Solved

SPF record preventing a user from sending e-mails

Posted on 2014-10-14
23
301 Views
Last Modified: 2014-10-25
Hi

   There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <hbex01.domainname.com #5.5.0 smtp;550 SPF: x.x.x.x is not allowed to send mail from domainname.com>

When I preform the following command in NSLOOKUP

Set type=txt
domainname.com

I get the following

"v=spf1 mx ptr mx:mx.domainname.com mx:mx.domainname.com -all"

I am not sure what the ptr here means (Reversed IP) ?

Now I do not know the Service Provider for this client and obviously I need to change the spf record ...what is the best way or best tool to know where this domain and his mail mx record is registered? What does the ptr means here?

Thanks
0
Comment
Question by:M SOS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 12
  • 9
23 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381078
You can go to http://www.whois.com/whois/domainname.com which should tell you where the Nameservers for the domain are located.

You can also visit www.dnsstuff.com and run a domain report (might not be free).

Alan
0
 

Author Comment

by:M SOS
ID: 40381081
One more question please:

I am right thinking that the SPF record which verify the sender does not match user address?
0
 

Author Comment

by:M SOS
ID: 40381092
When I go to mxtoolbox.com and run a SPF check I get


Test      Result
OK      SPF Record Deprecated      There are no records of type SPF
OK      SPF Invalid Syntax              The SPF record is valid
OK      SPF No Records                      SPF record found
OK      SPF Multiple Records              Less than two SPF records found

So what could be the problem?
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381109
An SPF record publishes the mail servers that are permitted to send mail on behalf of a domain, so if someone sends an email, the recipient is able to check the SPF for the sending domain name to verify if the IP Address that the email is coming from is listed as one of the authorised servers to send mail on behalf of that domain.

If the check fails, then the recipient server is able to reject the mail with an SPF Fail result.

You can use the following site to check / verify an SPF record and the sending IP, so that you can get the SPF right.

http://www.kitterman.com/spf/validate.html

It is better to have no SPF record than a badly configured one.

If you want to post / email me the domain name and I can get more specific (I can hide the domain name here if you post it so that it doesn't become public property) / run the cheek for you.

Alan
0
 
LVL 27

Expert Comment

by:davorin
ID: 40381112
Here you can see the explanation of usage of spf records:
http://helpwiki.easydns.com/index.php/Sender_Policy_Framework

ptr means that hostname(s) for the client IP address are looked from PTR (or reverse DNS) records.

In short, with SPF record you can specify from which hosts, servers and IP addresses can be sent mails from specified domain.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381115
Oh - and by the way - welcome to Experts Exchange.  Hope you find it to be a useful and helpful site :)

Alan
0
 

Author Comment

by:M SOS
ID: 40381118
Thanks

Here is the test.

SPF record lookup and validation for: domainname.com

SPF records are published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 mx ptr mx:mx.domainname.com mx:mx.domainname.com -all

Checking to see if there is a valid SPF record.

Found v=spf1 record for domainname.com:
v=spf1 mx ptr mx:mx.domainname.com mx:mx.domainname.com -all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!

I think he is the only user in his domain that get a rejected message.

Why is that any help please?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381124
If the test passes - are you adding in all the correct settings for the particular user?

If you have an Exchange server - is the user configured to use Outlook Anywhere so that emails are actually sent from the server and not Outlook locally or is the user configured using a POP3 account?

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381130
In the SPF Test page, enter the IP that failed according to the rejection.  Enter the SPF record into the 2nd field, then the email address in the 3rd and the FQDN on the SEND Connector of your Exchange server and then test.

Does it pass still?
0
 

Author Comment

by:M SOS
ID: 40381144
Apparently  I cannot test the SPF I am unable to enter the SPF format correctly

mbiguous SPF Ambiguity Warning: No MX records found for mx mechanism: mx.domain.com
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381157
I hid the domain name you may have inadvertently posted :)

According to the DNS Report I ran on the domain name, you use Google for Mail.

Your SPF record should work with just the following info:

v=spf1 mx ptr -all

Anything else is just a waste of time (not to mention incorrectly configured).
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381161
You may also want to check with Google that the SPF record you have configured is correct and amend it accordingly.
0
 

Author Comment

by:M SOS
ID: 40381162
NO I meant to give it to you in my last post
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381171
Ah - not a problem.  Thank you.  Details all hidden.

The IP Address you posted will fail the SPF check as it isn't a Postini IP Address / isn't included within the scope of the MX part of the SPF record.

Is that the sending IP for all users or just this one problem user?
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 40381173
According to the following Postini page:

https://support.google.com/postini/answer/132370?hl=en

SPF outbound:
Setting up SPF DNS entries as follows will minimize non-deliveries through outbound. Use this if you ONLY send your outgoing messages via email security outbound services:


"v=spf1 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:74.125.148.0/22 ip4:74.125.244.0/22 ip4:123.45.6.7 ~all"

Running a test on the test site gives an SPF PASS result using that IP Address.
0
 

Author Comment

by:M SOS
ID: 40381176
There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <server.domain.com #5.5.0 smtp;550 SPF: 207.xxx.xx.200 is not allowed to send mail from domain.com>

The user gets this msg when he sends an e-mail

I am confused now What should I do?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381183
Looks like the control panel for the domain is located here:

http://www.dotster.com

You will need to login (or ask George for details) and then change the SPF record to the one listed above (v=spf1 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:74.125.148.0/22 ip4:74.125.244.0/22 ip4:123.45.6.7 ~all) and the problem should go away.

Do you know if you / George has access to this site to login?

Alan
0
 

Author Comment

by:M SOS
ID: 40381186
I will check when I get in touch...

Thanks very much for your help .. I will keep you updated.
0
 

Author Comment

by:M SOS
ID: 40381201
Just a thought though

Why he is the only user in the domain who can not send e-mails?

I think the rest of the users are fine!

Thanks
0
 

Author Comment

by:M SOS
ID: 40381206
and where did you get these ip addresses from pleas? ip4:64.18.0.0/20 74.125.148.0/22

74.125.244.0/22 ip4:123.45.6.7 ?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381210
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381212
Does he always face the problem or only when at home / away from the office, or is it just certain domains he sends to?
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
how to add IIS SMTP to handle application/Scanner relays into office 365.
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question