Solved

Email rejected SPF

Posted on 2015-01-13
Last Modified: 2015-03-29
Hi.

I run a corporate network that runs Exchange 2013. We are having issues with sending emails to a certain domain. Below is the error message I receive:


The following message to <Rosemary.Joe@towerinsurance.com.fj> was undeliverable.
The reason for the problem:
5.3.0 - Other mail system problem 550-'5.7.1 Message rejected (SPF)


I would appreciate any assistance provided.

Thanks,
0
Question by:fijiboy
17 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 40547902
run the following command using the sender's email address

nslookup -q=txt <domain of sender>

There should be a reference to the authorized source of the emails. The source of the mailing that is being rejected fell outside that rule and the recipient's server is configured for strict enforcement.

Without the full info, this is as good as I can do.
0
 
LVL 19

Expert Comment

by:R--R
ID: 40547909
Do you have a PTR or SPF record created for your domain?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40547913
If your emails are being rejected because of SPF, it says that you have an SPF (Sender Policy Framework) record that doesn't include the IP Address that you are sending your emails from.

You can run an SPF report here http://mxtoolbox.com/NetworkTools.aspx

Then if you check using http://www.kitterman.com/spf/validate.html (bottom of the screen) you can enter your relevant details, SPF record, IP Address and mail server FQDN and see if the test passes or fails.

If the test fails, you need to amend your SPF record to make sure that you get a pass. Alternatively, remove the SPF record completely as it is better to not have an SPF record than it is to have an invalid one.

Alan
0
 

Author Comment

by:fijiboy
ID: 40547946
I have the following from the nslookup command:


C:\>nslookup -q=txt towerinsurance.com.fj
Server:  hfc-dc.hfcnet.local
Address:  192.168.1.8

abc.com.fj
        primary name server = ns1.secure.net
        responsible mail addr = hostmaster.secure.net
        serial  = 2010051651
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 2592000 (30 days)
        default TTL = 86400 (1 day)

C:\>
0
 
LVL 77

Expert Comment

by:arnold
ID: 40547958
Is this on your server from which the rejecting message came?
The error says an email sent to a recipient @towerinsurance.com.fj

This domain seems to be served by a third party; they may have filtering policies. Was this notice sent to the recipient that an email addressed to them was rejected?
0
 
LVL 8

Expert Comment

by:Jessie Gill, CISSP
ID: 40547964
192.168.1.8 isn't the IP you are sending emails from.

Alan is right on this, that your SPF record does not have your sending gateway's IP or hostname.

1. Update your SPF record to include the information
0
 

Author Comment

by:fijiboy
ID: 40548002
Hi.

The IP address 192.168.1.8 is our internal DC/DNS server. Do I need to include this in our external SPF record?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40548003
No - you need your Public fixed IP address not your internal IP.
0

 

Author Comment

by:fijiboy
ID: 40548070
Hi... this would be the IP for our firewall? The outbound connector on our server also has an internal IP.
0
 
LVL 8

Assisted Solution

by:Jessie Gill, CISSP
Jessie Gill, CISSP earned 167 total points
ID: 40548077
It would be your fw if your send connector has that set
0
 

Author Comment

by:fijiboy
ID: 40548101
Hi. I already have this as an mx record.....mail.company.com.fj

My SPF is:

v=spf1 mx a ptr: xxx.xxx.xxx.xxx
0
 
LVL 77

Expert Comment

by:arnold
ID: 40548115
Do your MX, A and PTR resolve to the same name? You are leaving the level ~All -All to the recipient such that they might be enforcing a strict rule.

You have a public domain...
0
 

Author Comment

by:fijiboy
ID: 40548251
Hi.

Sorry I have a -all at the end of the SPF record. So it appears as this:

IN      TXT     "v=spf1 mx a:smtp2x.abc.com.fj -all"
0
 
LVL 77

Accepted Solution

by:
arnold earned 167 total points
ID: 40548278
In this case, does your MX A record match the IP returned when you visit http://whatismyip.com from the mail server?
If not, add a PTR record that includes all your public IPs ptr:x.x.x.y/29
0
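An added example, not part of the original thread or any poster's code: a Python evaluation of the SPF record posted above against a connecting IP, which is the comparison the answers ask the poster to make. The DNS table and IP addresses are constructed (documentation ranges), the function names are hypothetical, and only the `all`, `ip4`, `a` and `mx` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (documentation address ranges); not the poster's real records.
DNS = {
    ("abc.com.fj", "MX"): ["mail.abc.com.fj"],
    ("mail.abc.com.fj", "A"): ["203.0.113.10"],
    ("smtp2x.abc.com.fj", "A"): ["203.0.113.11"],
    ("abc.com.fj", "A"): ["203.0.113.20"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, dns=DNS):
    return dns.get((name.lower().rstrip("."), rtype), [])

def mechanism_matches(mech, arg, domain, ip, dns):
    """True when the connecting IP satisfies one SPF mechanism."""
    target = arg or domain
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        hosts = [target]
    elif mech == "mx":
        hosts = lookup(target, "MX", dns)
    else:
        raise ValueError(f"mechanism not handled here: {mech}")
    return any(ip == ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A", dns))

def check_spf(record, domain, sender_ip, dns=DNS):
    """Evaluate mechanisms left to right; the first match decides the result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mechanism_matches(mech.lower(), arg, domain, ip, dns):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term

RECORD = "v=spf1 mx a:smtp2x.abc.com.fj -all"  # record posted in the thread
if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        print(ip, check_spf(RECORD, "abc.com.fj", ip))
```

A `fail` result is what a strictly enforcing receiver turns into the `550 5.7.1 Message rejected (SPF)` bounce; the same record ending in `~all` yields `softfail` instead.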
 

Author Comment

by:fijiboy
ID: 40548281
Yes this does match.
0
 
LVL 77

Expert Comment

by:arnold
ID: 40548286
If you email from your system to your other email address on an external server.

Look at the received: header to see how your server identifies itself.  It might not match the conditions and your spf is set to strict.

The issue could have been with the remote being unable to resolve .........

Add the PTR to your SPF and see if that makes a difference. Is the issue with that domain intermittent?

Are you getting services web site from one provider, while email handling through a different one? Reason for asking: make sure in this case that you have DNS records only on one, or if you have on both, make sure they are configured identically.

I.e. The domain in question shares providers with you and the listing this provider has is not up to date.
0
 
LVL 3

Assisted Solution

by:Bahloul
Bahloul earned 166 total points
ID: 40548304
Hi,

This is done by adding a TXT record in DNS. Spam filters use this information to stop illegitimate emails pretending to originate from that domain.

Do an SPF check on http://www.kitterman.com/spf/validate.html site and ensure it isn't giving any errors; if yes, go here to create your SPF :-

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ OR  

http://spfwizard.com/

Make sure that your PTR record is correct and SPF also.

Use the following link, it will provide you a solution if you are restricted domain :-

www.mxtoolbox.com

And check here for blacklists, your domain may be listed :-

http://mxtoolbox.com/blacklists.aspx

The website will help you to fix these issues.

check also here it may help you :-


Bahloul.
0


Question has a verified solution.
