lapavoni

SPF Notification question

Greetings.  I am pretty sure I have our SPF (TXT) record set up properly in DNS, but every so often we get an undeliverable message with an SPF link similar to:

Please see http://www.openspf.org/Why?xxxxxxxxxxxx

The resulting suggestion from Openspf.org is:

----------------------
MX1 rejected a message from a mail server claiming to be mail.our_domain.org.

MX1 received a message from mail.our_domain.org (xx.x.xxx.xx) from a mail server claiming to be mail.our_domain.org.

The domain mail.our_domain.org has not published an SPF policy. It is possible that the receiving mail server refuses all mail from domains that do not have an SPF policy.
----------------------

My guess is that the recipient's mail server or hosted filtering is doing a reverse DNS for mail.our_domain.org, or their SPF check is mistaking our "domain" as mail.our_domain.org instead of correctly identifying our domain as our_domain.org.

Suggestions? Anything we should change, or is this a misconfiguration on the recipient's side?

Thanks much.
-Stephen
mikebernhardt

Well, was the IP address or name "mail.our_domain.org" valid? Was the message it rejected valid? The last sentence could just be a weirdness in the message, but the first 2 look like they COULD be correct. The whole point of SPF is for the remote mail server to check if the sending server is legit.
lapavoni

ASKER

Yes, the IP address and server name are correct. However, if they're looking for a domain named "mail.our_domain.org", they won't find it. "mail.our_domain.org" isn't a domain - it's an MX record under "our_domain.org".
Would be helpful if you tell your domain so others can confirm your SPF record is present and correct.
Domain is:  fairtradeusa.org
ASKER CERTIFIED SOLUTION
mikebernhardt
This solution is only available to members.
SOLUTION
This solution is only available to members.
OK, thank you both for the suggestions. I removed the /32 and the 173.231.134.176. This IP is our static IP for our webserver. Seems irrelevant as our mail server is completely separate. I looked at our SMTP logs and all EHLO/HELO are for: mail.fairtradeusa.org. We had a previous CERT in the past that only had mail.transfairusa.org, so I think that was a remnant, but we still use that as an accepted domain for our Exchange server.

I am thinking the few SPF undeliverables are just unhappy or misconfigured servers on the other end.  I checked past undeliverables and noticed a few "grey listed" messages.  Interesting concept - grey listing.  Didn't look like the best way to protect against SPAM to me ... but maybe it used to be very effective - I don't know.
Make it soft fail (~all), and maybe the remote site will load your SPF record sooner or later.
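
Added example (not from any participant in this thread, and not the members-only solutions): the rejection notice in the question says the policy was looked up for mail.our_domain.org, which is what happens when a receiver checks the HELO identity, or the MAIL FROM identity of a bounce with an empty sender (RFC 7208 sections 2.3 and 2.4). The sketch below shows which domain each identity maps to and what result the lookup gives; example.org, 192.0.2.25 and both zone tables are constructed, and only the ip4 and all mechanisms are evaluated.

```python
import ipaddress

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT data. BEFORE: policy only on the organisational domain.
ZONE_BEFORE = {"example.org": ["v=spf1 ip4:192.0.2.25 ~all"]}
# AFTER (one possible remedy, an assumption): the HELO host name gets its own policy.
ZONE_AFTER = dict(ZONE_BEFORE, **{"mail.example.org": ["v=spf1 ip4:192.0.2.25 -all"]})

def checked_domains(helo, mail_from):
    """Domain looked up per identity. A null reverse-path (DSN/bounce)
    is treated as postmaster@<HELO name>, so it also maps to the HELO name."""
    sender_domain = mail_from.rsplit("@", 1)[1] if mail_from else helo
    return {"helo": helo, "mailfrom": sender_domain}

def evaluate(domain, ip, zone):
    """SPF result for one domain. No inheritance from the parent domain:
    a host name without its own record yields 'none'."""
    recs = [t for t in zone.get(domain.lower(), [])
            if t.lower().split(" ")[0] == "v=spf1"]
    if not recs:
        return "none"
    if len(recs) > 1:
        return "permerror"
    for term in recs[0].split()[1:]:
        q, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        # mx/a/include/etc. need live DNS and are skipped in this sketch
        if name == "ip4" and ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
            return QUAL[q]
        if name == "all":
            return QUAL[q]
    return "neutral"

def check_message(helo, mail_from, ip, zone):
    """Map each identity to (domain queried, SPF result)."""
    return {ident: (dom, evaluate(dom, ip, zone))
            for ident, dom in checked_domains(helo, mail_from).items()}

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, "normal:", check_message("mail.example.org", "user@example.org", "192.0.2.25", zone))
        print(label, "bounce:", check_message("mail.example.org", "", "192.0.2.25", zone))
```

A receiver that rejects on "none" for the HELO identity will refuse the first case even though the MAIL FROM check passes, which matches the wording of the notice quoted in the question.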