Unable to send email to certain domains, I get a 553 SPF error message

I currently administer a corporate network. We have a single email server on our corporate network. We receive emails through our ISP; they come through to our Exchange 2013 on the inbound connector. Emails going out are sent to our ISP through smtp2x.isp.com. My current MX records show the following:
 corporate.com.             86400   IN      MX      5 mail.corporate.
 corporate.com.             86400   IN      MX      10 vmx1.isp.com.

 I am able to send emails to all domains but about 2 weeks ago I started receiving the same error message for emails sent to 3 particular domains:

 The following message to <user.test@corp2.com> was undeliverable.
 The reason for the problem:
 5.1.0 - Unknown address error 553-'SPF (Sender Policy Framework) domain authentication\nfail. Refer to the Troubleshooting page at\nhttp://www.symanteccloud.com/troubleshooting for more\ninformation. (#5.7.1)'

 I suspect that it could relate to my SPF records in my zone file but am not receiving any assistance from my ISP who hosts my zone file. I am trying to implement SPF to address this issue.

 Any assistance would be greatly appreciated.

 Thanks.
fijiboyAuthor Commented:
Just to add to my previous question: if I do need an SPF record, do I need to also add something to cater for mail.corporate.com.?

Hello WorldCommented:
I want to confirm whether the destination domain has the Sender ID filter enabled; more details about it for your reference:
http://technet.microsoft.com/en-us/library/aa996295(v=exchg.150).aspx

Destination email systems use the SPF record to verify that messages originate from authorized outbound email servers. Therefore, we must create a proper SPF record on the DNS server; please refer to:
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

dsnegi_25decCommented:
The ISP will not help you... try to contact whichever email gateway provider you are using.

http://www.wikihow.com/Configure-an-SPF-Record-for-Your-Domain
fijiboyAuthor Commented:
@Allen Wang: Does the destination domain need to have the Sender ID filter enabled for my SPF records to work?

Simon Butler (Sembee)ConsultantCommented:
If the ISP who hosts your domain is not prepared to help, then move the domain DNS somewhere else.
They have obviously screwed up the SPF records. Have you used any of the public tools to query the SPF records to ensure that they are correct?

SPF records have to be spot on correct, if they are not then you will have email rejected. If the ISP is changing their network configuration but failing to update the DNS records to reflect that then it is probably better to have no SPF records.

Simon.
fijiboyAuthor Commented:
Thanks. My ISP has asked me to supply them with my SPF records for the zone file. I am trying to understand and come up with the correct syntax for the records.

Simon Butler (Sembee)ConsultantCommented:
If you are routing your email out through the ISP, then they are in the best position to answer that question.
You have to list every server (either by IP address or wildcards) that could be sending email for your domain. Your own Exchange server is not involved if you are using the ISP as a smart host, so you wouldn't list it.

Simon.
Jessie Gill, CISSPCommented:
Use this link to create your SPF

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

or this

http://www.spfwizard.net/


also some information on how an SPF looks, with examples
http://www.openspf.org/FAQ/Examples
fijiboyAuthor Commented:
Hi. Thank you all for your comments, they are clearing up a lot of doubts on my end. So my email server forwards email to my ISP at smtp2x.ISP.com with an IP of 2xx.1xx.6x.2xx, which then relays the emails out. In my SPF record, would I only need to refer to my MX records and my ISP connector, i.e. smtp2x.ISP.com? So something like this:

v=spf1 mx ip4:2xx.1xx.6x.2xx -all

I currently have: v=spf1 ip4:A.B.C.D ~all

where A.B.C.D refers to the external IP of my mail server.
Jessie Gill, CISSPCommented:
So you are using your ISP as a smart host. As long as the header information in your email references smtp2x.isp.com as the sending server, you could do the below. As for adding an IP: usually ISPs have multiple IP addresses, or at least change them when they want, so if you added an IP to your SPF and the ISP changed it, you would end up with an invalid SPF. If the IP is static, then add it also. Also, only use MX if your receiving servers are the same as your sending servers, because MX records are used to determine where to send mail to.

Without IP
 v=spf1 mx a:smtp2x.ISP.com -all

With IP
v=spf1 mx ip4:2xx.1xx.6x.2xx a:smtp2x.ISP.com -all
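To make concrete what Simon's "list every server that could be sending for your domain" and Jessie's mx / a: / ip4: / -all explanation mean to a receiving server, here is a minimal SPF evaluator (a subset of RFC 7208) run against a constructed, in-memory DNS table that mirrors this thread's setup. It is an added example, not code posted by anyone in the thread. The hostnames follow the thread; the IP addresses (documentation ranges standing in for the masked A.B.C.D and 2xx.1xx.6x.2xx) and the DNS table itself are assumptions. It shows that with the author's original record (only Exchange's IP listed) mail relayed through the ISP smart host does not pass, while the record from the answer above passes for the smart host and for the MX hosts and hard-fails for anyone else.

```python
"""Minimal SPF evaluator (subset of RFC 7208) over a constructed DNS table.

Added example for this thread, not code posted by anyone in it.  Hostnames
follow the thread; the IP addresses and the whole DNS table are assumptions
(documentation ranges stand in for the masked A.B.C.D / 2xx.1xx.6x.2xx).
"""
import ipaddress

# Constructed DNS data mirroring the setup in the thread (assumed values).
DNS = {
    "TXT": {
        "corporate.com": ["v=spf1 mx a:smtp2x.isp.com -all"],
    },
    "MX": {
        "corporate.com": ["mail.corporate.com", "vmx1.isp.com"],
    },
    "A": {
        "mail.corporate.com": ["203.0.113.10"],  # Exchange's external IP (A.B.C.D)
        "vmx1.isp.com": ["198.51.100.20"],       # ISP's inbound backup MX
        "smtp2x.isp.com": ["198.51.100.30"],     # ISP smart host that actually sends
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Offline stand-in for a DNS query; returns [] for unknown names."""
    return DNS.get(rtype, {}).get(name.lower().rstrip("."), [])


def get_spf(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent or ambiguous."""
    spf = [t for t in lookup("TXT", domain) if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def mechanism_matches(mech, ip, domain):
    """Does one mechanism (qualifier already stripped) match the sending IP?"""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name == "ip4":
        # A bare address like ip4:203.0.113.10 is treated as a /32.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip in lookup("A", arg or domain)
    if name == "mx":
        # mx = every A record of every MX host of the domain.
        return any(ip in lookup("A", mx) for mx in lookup("MX", arg or domain))
    if name == "include":
        return check_host(ip, arg) == "pass"
    raise ValueError(f"unsupported mechanism: {mech}")


def evaluate(record, ip, domain):
    """Walk the record left to right; the first matching mechanism decides."""
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        if "=" in term:                      # modifiers (redirect=, exp=) not handled
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"                         # record ended without an "all" term


def check_host(ip, domain):
    """check_host() as a receiver runs it: fetch the domain's record, then evaluate."""
    record = get_spf(domain)
    return "none" if record is None else evaluate(record, ip, domain)


if __name__ == "__main__":
    smart_host, exchange, stranger = "198.51.100.30", "203.0.113.10", "192.0.2.99"
    old = "v=spf1 ip4:203.0.113.10 ~all"   # the record the author started with
    print("old record, relayed via ISP smart host:", evaluate(old, smart_host, "corporate.com"))
    print("new record, relayed via ISP smart host:", check_host(smart_host, "corporate.com"))
    print("new record, Exchange sending directly: ", check_host(exchange, "corporate.com"))
    print("new record, unrelated host, our domain:", check_host(stranger, "corporate.com"))
```

This toy skips CIDR suffixes on a/mx, macros, redirect=, and the RFC 7208 limit of 10 DNS-querying terms, so it is for reasoning about a record, not for production filtering. To check the real thing, replace the table with live answers (dig TXT corporate.com, dig A smtp2x.isp.com) and feed in the IP that appears in the Received: header of a message that was rejected. Bear in mind that if the SPF TXT record carries the same 86400-second TTL the MX records above show, resolvers that cached the old value can keep returning it for up to a day after the zone is updated.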
fijiboyAuthor Commented:
Ok. Will try this out. How long after the zone file is updated can I run an email test?
fijiboyAuthor Commented:
Hi. My ISP has updated my zone file with my current SPF record:

"v=spf1 mx a:smtp2x.isp.com -all"

I did not create an A record for smtp2x.isp.com but only mentioned it in the SPF record.

I also did an nslookup on Google and got the correct record, but I am still getting the same error:

The following message to <user.test@example.com> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 553-'SPF (Sender Policy Framework) domain authentication\nfail. Refer to the Troubleshooting page at\nhttp://www.symanteccloud.com/troubleshooting for more\n information. (#5.7.1)'

This only happens to the 3 domains that we try to send emails to. Emails to every other domain works perfectly.
Simon Butler (Sembee)ConsultantCommented:
Are all three domains returning the same error? If so, it could be that the change isn't being seen by the Symantec Cloud service (previously known as Message Labs).
You probably don't get the error on other domains because most sites do not use SPF records.

Simon.
fijiboyAuthor Commented:
Hi Simon.

Yes that is correct. The situation has improved slightly with some emails to the 3 domains going through and some getting this error.

Still trying to work through it using suggestions from this forum and research.

Thanks.