Solved

Email rejected SPF

Posted on 2015-01-13
Last Modified: 2015-03-29
Hi.

I run a corporate network that runs Exchange 2013. We are having issues with sending emails to a certain domain. Below is the error message I receive:


The following message to <Rosemary.Joe@towerinsurance.com.fj> was undeliverable.
The reason for the problem:
5.3.0 - Other mail system problem 550-'5.7.1 Message rejected (SPF)


I would appreciate any assistance provided.

Thanks,
0
Question by:fijiboy
17 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 40547902
Run the following command using the sender's email address:

nslookup -q=txt <domain of sender>

There should be a reference to the authorized source of the emails. The source of the mailing that is being rejected fell outside that rule and the recipient's server is configured for strict enforcement.

Without the full info, this is as good as I can do.
0
 
LVL 19

Expert Comment

by:R--R
ID: 40547909
Do you have a PTR or SPF record created for your domain?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40547913
If your emails are being rejected because of SPF, it says that you have an SPF (Sender Policy Framework) record that doesn't include the IP Address that you are sending your emails from.

You can run an SPF report here http://mxtoolbox.com/NetworkTools.aspx

Then if you check using http://www.kitterman.com/spf/validate.html (bottom of the screen) you can enter your relevant details, SPF record, IP Address and mail server FQDN and see if the test passes or fails.

If the test fails, you need to amend your SPF record to make sure that you get a pass. Alternatively, remove the SPF record completely as it is better to not have an SPF record than it is to have an invalid one.

Alan
0
 

Author Comment

by:fijiboy
ID: 40547946
I have the following from the nslookup command:


C:\>nslookup -q=txt towerinsurance.com.fj
Server:  hfc-dc.hfcnet.local
Address:  192.168.1.8

abc.com.fj
        primary name server = ns1.secure.net
        responsible mail addr = hostmaster.secure.net
        serial  = 2010051651
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 2592000 (30 days)
        default TTL = 86400 (1 day)

C:\>
0
 
LVL 79

Expert Comment

by:arnold
ID: 40547958
Is this on your server from which the rejecting message came?
The error says an email sent to a recipient @towerinsurance.com.fj

This domain seems to be served by a third party; they may have filtering policies. Was this notice sent to the recipient that an email addressed to them was rejected?
0
 
LVL 8

Expert Comment

by:Jessie Gill, CISSP
ID: 40547964
192.168.1.8 isn't the IP you are sending emails from.

Alan is right on this, that your SPF record does not have your sending gateway's IP or hostname.

1. Update your SPF record to include the information.
0
 

Author Comment

by:fijiboy
ID: 40548002
Hi.

The IP address 192.168.1.8 is our internal DC/DNS server. Do I need to include this in our external SPF record?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40548003
No - you need your Public fixed IP address not your internal IP.
0
 

Author Comment

by:fijiboy
ID: 40548070
Hi... this would be the IP for our firewall? The outbound connector on our server also has an internal IP.
0
 
LVL 8

Assisted Solution

by:Jessie Gill, CISSP
Jessie Gill, CISSP earned 501 total points
ID: 40548077
It would be your fw if your send connector has that set.
0
 

Author Comment

by:fijiboy
ID: 40548101
Hi. I already have this as an MX record: mail.company.com.fj

My SPF is:

v=spf1 mx a ptr: xxx.xxx.xxx.xxx
0
 
LVL 79

Expert Comment

by:arnold
ID: 40548115
Do your MX, A and PTR resolve to the same name? You are leaving the level ~All -All to the recipient such that they might be enforcing a strict rule.

You have a public domain...
0
 

Author Comment

by:fijiboy
ID: 40548251
Hi.

Sorry I have a -all at the end of the SPF record. So it appears as this:

IN      TXT     "v=spf1 mx a:smtp2x.abc.com.fj -all"
0
 
LVL 79

Accepted Solution

by:
arnold earned 501 total points
ID: 40548278
In this case, does your MX A record match the IP returned when you visit http://whatismyip.com from the mail server?
If not, add a PTR record that includes all your public IPs ptr:x.x.x.y/29
0
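Added example, not part of any post in this thread: how a receiving server evaluates the SPF record quoted above against the connecting IP address, which is the check behind the 550 5.7.1 rejection. The DNS tables, the host mail.abc.com.fj and every IP address are constructed for illustration, and only the a, mx, ip4 and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (documentation-range IPs), standing in for real lookups.
DNS_MX = {"abc.com.fj": ["mail.abc.com.fj"]}
DNS_A = {
    "mail.abc.com.fj": ["192.0.2.10"],
    "smtp2x.abc.com.fj": ["192.0.2.11"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _hosts_for(mechanism, domain):
    """Return the hostnames whose A records an a/mx mechanism authorises."""
    name, _, target = mechanism.partition(":")
    target = target or domain  # bare "mx" / "a" refer to the sender's domain
    if name == "a":
        return [target]
    if name == "mx":
        return DNS_MX.get(target, [])
    return []  # mechanisms outside this subset never match here


def check_spf(record, domain, sender_ip):
    """Evaluate the terms left to right; the first mechanism that matches wins."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        term = term.lower()
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            addrs = [a for h in _hosts_for(term, domain) for a in DNS_A.get(h, [])]
            matched = str(ip) in addrs
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


RECORD = "v=spf1 mx a:smtp2x.abc.com.fj -all"  # record quoted in the thread
```

With this constructed data, a message leaving through a firewall/NAT address that is neither the MX host nor smtp2x hits `-all` and fails; listing the public range with an `ip4:` term makes the same address pass.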
 

Author Comment

by:fijiboy
ID: 40548281
Yes this does match.
0
 
LVL 79

Expert Comment

by:arnold
ID: 40548286
If you email from your system to your other email address on an external server.

Look at the received: header to see how your server identifies itself.  It might not match the conditions and your spf is set to strict.

The issue could have been with the remote being unable to resolve .........

Add the PTR to your SPF and see if that makes a difference. Is the issue with that domain intermittent?

Are you getting services web site from one provider, while email handling through a different one? Reason for asking, make sure in this case that you have DNS records only on one or if you have on both, make sure they are configured identically.

I.e. The domain in question shares providers with you and the listing this provider has is not up to date.
0
 
LVL 3

Assisted Solution

by:Bahloul
Bahloul earned 498 total points
ID: 40548304
Hi,

This is done by adding a TXT record in DNS. Spam filters use this information to stop illegitimate emails pretending to originate from that domain.

Do an SPF check on the http://www.kitterman.com/spf/validate.html site and ensure it isn't giving any errors; if it is, go here to create your SPF :-

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ OR

http://spfwizard.com/

Make sure that your PTR record is correct, and SPF also.

Use the following link; it will provide you a solution if you are a restricted domain :-

www.mxtoolbox.com

And check here for blacklists; your domain may be listed :-

http://mxtoolbox.com/blacklists.aspx

The website will help you to fix these issues.

check also here it may help you :-


Bahloul.
0
