Solved

Email rejected SPF

Posted on 2015-01-13
Last Modified: 2015-03-29
Hi.

I run a corporate network that runs Exchange 2013. We are having issues with sending emails to a certain domain. Below is the error message I receive:


The following message to <Rosemary.Joe@towerinsurance.com.fj> was undeliverable.
The reason for the problem:
5.3.0 - Other mail system problem 550-'5.7.1 Message rejected (SPF)


I would appreciate any assistance provided.

Thanks,
0
Question by:fijiboy
17 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 40547902
Run the following command using the sender's email address

nslookup -q=txt <domain of sender>

There should be a reference to the authorized source of the emails. The source of the mailing that is being rejected fell outside that rule and the recipient's server is configured for strict enforcement.

Without the full info, this is as good as I can do.
0
 
LVL 19

Expert Comment

by:R--R
ID: 40547909
Do you have a PTR or spf record created for your domain?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40547913
If your emails are being rejected because of SPF, it says that you have an SPF (Sender Policy Framework) record that doesn't include the IP Address that you are sending your emails from.

You can run an SPF report here http://mxtoolbox.com/NetworkTools.aspx

Then if you check using http://www.kitterman.com/spf/validate.html (bottom of the screen) you can enter your relevant details, SPF record, IP Address and mail server FQDN and see if the test passes or fails.

If the test fails, you need to amend your SPF record to make sure that you get a pass. Alternatively, remove the SPF record completely as it is better to not have an SPF record than it is to have an invalid one.

Alan
0
 

Author Comment

by:fijiboy
ID: 40547946
I have the following from the nslookup command:


C:\>nslookup -q=txt towerinsurance.com.fj
Server:  hfc-dc.hfcnet.local
Address:  192.168.1.8

abc.com.fj
        primary name server = ns1.secure.net
        responsible mail addr = hostmaster.secure.net
        serial  = 2010051651
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 2592000 (30 days)
        default TTL = 86400 (1 day)

C:\>
0
 
LVL 77

Expert Comment

by:arnold
ID: 40547958
Is this on your server from which the rejecting message came?
The error says an email sent to a recipient @towerinsurance.com.fj

This domain seems to be served by a third party, they may have filtering policies.  Was this notice sent to the recipient that an email addressed to them was rejected?
0
 
LVL 8

Expert Comment

by:Jessie Gill, CISSP
ID: 40547964
192.168.1.8 isn't the IP you are sending emails from.

Alan is right on this, that your SPF record does not have your sending gateway's IP or hostname.

1. Update your SPF record to include the information
0
 

Author Comment

by:fijiboy
ID: 40548002
Hi.

The ip address 192.168.1.8 is our internal DC/DNS server. Do I need to include this in our external SPF record?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40548003
No - you need your Public fixed IP address not your internal IP.
0
 

Author Comment

by:fijiboy
ID: 40548070
Hi....this would be the IP for our firewall? the outbound connector on our server also has an internal IP.
0
 
LVL 8

Assisted Solution

by:Jessie Gill, CISSP
Jessie Gill, CISSP earned 167 total points
ID: 40548077
It would be your fw if your send connector has that set
0
 

Author Comment

by:fijiboy
ID: 40548101
Hi. I already have this as an mx record.....mail.company.com.fj

My SPF is:

v=spf1 mx a ptr: xxx.xxx.xxx.xxx
0
 
LVL 77

Expert Comment

by:arnold
ID: 40548115
Do your MX, A and PTR resolve to the same name? You are leaving the level ~All -All to the recipient such that they might be enforcing a strict rule.

you have a public domain...
0
 

Author Comment

by:fijiboy
ID: 40548251
Hi.

Sorry I have a -all at the end of the SPF record. So it appears as this:

IN      TXT     "v=spf1 mx a:smtp2x.abc.com.fj -all"
0
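
Added example, not part of the original thread: a minimal Python evaluator for the mx, a, ip4 and all mechanisms, showing how a receiving server applies the record quoted above to the public IP that connects to it. The DNS table, the 203.0.113.x addresses and the host mail.abc.com.fj are constructed stand-ins for the poster's redacted values.

```python
import ipaddress

# Constructed DNS data (assumption): documentation-range IPs stand in for the
# poster's redacted public addresses; abc.com.fj is the thread's placeholder.
DNS = {
    ("abc.com.fj", "MX"): ["mail.abc.com.fj"],
    ("mail.abc.com.fj", "A"): ["203.0.113.10"],
    ("smtp2x.abc.com.fj", "A"): ["203.0.113.11"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD = "v=spf1 mx a:smtp2x.abc.com.fj -all"  # record quoted in the thread


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed table."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def check_spf(record, domain, client_ip):
    """Evaluate a, mx, ip4 and all left to right; first match decides."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, target = mech.lower(), arg or domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = str(ip) in lookup(target, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(h, "A") for h in lookup(target, "MX"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"mechanism outside this subset: {mech!r}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    # 203.0.113.50 models a firewall NAT address missing from the record.
    for addr in ("203.0.113.10", "203.0.113.11", "203.0.113.50", "192.168.1.8"):
        print(addr, check_spf(RECORD, "abc.com.fj", addr))
```

The receiving server only ever evaluates the public address the connection arrives from, so the internal 192.168.1.8 entry is included purely to show that it matches nothing in the record.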
 
LVL 77

Accepted Solution

by:
arnold earned 167 total points
ID: 40548278
In this case, does your MX A record match the IP returned when you visit http://whatismyip.com from the mail server?
If not, add a PTR record that includes all your public IPs ptr:x.x.x.y/29
0
 

Author Comment

by:fijiboy
ID: 40548281
Yes this does match.
0
 
LVL 77

Expert Comment

by:arnold
ID: 40548286
If you email from your system to your other email address on an external server.

Look at the received: header to see how your server identifies itself.  It might not match the conditions and your spf is set to strict.

The issue could have been with the remote being unable to resolve .........

Add the PTR to your spf and see if that makes a difference.  Is the issue with that domain intermittent?

Are you getting services web site from one provider, while email handling through a different one?  Reason for asking, make sure in this case that you have DNS records only on one or if you have on both, make sure they are configured identically.

I.e. The domain in question shares providers with you and the listing this provider has is not up to date.
0
 
LVL 3

Assisted Solution

by:Bahloul
Bahloul earned 166 total points
ID: 40548304
Hi,

This is done by adding a TXT record in DNS. Spam filters use this information to stop illegitimate emails pretending to originate from that domain.

Do an SPF check on the http://www.kitterman.com/spf/validate.html site and ensure it isn't giving any errors; if yes, go here to create your SPF :-

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ OR

http://spfwizard.com/

make sure that your PTR record is correct and SPF also

use the following link, it will provide you a solution if you are restricted domain :-

www.mxtoolbox.com

and check here for black list, may your Domain listed :-

http://mxtoolbox.com/blacklists.aspx

the website will help you to fix these issues.

check also here it may help you :-


Bahloul.
0
