Delivery Status Notification even though I have a valid SPF

I was receiving Delivery Status Notifications so added a SPF to the zone file. Even though the new DSNs see the SPF, I'm still receiving them from Google. Any ideas why?

Return-Path: <pjmifrzmbrufr@[my-domain].com>
Received: from psmtp.com (exprod8mx246.postini.com. [64.18.3.146])
        by mx.google.com with SMTPS id tt6si24317106pac.36.2015.05.05.06.06.08
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Tue, 05 May 2015 06:06:12 -0700 (PDT)
Received-SPF: fail (google.com: domain of pjmifrzmbrufr@[my-domain].com does not designate 80.92.253.6 as permitted sender) client-ip=80.92.253.6;
Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of pjmifrzmbrufr@[my-domain] does not designate 80.92.253.6 as permitted sender) smtp.mail=pjmifrzmbrufr@[my-domain]
meduziAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mikebernhardtCommented:
This is a case where posting actual information would be helpful. there's no security risk to you as it's all public anyway, and has to be if you want mail to work:
I see 80.92.253.6 resolving as 6.chabry.cz
Your MX records:
Non-authoritative answer:
chabry.cz       MX preference = 100, mail exchanger = ns.megaprint.cz
chabry.cz       MX preference = 10, mail exchanger = host1.chabry.cz

What does the SPF record look like?
0
Hypercat (Deb)Commented:
Apparently your SPF file doesn't have a statement for the IP address that you're sending from: 80.92.253.6. A standard text SPF record would need the following in the statement:  ip4:80.92.253.6.  So, for example, your SPF might read:

v=spf1 mx:my-domain.com ip4:80.92.253.6 -all

This should only be necessary if the sending host that uses that IP address isn't listed in your public DNS zone with an MX record.

Please show the contents of your SPF file if you're not sure about how to add this.
0
meduziAuthor Commented:
Hi. There's confusion. I'll clarify.

I'm hiding my domain and IP, but everything else is here.

This is my SPF:   v=spf1 a ip4:[my Exchange server IP] -all

As you can see, Google sees my SPF and knows that an unauthorised IP is faking my domain. What I do not understand is why Google has sent the DSN to my server at all, when it already knows that the email address is spoofed.  

And below is the DSN

----- Original message -----

X-Received: by 10.70.61.68 with SMTP id n4mr21338129pdr.78.1430831172553;
        Tue, 05 May 2015 06:06:12 -0700 (PDT)
X-Gm-Message-State: ALoCoQl9UAJN3uQj7R4gphRovyTeVe6KjrqYWneCDJkWkFr7GH09zkf9ZGEBthe3XkoO4yy2hU7Ieu0EE27TWxYSfkFsiiLAMmj6looIKFRsO55/aX0ON9ljcnf1kK0UhvJkiCKqVMtU
X-Received: by 10.70.61.68 with SMTP id n4mr21338104pdr.78.1430831172428;
        Tue, 05 May 2015 06:06:12 -0700 (PDT)
Return-Path: <pjmifrzmbrufr@[my domain].com>
Received: from psmtp.com (exprod8mx246.postini.com. [64.18.3.146])
        by mx.google.com with SMTPS id tt6si24317106pac.36.2015.05.05.06.06.08
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Tue, 05 May 2015 06:06:12 -0700 (PDT)
Received-SPF: fail (google.com: domain of pjmifrzmbrufr@[my domain].com does not designate 80.92.253.6 as permitted sender) client-ip=80.92.253.6;
Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of pjmifrzmbrufr@[my domain].com does not designate 80.92.253.6 as permitted sender) smtp.mail=pjmifrzmbrufr@[my domain].com
Received: from 6.chabry.cz ([80.92.253.6]) by exprod8mx246.postini.com ([64.18.7.13]) with SMTP;
      Tue, 05 May 2015 13:06:11 GMT
Message-ID: <393355195162-OWLJJESRVFLYSQIKGRWJFS@mjonhzg0.blueprint-technologies.com>
From: "Kim Winter" <Winter_Kim@blueprint-technologies.com>
Subject: Re: hungry for a f&ck friend
To: rowhiten@hrbmc.com
Date: Tue, 05 May 2015 15:06:08 +0100
Mime-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7Bit
X-pstn-mail-from: <pjmifrzmbrufr@[my domain].com>
X-pstn-dkim: 0 skipped:not-enabled
X-pstn-nxpr: disp=neutral, envrcpt=rozme@hrbmc.com
X-pstn-nxp: bodyHash=02d2e9920ee4d9f8d8bbc0710a6cc99261799865, headerHash=9597c4dbfa151db21bffc7823904434a24c28305, keyName=4, rcptHash=b4e5ebb6965e09c62fb30b8b76170bccb33b758e, sourceip=80.92.253.6, version=1
X-Gm-Spam: 1
X-Gm-Phishy: 0

----- End of message -----
0
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

mikebernhardtCommented:
Because it's your domain. Just because you know it's spoofed doesn't mean they do. It's common when people create SPF records to forget a legitimate server which may be sending email for their domain but is not in their MX for receiving mail. And, it's good information for you to know what's happening out there.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
meduziAuthor Commented:
That seems fair enough, I guess. The SPF seems to protect the recipient, but not whoever has had their domain spoofed. SPF could do with refining. It just seems to redirect the problem.

Thanks Mike.
0
mikebernhardtCommented:
It protects your reputation because others have an opportunity to see that you are trying to be a responsible "netizen" by at least making it possible to identify whether it's spam or not. That might help prevent putting your domain on a blacklist.
0
meduziAuthor Commented:
Thanks Mike
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.