Solved

Exchange 2010, 450 Sender SPF Temporary Error

Posted on 2014-10-31
Last Modified: 2015-06-02
I had an outside client report that our emails to them were being delayed by up to 8 hours.  I went looking and right off the bat, in the queue viewer I see an entry for their domain with 26 messages backed up.

All messages have the same Last Error:

450 [XXXX random ASCII characters] sender <user@mydomain.org> SPF Temporary Error

I have googled far and wide and cannot find a resolution for this.  I've checked my own SPF on MXToolbox.com and it reads as good.  I checked the destination's SPF record, it was good too.

I checked the transport log and did not have an entry for these backed up messages so I am unsure of where to look next.
Question by:Ben Hart

16 Comments

Assisted Solution

by:tshearon
tshearon earned 167 total points
Can you connect (establish an smtp connection) from your sending mail server to their mail server via telnet over port 25?

Author Comment

by:Ben Hart
I can and get the same error.

220 relay3.edgewebhosting.net ESMTP Haraka 2.2.8 ready (781407F4-755D-426A-B19D-95CEA2F010CF)
ehlo
501 [781407F4-755D-426A-B19D-95CEA2F010CF] EHLO requires domain/address - see RFC-2821 4.1.1.1
EHLO domain.net
250-relay3.edgewebhosting.net Hello internetmail.domain.net [xx.xx.xxx.xx], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250 SIZE 0
mail from: bhart@domain.net
250 sender <bhart@domain.net> OK
rcpt to: jacindac@destination.com
450 [781407F4-755D-426A-B19D-95CEA2F010CF.1] sender <bhart@domain.net> SPF Temporary Error

Expert Comment

by:tshearon
So it looks like the problem is on their end.

Author Comment

by:Ben Hart
I was unsure about whose end it's on since it specifies the sender SPF.. which I am the sender.

Author Comment

by:Ben Hart
So how could one resolve this issue, like if this was happening on my end?  MXToolbox says their SPF record is valid, could they have maybe incorrect SPF check settings?  Maybe a weird SenderID filter?
I need to be able to give them direction to support the claim that it's on their end if at all possible.

Author Comment

by:Ben Hart
Anyone?

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 166 total points
Only the Sender's SPF record is checked during mail transmission. Any chance your mail server is not always sending from the same Public IP? Are you going through any kind of outbound filtering? Whether on-premise or in the cloud? If so, is that device included in your SPF record? Any problems sending to anyone else?

Expert Comment

by:Adam Farage
Is your SPF record valid? The error you got from the EHLO Telnet session shows that this might not be the case, so I would recommend reviewing your SPF to make sure that it is 100% valid.

Author Comment

by:Ben Hart
This particular destination domain is the only one that gives this error that's been reported.  MXToolbox says my SPF is valid, and I won't be like other people and say nothing on my end has been changed.

On Tuesday of last week I added an SPF entry for a hybrid Office365 deployment.

My current (and for the last 5 years) SPF record:

"v=spf mx a:internetmail.unifiedbrands.net ?all"

On Tuesday I left that line alone and added:

"v=spf1 includes:spf.protection.outlook.com -all"


Now on Friday I removed that latter line, restarted BIND, and up until 5 hours later the problem was still occurring.

Testing it with Telnet this morning the results are different.  The error no longer occurs so... to my understanding a domain can have multiple SPF records... and since the sending address was unifiedbrands.net and not something.something.outlook.com I'd believe that the outlook SPF should not have had a dog in that fight.


Can anyone explain where the break down was?


Also for the record, we only have the one Barracuda spam filter and it does not scan outgoing items.
And only the 1 Exchange 2010 server is allowed to send out on port 25 as per the ASA 5500.


According to our parent company we *need* that Outlook related SPF record so... since the plan is to move ahead with a migration to O365 do you guys think maybe things would go smoother if I remove our SPF totally?
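
An added example, not part of the thread: a minimal Python lint of how RFC 7208 selects and parses a domain's SPF TXT records, run on the two strings quoted in the post above exactly as typed there. The function names and the merged record are constructed for illustration; it checks record selection and mechanism names only and does no DNS lookups.

```python
import re

# Mechanism names defined by RFC 7208 section 5.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

# The two TXT strings exactly as quoted in the post above.
THREAD_RECORDS = [
    "v=spf mx a:internetmail.unifiedbrands.net ?all",
    "v=spf1 includes:spf.protection.outlook.com -all",
]
# Constructed for illustration: one record carrying both senders.
CONSTRUCTED_MERGED = ("v=spf1 mx a:internetmail.unifiedbrands.net "
                      "include:spf.protection.outlook.com ?all")

def select_spf_records(txt_records):
    """RFC 7208 4.5: discard TXT strings whose version is not exactly v=spf1."""
    return [r for r in txt_records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def lint_terms(record):
    """Return syntax problems found in the terms of one selected record."""
    problems = []
    for term in record.split()[1:]:
        # name=value terms are modifiers; unknown modifiers are ignored.
        if re.match(r"^[A-Za-z][A-Za-z0-9._-]*=", term):
            continue
        bare = term[1:] if term[0] in "+-~?" else term  # drop the qualifier
        name = re.split(r"[:/]", bare, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism {term!r}")
    return problems

def evaluate_publication(txt_records):
    """Return (status, ignored_records, problems) for a domain's TXT set.

    status is 'none' or 'permerror' as in RFC 7208, or 'ok' (a lint
    verdict of this example, not an SPF result).
    """
    selected = select_spf_records(txt_records)
    ignored = [r for r in txt_records if r not in selected]
    if not selected:
        return "none", ignored, []
    if len(selected) > 1:
        return "permerror", ignored, ["more than one v=spf1 record published"]
    problems = lint_terms(selected[0])
    return ("permerror" if problems else "ok"), ignored, problems

if __name__ == "__main__":
    print(evaluate_publication(THREAD_RECORDS))
    print(evaluate_publication([CONSTRUCTED_MERGED]))
```
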

Accepted Solution

by:
Adam Farage earned 167 total points
Do NOT remove your SPF totally, as you are going to see a world of issues. My recommendation is to keep both SPF entries (for your on-prem org + O365) and when you are finished with your migration to O365 I would then remove the on-prem listing in the SPF record.

Furthermore, have you checked the recipient SPF? It was late last night when I wrote that, and thinking back now I think *their* organization's SPF might not be working. Depending on your settings you could be doing an SPF check prior to sending (which is rare, but we do it where I work).

Author Comment

by:Ben Hart
I didn't want to trust me.  I'm just not familiar enough with the 365 stuff.

So in checking the destination's SPF, MXToolbox and http://www.kitterman.com/getspf2.py both have an issue with their SPF record, but I cannot gauge what exactly the problem is.

What's going to confound this problem is that the email host has whitelisted my domain.  So I can't really test further, but according to the technical POC at the destination company my domain was the only one they had issues with.. and from my end their domain was the only one I had issues with.

Expert Comment

by:tshearon
They are always going to say that. As I said previously this is their issue. You are going to be hard pressed to troubleshoot that without their cooperation.

Expert Comment

by:Adam Farage
kitterman.com looks fine to me.

Author Comment

by:Ben Hart
I used that URL, Adam, to test the destination's SPF.  The recipient domain is unisourcemarketing.com

You did say that tshearon, but I need more info to help support that to my manager. That's why I didn't close this yet.

Expert Comment

by:Adam Farage
That SPF is fine and the DNS FQDN is not blacklisted.

Author Comment

by:Ben Hart
The problem makes no sense then.  Like I said they whitelisted my domain so I guess the problem is 'fixed' now but I'd really like to know the cause.