't sound like there's anything wrong with your SPF, but it looks like the intermediate server does not perform SRS correctly, resulting in downstream SPF failure.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39960343
The SPF was wrong.  Inbound IP was different to outbound IP, so just having MX in the SPF record caused a FAIL on SPF check.

Alan
 
LVL 2

Author Closing Comment

by:kendalltech
ID: 39960351
Thanks so much!  I'm not getting send errors anymore.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39960355
You are welcome.  Happy to help.

Alan
