Email rejected SPF


I run a corporate network that runs Exchange 2013. We are having issues with sending emails to a certain domain. Below is the error message I receive:

The following message to <> was undeliverable.
The reason for the problem:
5.3.0 - Other mail system problem 550-'5.7.1 Message rejected (SPF)

I would appreciate any assistance provided.

arnold Commented:
In this case, does your MX A record match the IP returned when you visit from the mail server?
If not, add a PTR record that includes all your public IPs ptr:x.x.x.y/29
Run the following command using the sender's email address:

nslookup -q=txt <domain of sender>

There should be a reference to the authorized source of the emails. The source of the mailing that is being rejected fell outside that rule and the recipient's server is configured for strict enforcement.

Without the full info, this is as good as I can do.
Do you have a PTR or SPF record created for your domain?

Alan Hardisty (Co-Owner) Commented:
If your emails are being rejected because of SPF, it says that you have an SPF (Sender Policy Framework) record that doesn't include the IP Address that you are sending your emails from.

You can run an SPF report here

Then if you check using (bottom of the screen) you can enter your relevant details, SPF record, IP Address and mail server FQDN and see if the test passes or fails.

If the test fails, you need to amend your SPF record to make sure that you get a pass. Alternatively, remove the SPF record completely as it is better to not have an SPF record than it is to have an invalid one.
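The check described in the answer above (SPF record versus the IP address the mail is sent from), as an added example that is not part of the original thread: a small Python evaluator for the `ip4`, `a`, `mx` and `all` mechanisms of RFC 7208, run against a constructed DNS table. The domain `example.com`, the 203.0.113.x addresses and `OUTBOUND_NAT_IP` are assumptions made for illustration.

```python
import ipaddress

# Constructed DNS data using documentation addresses (RFC 5737); not from the thread.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.10"],  # inbound MX host
}
OUTBOUND_NAT_IP = "203.0.113.30"  # assumed firewall address the recipient sees
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone):
    return zone.get((name.lower().rstrip("."), rtype), [])


def check_spf(ip, domain, zone=ZONE):
    """Evaluate the ip4, a, mx and all mechanisms of RFC 7208 for a connecting IP."""
    client = ipaddress.ip_address(ip)
    records = [t for t in lookup(domain, "TXT", zone) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "permerror" if records else "none"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name == "ip4":
            nets = [arg]
        elif name == "a":
            nets = lookup(arg or domain, "A", zone)
        elif name == "mx":
            hosts = lookup(arg or domain, "MX", zone)
            nets = [addr for host in hosts for addr in lookup(host, "A", zone)]
        else:
            # include, ptr, exists, redirect and CIDR suffixes are outside this example.
            raise NotImplementedError(term)
        if any(client in ipaddress.ip_network(n, strict=False) for n in nets):
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    fixed = dict(ZONE)
    fixed[("example.com", "TXT")] = ["v=spf1 mx ip4:203.0.113.30 -all"]
    print("MX host:", check_spf("203.0.113.10", "example.com"))            # pass
    print("NAT IP, mx only:", check_spf(OUTBOUND_NAT_IP, "example.com"))  # fail
    print("NAT IP, ip4 added:", check_spf(OUTBOUND_NAT_IP, "example.com", fixed))  # pass
```

The address that matters is the one the recipient's server sees on the SMTP connection, so an outbound path that leaves through a different public IP than the MX host fails a record that lists only `mx` with `-all`.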

fijiboy (Author) Commented:
I have the following from the nslookup command:

C:\>nslookup -q=txt
Server:  hfc-dc.hfcnet.local
        primary name server =
        responsible mail addr =
        serial  = 2010051651
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 2592000 (30 days)
        default TTL = 86400 (1 day)

Is this on your server from which the rejecting message came?
The error says an email sent to a recipient

This domain seems to be served by a third party, they may have filtering policies. Was this notice sent to the recipient that an email addressed to them was rejected?
Jessie Gill, CISSP (Technical Architect) Commented:
Isn’t the IP you are sending emails from

Alan is right on this, that your SPF record does not have your sending gateway's IP or hostname.

1. Update your SPF record to include the information
fijiboy (Author) Commented:

The ip address is our internal DC/DNS server. Do I need to include this in our external SPF record?
Alan Hardisty (Co-Owner) Commented:
No - you need your Public fixed IP address not your internal IP.
fijiboy (Author) Commented:
Hi... this would be the IP for our firewall? The outbound connector on our server also has an internal IP.
Jessie Gill, CISSP (Technical Architect) Commented:
It would be your fw if your send connector has that set
fijiboy (Author) Commented:
Hi. I already have this as an mx

My SPF is:

v=spf1 mx a ptr:
Do your MX, A and PTR resolve to the same name? You are leaving the level ~All -All to the recipient such that they might be enforcing a strict rule.

you have a public domain...
fijiboy (Author) Commented:

Sorry I have a -all at the end of the SPF record. So it appears as this:

IN      TXT     "v=spf1 mx -all"
fijiboy (Author) Commented:
Yes this does match.
If you email from your system to your other email address on an external server.

Look at the Received: header to see how your server identifies itself. It might not match the conditions and your SPF is set to strict.

The issue could have been with the remote being unable to resolve .........

Add the PTR to your SPF and see if that makes a difference. Is the issue with that domain intermittent?

Are you getting services web site from one provider, while email handling through a different one? Reason for asking, make sure in this case that you have DNS records only on one or if you have on both, make sure they are configured identically.

I.e. The domain in question shares providers with you and the listing this provider has is not up to date.
Bahloul Commented:

This is done by adding a TXT record in DNS. Spam filters use this information to stop illegitimate emails pretending to originate from that domain.

Do an SPF check on site and ensure it isn't giving any errors; if yes, go here to create your SPF :- OR

make sure that your PTR record is correct and SPF also

use the following link, it will provide you a solution if you are a restricted domain :-

and check here for blacklists; your domain may be listed :-

the website will help you to fix these issues.

check also here it may help you :-

Question has a verified solution.
