Exchange 2010, 450 Sender SPF Temporary Error

I had an outside client report that our emails to them were being delayed by up to 8 hours.  I went looking and right off the bat, in the queue viewer I see an entry for their domain with 26 messages backed up.

All messages have the same Last Error:

450 [XXXX random ACSII characters] sender <> SPF Temporary Error

I have googled far and wide and cannot find a resolution for this.  I've checked my own SPF on and it reads as good.  I checked the destinations's SPF record, it was good too.

I checked the transport log and did not have an entry for these backed up messages so I am unsure of where to look next.
LVL 14
Ben HartAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Can you connect (establish an smtp connection) from your sending mail server to their mail server via telnet over port 25?
Ben HartAuthor Commented:
I can and get the same error.

220 ESMTP Haraka 2.2.8 ready (781407F4-755D-426A-B19D-
501 [781407F4-755D-426A-B19D-95CEA2F010CF] EHLO requires domain/address - see RF
EHLO Hello []
], Haraka is at your service.
250 SIZE 0
mail from:
250 sender <> OK
rcpt to:
450 [781407F4-755D-426A-B19D-95CEA2F010CF.1] sender <> SP
F Temporary Error
So it looks like the problem is on their end.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Ben HartAuthor Commented:
I was unsure about whose end it's on since it specifies the sender SPF.. which I am the sender.
Ben HartAuthor Commented:
So how could one resolve this issue, like if this was happened on my end?  MXToolbox says their SPF record is valid, could they have maybe incorrect SPF check settings?  Maybe a weird SenderID filter?
I need to be able to give them direction to support the claim that it's on their end if at all possible.
Ben HartAuthor Commented:
Gareth GudgerSolution ArchitectCommented:
Only the Sender's SPF record is checked during mail transmission. Any chance your mail server is not always sending from the same Public IP? Are you going through any kind of outbound filtering? Whether on-premise or in the cloud? If so, is that device included in your SPF record? Any problems sending to anyone else?
Adam FarageSr. Enterprise ArchitectCommented:
Is your SPF record valid? The error you got from the EHLO Telnet session shows that this might not be the case, so I would recommend reviewing your SPF to make sure that it is 100% valid.
Ben HartAuthor Commented:
This particular destination domain is the only one that gives this error that's been reported.  MXToolbox says my SPF is valid, and I won;t be like other people and say nothing on my end has been changed.

On Tuesday of last week I added an SPF entry for a hybrid Office365 deployment.

My current (and for the last 5 years) SPF record:

"v=spf mx ?all"

On Tuesday I left that line alone and added:

"v=spf1 -all"

Now on Friday I removed that latter line, restarted BIND And up until 5 hours later the problem was still occurring.

Testing it with Telnet this morning the results are different.  The error no longer occurs so... to my understanding a domain can have multiple SPF records... and since the sending address was and not I'd believe that the outlook SPF should not have had a dog in that fight.

Can anyone explain where the break down was?

Also for the record, we only have the one Barracuda spam filter and it does not scan outgoing items.
And only the 1 Exchange 2010 server is allowed to send out on port 25 as per the ASA 5500.

According to our parent company we *need* that Outlook related SPF record so... since the plan is to move ahead with a migration to O365 do you guys think maybe things would go smoother if I remove our SPF totally?
Adam FarageSr. Enterprise ArchitectCommented:
Do NOT remove your SPF totally, as you are going to see a world of issues. My recommendation is to keep both SPF entries (for your on-prem org + O365) and when you are finished with your migration to O365 I would then remove the on-prem listing in the SPF record.

Furthermore have you checked the recipient SPF. It was late last night when I wrote that and thinking back now I think *there* organization's SPF might not be working. Depending on your settings you could be doing an SPF check prior to sending (which is rare, but we do it where I work).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ben HartAuthor Commented:
I did'nt want to trust me.  I'm just not familiar enough with the 365 stuff.

So in checking the destinations SPF MXToolbox, both have an issue with their SPF record but I cannot gauge what exactly the problem is.

What's going to confound this problem is that email host has whitelisted my domain.  So I can't really test further, but according to the technical POC at the destination company my domain was the only ones they had issues with.. and from my end their domain was the only one I had issues with.
They are always going to say that. As I said previously this is their issue. You are going to be hard pressed to troubleshoot that without their cooperation.
Adam FarageSr. Enterprise ArchitectCommented: looks fine to me.
Ben HartAuthor Commented:
I used that url Adam, to test the destination's SPF>  The recipient domain is

You did say that tshearon, but I need more info to help support that to my manager. That's why I didn't close this yet.
Adam FarageSr. Enterprise ArchitectCommented:
That SPF is fine and the DNS FQDN is not blacklisted.
Ben HartAuthor Commented:
The problem makes no sense then.  Like I said they whitelisted my domain so I guess the problem is 'fixed' now but I'd really like to know the cause.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.