Solved

Unable to send email to certain domains, I get a 553 SPF error message

Posted on 2014-12-30
Last Modified: 2015-01-07
I currently administer a corporate network. We have a single email server on our corporate network. We receive emails through our ISP. They come through to our Exchange 2013 on the inbound connector. Emails going out are set to our ISP through smtp2x.isp.com. My current MX records show the following:
 corporate.com.             86400   IN      MX      5 mail.corporate.
 corporate.com.             86400   IN      MX      10 vmx1.isp.com.

 I am able to send emails to all domains but about 2 weeks ago I started receiving the same error message for emails sent to 3 particular domains:

 The following message to <user.test@corp2.com> was undeliverable.
 The reason for the problem:
 5.1.0 - Unknown address error 553-'SPF (Sender Policy Framework) domain authentication\nfail. Refer to the Troubleshooting page at\nhttp://www.symanteccloud.com/troubleshooting for more\ninformation. (#5.7.1)'

 I suspect that it could relate to my SPF records in my zone file but am not receiving any assistance from my ISP who hosts my zone file. I am trying to implement SPF to address this issue.

 Any assistance would be greatly appreciated.

 Thanks.
Question by:fijiboy
14 Comments
 

Author Comment

by:fijiboy
ID: 40524994
Just to add to my previous question. If I do need an SPF record do I need to also add in something to cater for the mail.corporate.com. ?
0
 
LVL 5

Expert Comment

by:Hello World
ID: 40525032
I want to confirm whether the destination domain has enabled the Sender ID filter; more details about it for your reference:
http://technet.microsoft.com/en-us/library/aa996295(v=exchg.150).aspx

Destination email systems use the SPF record to verify that messages originate from authorized outbound email servers. Therefore, we must create a proper SPF record on the DNS server; please refer to:
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
 
LVL 7

Expert Comment

by:dsnegi_25dec
ID: 40525058
The ISP will not help you... try to contact whichever email gateway provider you are using.

http://www.wikihow.com/Configure-an-SPF-Record-for-Your-Domain
0
 

Author Comment

by:fijiboy
ID: 40525173
@Allen Wang. Does the destination domain need to have the sender ID filter enabled for my SPF records to work?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40525195
If the ISP who hosts your domain is not prepared to help, then move the domain DNS somewhere else.
They have obviously screwed up the SPF records. Have you used any of the public tools to query the SPF records to ensure that they are correct?

SPF records have to be spot on correct, if they are not then you will have email rejected. If the ISP is changing their network configuration but failing to update the DNS records to reflect that then it is probably better to have no SPF records.

Simon.
0
 

Author Comment

by:fijiboy
ID: 40525205
Thanks. My ISP has asked me to supply them with my SPF records for the zone file. Trying to understand and come up with the correct syntax for the records.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40525216
If you are routing your email out through the ISP, then they are in the best position to answer that question.
You have to list every server (either by IP address or wildcards) that could be sending email for your domain. Your own Exchange server is not involved if you are using the ISP as a smart host, so you wouldn't list it.

Simon.
0

 
LVL 8

Expert Comment

by:Jessie Gill, CISSP
ID: 40525861
Use this link to create your SPF

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

or this

http://www.spfwizard.net/


also some information on how an SPF looks, with examples
http://www.openspf.org/FAQ/Examples
0
 

Author Comment

by:fijiboy
ID: 40526107
Hi. Thank you all for your comments... clearing a lot of doubts on my end. So my email server forwards email to my ISP to the following: smtp2x.ISP.com with an IP of 2xx.1xx.6x.2xx, this then relays the emails out. In my SPF record would I only need to refer to my MX records and my ISP connector, i.e. smtp2x.ISP.com? So something like this...

v=spf1 mx ip4:2xx.1xx.6x.2xx -all

I currently have: v=spf1 ip4:A.B.C.D ~all

where A.B.C.D refers to the external IP of my mail server.
0
 
LVL 8

Expert Comment

by:Jessie Gill, CISSP
ID: 40526125
So you are using your ISP as a smart host. As long as the header information in your email references smtp2x.isp.com as the sending server, then you could do the below. As for adding an IP, ISPs usually have multiple IP addresses, or at least change them when they want, so if you added an IP in your SPF and the ISP changes it, then you would end up with an invalid SPF. If the IP is static then add it also. Also, only use MX if the receiving servers are the same as your sending servers, because MX records are used to determine where to send mail to.

Without IP
 v=spf1 mx a:smtp2x.ISP.com -all

With IP
v=spf1 mx ip4:2xx.1xx.6x.2xx a:smtp2x.ISP.com -all
0
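How a receiving server evaluates the SPF records discussed in this thread against the IP that actually connects to it, as an added example that is not part of the original posts. The DNS answers and all IP addresses are constructed (documentation ranges), and 198.51.100.26 stands for a hypothetical second ISP relay address that smtp2x.isp.com does not resolve to.

```python
import ipaddress

# Constructed DNS answers (documentation-range IPs), not the thread's real zone.
DNS = {
    ("corporate.com", "MX"): ["mail.corporate.com", "vmx1.isp.com"],
    ("mail.corporate.com", "A"): ["192.0.2.10"],    # assumed Exchange external IP
    ("vmx1.isp.com", "A"): ["198.51.100.5"],        # assumed ISP inbound MX
    ("smtp2x.isp.com", "A"): ["198.51.100.25"],     # assumed smart-host address
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] when the name has no such record."""
    return DNS.get((name.lower().rstrip("."), rtype), [])

def check_spf(record, domain, client_ip):
    """Evaluate ip4, a, mx and all left to right (no include, redirect or macros)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # Resolved from the named host's own zone; the sender adds no A record.
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(str(ip) in lookup(h, "A") for h in hosts)
        else:
            raise ValueError(f"mechanism not handled here: {term}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def explain(record, client_ip, domain="corporate.com"):
    return f"{client_ip} against '{record}': {check_spf(record, domain, client_ip)}"

if __name__ == "__main__":
    for rec in ("v=spf1 ip4:192.0.2.10 ~all", "v=spf1 mx a:smtp2x.isp.com -all"):
        for addr in ("198.51.100.25", "198.51.100.26"):
            print(explain(rec, addr))
```

With a smart host, the address the receiver checks is the relay's, not the Exchange server's, so a record listing only the Exchange IP never matches relayed mail.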
 

Author Comment

by:fijiboy
ID: 40526257
Ok. Will try this out. How long after the zone file is updated can I run an email test?
0
 

Author Comment

by:fijiboy
ID: 40526819
Hi. My ISP has updated my zone file with my current SPF record:

"v=spf1 mx a:smtp2x.isp.com -all"

I did not create an A record for smtp2x.isp.com but only mentioned it in the SPF record.

I also did an nslookup on google and get the correct record, but I am still getting the same error:

The following message to <user.test@example.com> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 553-'SPF (Sender Policy Framework) domain authentication\nfail. Refer to the Troubleshooting page at\nhttp://www.symanteccloud.com/troubleshooting for more\n information. (#5.7.1)'

This only happens to the 3 domains that we try to send emails to. Emails to every other domain works perfectly.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40528871
Are all three domains returning the same error? If so, it could be that the change isn't being seen by the Symantec Cloud service (previously known as Message Labs).
You probably don't get the error on other domains because most sites do not use SPF records.

Simon.
0
 

Author Comment

by:fijiboy
ID: 40532450
Hi Simon.

Yes that is correct. The situation has improved slightly with some emails to the 3 domains going through and some getting this error.

Still trying to work through it using suggestions from this forum and research.

Thanks.
0
