Solved

SPF Notification question

Posted on 2014-08-25
Last Modified: 2014-08-25
Greetings.  I am pretty sure I have our SPF (TXT) record set up properly in DNS, but every so often we get an undeliverable message with an SPF link similar to:

Please see http://www.openspf.org/Why?xxxxxxxxxxxx

The resulting suggestion from Openspf.org is:

----------------------
MX1 rejected a message from a mail server claiming to be mail.our_domain.org.

MX1 received a message from mail.our_domain.org (xx.x.xxx.xx) from a mail server claiming to be mail.our_domain.org.

The domain mail.our_domain.org has not published an SPF policy. It is possible that the receiving mail server refuses all mail from domains that do not have an SPF policy.
----------------------

My guess is that the recipient's mail server or hosted filtering is doing a reverse DNS lookup for mail.our_domain.org, or their SPF check is mistaking our "domain" as mail.our_domain.org instead of correctly identifying our domain as our_domain.org.

Suggestions? Anything we should change, or is this a misconfiguration on the recipient's side?

Thanks much.
-Stephen
Question by:lapavoni
8 Comments
LVL 28

Expert Comment

by:mikebernhardt
ID: 40284052
Well, was the IP address or name "mail.our_domain.org" valid? Was the message it rejected valid? The last sentence could just be a weirdness in the message, but the first 2 look like they COULD be correct. The whole point of SPF is for the remote mail server to check if the sending server is legit.

Author Comment

by:lapavoni
ID: 40284090
Yes, the IP address and server name are correct. However, if they're looking for a domain named "mail.our_domain.org", they won't find it. "mail.our_domain.org" isn't a domain; it's an MX record under "our_domain.org".
LVL 62

Expert Comment

by:gheist
ID: 40284176
It would be helpful if you told us your domain so others can confirm your SPF record is present and correct.
Author Comment

by:lapavoni
ID: 40284178
Domain is:  fairtradeusa.org
LVL 28

Accepted Solution

by:mikebernhardt, earned 1000 total points
ID: 40284234
It appears that your configuration is correct, so if it's only happening with one destination then I would assume it's a problem on their end. I do notice that
1. the IP address 173.231.134.176 doesn't resolve, but it's in the SPF record. If it isn't valid it should be removed.
2. 74.3.121.58 resolves to both mail.fairtradeusa.org and mail.transfairusa.org, but they are both in the SPF record so it should be OK.
LVL 62

Assisted Solution

by:gheist, earned 1000 total points
ID: 40284246
It looks pretty OK:
fairtradeusa.org.       3600    IN      TXT     "v=spf1 ip4:74.3.121.58/32 ip4:173.231.134.176/32 a:mail.transfairusa.org a:mail.fairtradeusa.org include:spf.protection.outlook.com -all"

I think the /32s are obsolete.
a: ? Could that be just mx/24?
Why would your recipients need to do 5 DNS lookups to accept your mail? Use IPs for hostnames.

Author Closing Comment

by:lapavoni
ID: 40284339
OK, thank you both for the suggestions. I removed the /32 and the 173.231.134.176. This IP is our static IP for our webserver. Seems irrelevant as our mail server is completely separate. I looked at our SMTP logs and all EHLO/HELO are for mail.fairtradeusa.org. We had a previous CERT in the past that only had mail.transfairusa.org, so I think that was a remnant, but we still use that as an accepted domain for our Exchange server.

I am thinking the few SPF undeliverables are just unhappy or misconfigured servers on the other end.  I checked past undeliverables and noticed a few "grey listed" messages.  Interesting concept - grey listing.  Didn't look like the best way to protect against SPAM to me ... but maybe it used to be very effective - I don't know.
LVL 62

Expert Comment

by:gheist
ID: 40284484
Make it a soft fail (~all) and maybe the remote site loads your SPF record sooner or later.
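The record gheist quoted, his point about DNS lookup count, the edits described in the closing comment and the ~all suggestion, worked through in an added example (my code, not from the thread or from openspf.org): it parses the record offline, counts the direct DNS-lookup terms, and evaluates a sender IP against the ip4 terms and the trailing all. TRIMMED is my reconstruction of the record after the closing comment's edits, and a:/mx:/include: terms are reported but not resolved, since that needs live DNS.

```python
import ipaddress

# The record gheist posted for fairtradeusa.org, copied from the thread.
RECORD = ("v=spf1 ip4:74.3.121.58/32 ip4:173.231.134.176/32 "
          "a:mail.transfairusa.org a:mail.fairtradeusa.org "
          "include:spf.protection.outlook.com -all")
# Constructed: the record as the closing comment describes it after the edits
# (/32 suffixes and the web-server IP removed).
TRIMMED = ("v=spf1 ip4:74.3.121.58 a:mail.transfairusa.org "
           "a:mail.fairtradeusa.org include:spf.protection.outlook.com -all")

LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect="}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Split a record into (qualifier, name, argument) triples after v=spf1."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for raw in tokens[1:]:
        qual = "+"                          # mechanisms default to pass
        if raw[0] in QUALIFIERS:
            qual, raw = raw[0], raw[1:]
        if "=" in raw.split(":")[0]:        # modifier, e.g. redirect=_spf.example
            name, _, arg = raw.partition("=")
            name += "="
        else:
            name, _, arg = raw.partition(":")
            name = name.split("/")[0]       # "mx/24" is still the mx mechanism
        terms.append((qual, name.lower(), arg))
    return terms

def dns_lookups(record):
    """Count top-level terms that cost a DNS query; RFC 7208 caps these at 10.
    Nested includes add their own lookups, which this offline count cannot see."""
    return sum(1 for _, name, _ in parse(record) if name in LOOKUP_TERMS)

def check_ip(record, sender_ip):
    """Evaluate a sender against ip4:/ip6: terms and the trailing all only.
    Returns (result, matched_term); a:/mx:/include: are skipped, not resolved."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, name, arg in parse(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP means /32 or /128
            if ip in net:
                return QUALIFIERS[qual], f"{name}:{arg}"
        elif name == "all":
            return QUALIFIERS[qual], "all"
    return "neutral", None                  # no all term: RFC 7208 defaults to neutral
```

Swapping -all for ~all changes only the result for senders that match nothing, which is why gheist's suggestion turns a hard reject into a soft fail without touching the listed hosts.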