Unable to send email to certain domains, I get a 553 SPF error message

I currently administer a corporate network. We have a single email server on our corporate network. We receive emails through our ISP. They come through to our Exchange 2013 on the inbound connector. Emails going out are sent to our ISP through smtp2x.isp.com. My current MX records show the following:
 corporate.com.             86400   IN      MX      5 mail.corporate.
 corporate.com.             86400   IN      MX      10 vmx1.isp.com.

 I am able to send emails to all domains but about 2 weeks ago I started receiving the same error message for emails sent to 3 particular domains:

 The following message to <user.test@corp2.com> was undeliverable.
 The reason for the problem:
 5.1.0 - Unknown address error 553-'SPF (Sender Policy Framework) domain authentication\nfail. Refer to the Troubleshooting page at\nhttp://www.symanteccloud.com/troubleshooting for more\ninformation. (#5.7.1)'

 I suspect that it could relate to my SPF records in my zone file but am not receiving any assistance from my ISP who hosts my zone file. I am trying to implement SPF to address this issue.

 Any assistance would be greatly appreciated.

 Thanks.
fijiboyAsked:

fijiboyAuthor Commented:
Just to add to my previous question. If I do need an SPF record do I need to also add in something to cater for the mail.corporate.com. ?
0
Hello WorldCommented:
I want to confirm whether the destination domain has the Sender ID filter enabled; more details about it for your reference:
http://technet.microsoft.com/en-us/library/aa996295(v=exchg.150).aspx

Destination email systems use SPF records to verify that messages originate from authorized outbound email servers. Therefore, we must create a proper SPF record in the DNS server; please refer to:
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
dsnegi_25decCommented:
The ISP will not help you... try to contact the email gateway provider, whichever one you are using.

http://www.wikihow.com/Configure-an-SPF-Record-for-Your-Domain
0
fijiboyAuthor Commented:
@Allen Wang. Does the destination domain need to have the Sender ID filter enabled for my SPF records to work?
0
Simon Butler (Sembee)ConsultantCommented:
If the ISP who hosts your domain is not prepared to help, then move the domain DNS somewhere else.
They have obviously screwed up the SPF records. Have you used any of the public tools to query the SPF records to ensure that they are correct?

SPF records have to be spot-on correct; if they are not, you will have email rejected. If the ISP is changing their network configuration but failing to update the DNS records to reflect that, then it is probably better to have no SPF records.

Simon.
0
fijiboyAuthor Commented:
Thanks. My ISP has asked me to supply them with my SPF records for the zone file. Trying to understand and come up with the correct syntax for the records.
0
Simon Butler (Sembee)ConsultantCommented:
If you are routing your email out through the ISP, then they are in the best position to answer that question.
You have to list every server (either by IP address or wildcards) that could be sending email for your domain. Your own Exchange server is not involved if you are using the ISP as a smart host, so you wouldn't list it.

Simon.
0
Jessie Gill, CISSPTechnical ArchitectCommented:
Use this link to create your SPF

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

or this

http://www.spfwizard.net/


also some information on how an SPF looks, with examples
http://www.openspf.org/FAQ/Examples
0
fijiboyAuthor Commented:
Hi. Thank you all for your comments... clearing a lot of doubts on my end. So my email server forwards email to my ISP at the following: smtp2x.ISP.com with an IP of 2xx.1xx.6x.2xx, which then relays the emails out. In my SPF record would I only need to refer to my MX records and my ISP connector, i.e. smtp2x.ISP.com? So something like this...

v=spf1 mx ip4:2xx.1xx.6x.2xx -all

I currently have: v=spf1 ip4:A.B.C.D ~all

where A.B.C.D refers to the external IP of my mail server.
0
Jessie Gill, CISSPTechnical ArchitectCommented:
So you are using your ISP as a smart host. As long as the header information in your email references smtp2x.isp.com as the sending server, then you could do the below. As for adding an IP, usually ISPs have multiple IP addresses, or at least change them when they want, so if you added an IP in your SPF and the ISP changes it, then you would end up with an invalid SPF. If the IP is static then add it also. Also only use MX if your receiving servers are the same as your sending servers, because MX records are used to determine where to send mail to.

Without IP
 v=spf1 mx a:smtp2x.ISP.com -all

With IP
v=spf1 mx ip4:2xx.1xx.6x.2xx a:smtp2x.ISP.com -all
0
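To make the point above concrete, here is an added example (not from the thread or any poster) of a minimal SPF evaluator run against a constructed DNS table with hypothetical IPs: it shows why a record that lists only the Exchange server's own IP does not match when the ISP smart host is the machine the receiving side actually sees, while `mx` plus `a:smtp2x.isp.com` does.

```python
import ipaddress

# Constructed DNS table standing in for real lookups (hypothetical hosts and IPs).
# smtp2x.isp.com lives in the ISP's zone, so the a: mechanism resolves it there;
# corporate.com's own zone needs no A record for it.
DNS = {
    ("corporate.com", "MX"): ["mail.corporate.com", "vmx1.isp.com"],
    ("mail.corporate.com", "A"): ["203.0.113.10"],
    ("vmx1.isp.com", "A"): ["198.51.100.5"],
    ("smtp2x.isp.com", "A"): ["198.51.100.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def a_addrs(host):
    return DNS.get((host, "A"), [])


def mx_addrs(domain):
    return [ip for mx in DNS.get((domain, "MX"), []) for ip in a_addrs(mx)]


def check_spf(record, domain, client_ip):
    """Evaluate an SPF record for one connecting IP: pass/fail/softfail/neutral/none.
    Supports the mechanisms used in this thread: all, mx[:domain], a[:host], ip4:addr[/cidr]."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"  # a mechanism with no qualifier means pass on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "mx":
            matched = any(ipaddress.ip_address(a) == ip for a in mx_addrs(arg or domain))
        elif name == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in a_addrs(arg or domain))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError("unsupported mechanism: " + name)
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term present


RELAY_IP = "198.51.100.25"  # the IP a receiver sees when the ISP smart host relays the mail


def compare_records():
    old = "v=spf1 ip4:203.0.113.10 ~all"     # only the Exchange server's own external IP
    new = "v=spf1 mx a:smtp2x.isp.com -all"  # the ISP relay that actually delivers
    return check_spf(old, "corporate.com", RELAY_IP), check_spf(new, "corporate.com", RELAY_IP)
```

With the relay IP as the client, `compare_records()` returns `("softfail", "pass")`; an IP listed nowhere gets `fail` from the `-all` record.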
fijiboyAuthor Commented:
Ok. Will try this out. How long after the zone file is updated can I run an email test?
0
fijiboyAuthor Commented:
Hi. My ISP has updated my zone file with my current SPF record:

"v=spf1 mx a:smtp2x.isp.com -all"

I did not create an A record for smtp2x.isp.com but only mentioned it in the SPF record.

I also did an nslookup on google and get the correct record, but I am still getting the same error:

The following message to <user.test@example.com> was undeliverable.
The reason for the problem:
5.1.0 - Unknown address error 553-'SPF (Sender Policy Framework) domain authentication\nfail. Refer to the Troubleshooting page at\nhttp://www.symanteccloud.com/troubleshooting for more\n information. (#5.7.1)'

This only happens with the 3 domains that we try to send emails to. Emails to every other domain work perfectly.
0
Simon Butler (Sembee)ConsultantCommented:
Are all three domains returning the same error? If so, it could be that the change isn't being seen by the Symantec Cloud service (previously known as Message Labs).
You probably don't get the error on other domains because most sites do not use SPF records.

Simon.
1

fijiboyAuthor Commented:
Hi Simon.

Yes that is correct. The situation has improved slightly with some emails to the 3 domains going through and some getting this error.

Still trying to work through it using suggestions from this forum and research.

Thanks.
0