Solved

Email rejected SPF

Posted on 2015-01-13
Last Modified: 2015-03-29
Hi.

I run a corporate network that runs Exchange 2013. We are having issues with sending emails to a certain domain. Below is the error message I receive:


The following message to <Rosemary.Joe@towerinsurance.com.fj> was undeliverable.
The reason for the problem:
5.3.0 - Other mail system problem 550-'5.7.1 Message rejected (SPF)


I would appreciate any assistance provided.

Thanks,
Question by:fijiboy

17 Comments

Expert Comment

by:arnold
Run the following command using the sender's email address:

nslookup -q=txt <domain of sender>

There should be a reference to the authorized source of the emails. The source of the mailing that is being rejected fell outside that rule, and the recipient's server is configured for strict enforcement.

Without the full info, this is as good as I can do.

Expert Comment

by:R--R
Do you have a PTR or SPF record created for your domain?

Expert Comment

by:Alan Hardisty
If your emails are being rejected because of SPF, it says that you have an SPF (Sender Policy Framework) record that doesn't include the IP Address that you are sending your emails from.

You can run an SPF report here http://mxtoolbox.com/NetworkTools.aspx

Then if you check using http://www.kitterman.com/spf/validate.html (bottom of the screen) you can enter your relevant details, SPF record, IP Address and mail server FQDN and see if the test passes or fails.

If the test fails, you need to amend your SPF record to make sure that you get a pass. Alternatively, remove the SPF record completely as it is better to not have an SPF record than it is to have an invalid one.

Alan

Author Comment

by:fijiboy
I have the following from the nslookup command:


C:\>nslookup -q=txt towerinsurance.com.fj
Server:  hfc-dc.hfcnet.local
Address:  192.168.1.8

abc.com.fj
        primary name server = ns1.secure.net
        responsible mail addr = hostmaster.secure.net
        serial  = 2010051651
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 2592000 (30 days)
        default TTL = 86400 (1 day)

C:\>

Expert Comment

by:arnold
Is this on your server from which the rejecting message came?
The error says an email sent to a recipient @towerinsurance.com.fj

This domain seems to be served by a third party; they may have filtering policies. Was this notice sent to the recipient that an email addressed to them was rejected?

Expert Comment

by:Jessie Gill, CISSP
192.168.1.8 isn't the IP you are sending emails from.

Alan is right on this, that your SPF record does not have your sending gateway's IP or hostname.

1. Update your SPF record to include the information

Author Comment

by:fijiboy
Hi.

The IP address 192.168.1.8 is our internal DC/DNS server. Do I need to include this in our external SPF record?

Expert Comment

by:Alan Hardisty
No - you need your Public fixed IP address not your internal IP.

Author Comment

by:fijiboy
Hi....this would be the IP for our firewall? The outbound connector on our server also has an internal IP.

Assisted Solution

by:Jessie Gill, CISSP
It would be your fw if your send connector has that set.

Author Comment

by:fijiboy
Hi. I already have this as an mx record.....mail.company.com.fj

My SPF is:

v=spf1 mx a ptr: xxx.xxx.xxx.xxx

Expert Comment

by:arnold
If your MX, A and PTR resolve to the same name, you are leaving the level ~All -All to the recipient such that they might be enforcing a strict rule.

You have a public domain...

Author Comment

by:fijiboy
Hi.

Sorry I have a -all at the end of the SPF record. So it appears as this:

IN      TXT     "v=spf1 mx a:smtp2x.abc.com.fj -all"

Accepted Solution

by:arnold
In this case, does your MX A record match the IP returned when you visit http://whatismyip.com from the mail server?
If not, add a PTR record that includes all your public IPs ptr:x.x.x.y/29
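
The check this thread keeps returning to, whether the public IP the receiving server sees is authorized by the sender's SPF record, as an added example that is not part of any post here. The example.com.fj names and the 203.0.113.x / 198.51.100.x addresses are constructed, DNS is a stub table so it runs offline, and only the ip4, a, mx and all mechanisms are evaluated.

```python
import ipaddress

# Constructed DNS data for illustration (documentation address ranges).
DNS = {
    ("example.com.fj", "TXT"): ["v=spf1 mx a:smtp2x.example.com.fj -all"],
    ("example.com.fj", "MX"): ["mail.example.com.fj"],
    ("mail.example.com.fj", "A"): ["203.0.113.10"],
    ("smtp2x.example.com.fj", "A"): ["203.0.113.11"],
    # Same policy with the NAT egress range added as an ip4 mechanism.
    ("fixed.example.com.fj", "TXT"):
        ["v=spf1 mx a:smtp2x.example.com.fj ip4:198.51.100.0/29 -all"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def hosts_match(ip, names):
    """True if any A record of the given host names equals the client IP."""
    return any(ip == ipaddress.ip_address(a)
               for n in names for a in lookup(n, "A"))

def check_spf(domain, client_ip):
    """Evaluate ip4, a, mx and all for the IP the receiving server sees."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT")
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"        # no SPF record published
    if len(records) > 1:
        return "permerror"   # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = hosts_match(ip, [arg or domain])
        elif name == "mx":
            matched = hosts_match(ip, lookup(arg or domain, "MX"))
        else:                # ptr, include, redirect= etc. not covered here
            raise NotImplementedError(term)
        if matched:
            return RESULTS[qualifier]   # first matching mechanism decides
    return "neutral"         # nothing matched and no "all" term
```

With a record ending in -all, mail leaving through an address that no mx, a or ip4 term resolves to (198.51.100.7 in the sample data) evaluates to fail, which is what a strictly enforcing receiver rejects.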

Author Comment

by:fijiboy
Yes this does match.

Expert Comment

by:arnold
If you email from your system to your other email address on an external server.

Look at the received: header to see how your server identifies itself.  It might not match the conditions and your spf is set to strict.

The issue could have been with the remote being unable to resolve .........

Add the PTR to your SPF and see if that makes a difference.  Is the issue with that domain intermittent?

Are you getting services web site from one provider, while email handling through a different one?  Reason for asking, make sure in this case that you have DNS records only on one or if you have on both, make sure they are configured identically.

I.e. The domain in question shares providers with you and the listing this provider has is not up to date.

Assisted Solution

by:Bahloul
Hi,

This is done by adding a TXT record in DNS. Spam filters use this information to stop illegitimate emails pretending to originate from that domain.

Do an SPF check on the http://www.kitterman.com/spf/validate.html site and ensure it isn't giving any errors. If yes, go here to create your SPF:

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ OR

http://spfwizard.com/

Make sure that your PTR record is correct, and SPF also.

Use the following link; it will provide you a solution if you are a restricted domain:

www.mxtoolbox.com

And check here for blacklists; your domain may be listed:

http://mxtoolbox.com/blacklists.aspx

The website will help you to fix these issues.

Check also here, it may help you:


Bahloul.