Solved

SPF record preventing a user from sending e-mails

Posted on 2014-10-14
Last Modified: 2014-10-25
Hi

   There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <hbex01.domainname.com #5.5.0 smtp;550 SPF: x.x.x.x is not allowed to send mail from domainname.com>

When I perform the following command in NSLOOKUP

Set type=txt
domainname.com

I get the following

"v=spf1 mx ptr mx:mx.domainname.com mx:mx.domainname.com -all"

I am not sure what the ptr here means (Reversed IP) ?

Now I do not know the Service Provider for this client and obviously I need to change the SPF record ... what is the best way or best tool to know where this domain and its mail MX record are registered? What does the ptr mean here?

Thanks
0
Question by:M SOS
23 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381078
You can go to http://www.whois.com/whois/domainname.com which should tell you where the Nameservers for the domain are located.

You can also visit www.dnsstuff.com and run a domain report (might not be free).

Alan
0
 

Author Comment

by:M SOS
ID: 40381081
One more question please:

Am I right in thinking that the SPF record which verifies the sender does not match the user address?
0
 

Author Comment

by:M SOS
ID: 40381092
When I go to mxtoolbox.com and run a SPF check I get


Test      Result
OK      SPF Record Deprecated      There are no records of type SPF
OK      SPF Invalid Syntax              The SPF record is valid
OK      SPF No Records                      SPF record found
OK      SPF Multiple Records              Less than two SPF records found

So what could be the problem?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381109
An SPF record publishes the mail servers that are permitted to send mail on behalf of a domain, so if someone sends an email, the recipient is able to check the SPF for the sending domain name to verify if the IP Address that the email is coming from is listed as one of the authorised servers to send mail on behalf of that domain.

If the check fails, then the recipient server is able to reject the mail with an SPF Fail result.

You can use the following site to check / verify an SPF record and the sending IP, so that you can get the SPF right.

http://www.kitterman.com/spf/validate.html

It is better to have no SPF record than a badly configured one.

If you want to post / email me the domain name, I can get more specific (I can hide the domain name here if you post it so that it doesn't become public property) / run the check for you.

Alan
0
 
LVL 27

Expert Comment

by:davorin
ID: 40381112
Here you can see the explanation of usage of spf records:
http://helpwiki.easydns.com/index.php/Sender_Policy_Framework

ptr means that hostname(s) for the client IP address are looked up from PTR (or reverse DNS) records.

In short, with an SPF record you can specify which hosts, servers and IP addresses may send mail from the specified domain.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381115
Oh - and by the way - welcome to Experts Exchange.  Hope you find it to be a useful and helpful site :)

Alan
0
 

Author Comment

by:M SOS
ID: 40381118
Thanks

Here is the test.

SPF record lookup and validation for: domainname.com

SPF records are published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 mx ptr mx:mx.domainname.com mx:mx.domainname.com -all

Checking to see if there is a valid SPF record.

Found v=spf1 record for domainname.com:
v=spf1 mx ptr mx:mx.domainname.com mx:mx.domainname.com -all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!

I think he is the only user in his domain that gets a rejected message.

Why is that? Any help please?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381124
If the test passes - are you adding in all the correct settings for the particular user?

If you have an Exchange server - is the user configured to use Outlook Anywhere so that emails are actually sent from the server and not Outlook locally or is the user configured using a POP3 account?

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381130
In the SPF Test page, enter the IP that failed according to the rejection.  Enter the SPF record into the 2nd field, then the email address in the 3rd and the FQDN on the SEND Connector of your Exchange server and then test.

Does it pass still?
0
 

Author Comment

by:M SOS
ID: 40381144
Apparently I cannot test the SPF; I am unable to enter the SPF format correctly.

mbiguous SPF Ambiguity Warning: No MX records found for mx mechanism: mx.domain.com
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381157
I hid the domain name you may have inadvertently posted :)

According to the DNS Report I ran on the domain name, you use Google for Mail.

Your SPF record should work with just the following info:

v=spf1 mx ptr -all

Anything else is just a waste of time (not to mention incorrectly configured).
0

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381161
You may also want to check with Google that the SPF record you have configured is correct and amend it accordingly.
0
 

Author Comment

by:M SOS
ID: 40381162
No, I meant to give it to you in my last post.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381171
Ah - not a problem.  Thank you.  Details all hidden.

The IP Address you posted will fail the SPF check as it isn't a Postini IP Address / isn't included within the scope of the MX part of the SPF record.

Is that the sending IP for all users or just this one problem user?
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 40381173
According to the following Postini page:

https://support.google.com/postini/answer/132370?hl=en

SPF outbound:
Setting up SPF DNS entries as follows will minimize non-deliveries through outbound. Use this if you ONLY send your outgoing messages via email security outbound services:


"v=spf1 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:74.125.148.0/22 ip4:74.125.244.0/22 ip4:123.45.6.7 ~all"

Running a test on the test site gives an SPF PASS result using that IP Address.
0
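To make the difference between the two records in this thread concrete, here is an added example (not part of the original thread and not any poster's code) that walks an SPF record left to right and matches a sender IP against its ip4/ip6 and all terms only. The function name and the sender IPs are constructed for illustration; mechanisms that need DNS (mx, ptr, a, include) are not resolved but reported as skipped, so a result that follows skipped terms holds only if none of them would have matched.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Records quoted in the thread.
ORIGINAL_RECORD = "v=spf1 mx ptr mx:mx.domainname.com mx:mx.domainname.com -all"
POSTINI_RECORD = ("v=spf1 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
                  "ip4:74.125.148.0/22 ip4:74.125.244.0/22 ip4:123.45.6.7 ~all")


def evaluate_spf_offline(record, sender_ip):
    """Return (result, matched_term, skipped_terms) without doing any DNS.

    Terms are evaluated left to right and the first match wins. Only ip4,
    ip6 and all are decided here; everything else is listed in skipped_terms.
    """
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            skipped.append(term)
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], term, skipped
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], term, skipped
        else:
            skipped.append(term)  # mx, ptr, a, include, exists need DNS
    return "neutral", None, skipped  # no term matched and no "all" present


if __name__ == "__main__":
    # Constructed sender IPs: one inside a listed range, one outside all of them.
    for rec in (ORIGINAL_RECORD, POSTINI_RECORD):
        for addr in ("64.18.5.10", "198.51.100.25"):
            print(addr, evaluate_spf_offline(rec, addr))
```

With the original record every decision depends on the MX and PTR lookups, and an address outside them ends at `-all` (a hard fail, which receivers may reject with a 550); with the ip4 record the same unlisted address ends at `~all`, a softfail.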
 

Author Comment

by:M SOS
ID: 40381176
There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <server.domain.com #5.5.0 smtp;550 SPF: 207.xxx.xx.200 is not allowed to send mail from domain.com>

The user gets this msg when he sends an e-mail.

I am confused now. What should I do?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381183
Looks like the control panel for the domain is located here:

http://www.dotster.com

You will need to login (or ask George for details) and then change the SPF record to the one listed above (v=spf1 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:74.125.148.0/22 ip4:74.125.244.0/22 ip4:123.45.6.7 ~all) and the problem should go away.

Do you know if you / George has access to this site to login?

Alan
0
 

Author Comment

by:M SOS
ID: 40381186
I will check when I get in touch...

Thanks very much for your help .. I will keep you updated.
0
 

Author Comment

by:M SOS
ID: 40381201
Just a thought though

Why is he the only user in the domain who cannot send e-mails?

I think the rest of the users are fine!

Thanks
0
 

Author Comment

by:M SOS
ID: 40381206
And where did you get these IP addresses from, please? ip4:64.18.0.0/20 74.125.148.0/22 74.125.244.0/22 ip4:123.45.6.7?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381210
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40381212
Does he always face the problem or only when at home / away from the office, or is it just certain domains he sends to?
0
