spf=permerror

I sent an email from my domain to google and i found the error when i go to original message

spf=permerror (google.com: permanent error in processing during lookup of btv1==6117437fd2d==rsharma@iss.school.fj: mail.international.school.fj not found) smtp.mailfrom=btv1==6117437fd2d==rsharma@iss.school.fj

spf record = v=spf1 a mx include:_spf.google.com include:mail.international.school.fj include:mailrelay.unwired.com.fj ~all

spf=permerror (google.com: permanent error in processing during lookup of btv1==611a1cd8c90==rsharma@international.school.fj: mail.iss.school.fj not found) smtp.mailfrom=btv1==611a1cd8c90==rsharma@international.school.fj

spf record =v=spf1 a mx include:mail.iss.school.fj include:mailrelay.unwired.com.fj ~all



requesting assistance and how i can solve this
Member_2_6474242Senior Systems AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AlanConsultantCommented:
Hi,

It appears that you are trying to send from:

iss.school.fj

Open in new window


The SPF record for that domain is:

v=spf1 a mx include:_spf.google.com include:mail.international.school.fj include:mailrelay.unwired.com.fj ~all

Open in new window


I am guessing that the source IP of your email does not match the resolution of any of the items in your SPF record, and hence you are getting the error you pasted above.

You need to include the IP address (or hostname that resolves to that IP address) that your email is coming from in your SPF record.

Thanks,

Alan.
0
arnoldCommented:
you are including records in the SPF that do not exist
mail.international.school.fj not found) smtp.mailfrom=btv1==6117437fd2d==rsharma@iss.school.fj
mail.iss.school.fj not found) smtp.mailfrom=btv1==611a1cd8c90==rsharma@international.school.fj

please have a look at the openspf.org and the description on how to configure the SPF record.

www.mxtoolbox.com has under more a tool to validate the SPF record.
the open SPF has the test tool that you can put in your WAN IP from where you are sending the email, and it will tell you whether this IP passes the PFS test as an originator of a message on the domain of the sender.

include:mail.internation.school.fj does not exist:
nslookup -q=txt mail.international.school.fj

international.school.fj
        primary name server = ns1.unwired.com.fj
        responsible mail addr = dns.netops.unwired.com.fj
        serial  = 2013111212
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

nslookup -q=txt mailrelay.unwired.com.fj
unwired.com.fj
        primary name server = ns1.unwired.com.fj
        responsible mail addr = FijiHUB_IT_Infrastructure_Services.digicelgroup.com
        serial  = 2007041945
        refresh = 43200 (12 hours)
        retry   = 900 (15 mins)
        expire  = 1209600 (14 days)
        default TTL = 900 (15 mins)

what it needs to see is the record
nslookup -q=txt _spf.google.com

Non-authoritative answer:
_spf.google.com text =

        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
Hi

Please note i do have my mail server(mail.iss.local) but i understand that since that is local it doesn't matter. we are also using smart host(10.0.1.32) but that is internal as well. Do i need to include internal IP's? As far as i know all my external public domain are already defined. Do i need to include public IP's instead of domain names. Doesn't the A record get the current mail server?
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

AlanConsultantCommented:
Hi,

You don't need to include any internal IPs, especially any that are non-routable such as 10.X.X.X.

You do need to include whatever IP(s) your email exits onto the internet from - your public exit point.

That needs to be the actual IP and / or the hostname(s) that resolve to those IP(s).


Alan.
0
arnoldCommented:
Add ip:x.y.z.a/CIDR
To identify the range of your IPs provided by the ISp.
The info you provided does not include the header/received where it is possible to see the IP from which Google saw the connection....
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Member_2_6474242Senior Systems AdministratorAuthor Commented:
Thanks everyone

Now i am getting the following. If i test an email from my domain to gmail and yahoo i get the following in headers

Gmail test
spf=neutral (google.com: 202.151.16.19 is neither permitted nor denied by best guess record for domain of btv1==61619ee9795==rsharma@iss.school.fj) smtp.mailfrom=btv1==61619ee9795==rsharma@iss.school.fj
Return-Path: <btv1==61619ee9795==rsharma@iss.school.fj>
Received: from relay.unwired.com.fj (relay.unwired.com.fj. [202.151.16.19])
        by mx.google.com with ESMTP id v6si8715624pgc.526.2018.03.18.17.08.03
        for <vampirerps2007@gmail.com>;
        Sun, 18 Mar 2018 17:08:04 -0700 (PDT)
Received-SPF: neutral (google.com: 202.151.16.19 is neither permitted nor denied by best guess record for domain of btv1==61619ee9795==rsharma@iss.school.fj) client-ip=202.151.16.19;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@iss.school.fj header.s=s1024 header.b=2oPFVUuP;
       spf=neutral (google.com: 202.151.16.19 is neither permitted nor denied by best guess record for domain of btv1==61619ee9795==rsharma@iss.school.fj) smtp.mailfrom=btv1==61619ee9795==rsharma@iss.school.fj
Received: from - (relay [127.0.0.1]) by relay.unwired.com.fj (Postfix) with ESMTP id D24E712A970 for <vampirerps2007@gmail.com>; Mon, 19 Mar 2018 12:08:02 +1200 (FJT)

Yahoo test
Received-SPF: none (domain of iss.school.fj does not designate permitted sender hosts)

Requesting assistance
0
arnoldCommented:
Using mxtoolbox.com more tools, SPF lookup for iss.school.fj

Reports no record.

You may intermittent respinse if possible that your NS records reflect different information.

Google reports the source of message as having the IP 202.151.16.19
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
The current record at isp is

a mx include:_spf.google.com a:mail.international.school.fj a:mailrelay.unwired.com.fj include:spf.ess.barracudanetworks.com ~all
0
arnoldCommented:
Not sure where you are getting that info,
nslookup -q=txt iss.school.fj
Returns no records, SPF is based on the senders domain username@iss.school.fj.
0
AlanConsultantCommented:
Hi,

Not sure if there are some DNS providers out of date or misconfigured, but I am seeing this from Central Ops:

ss.school.fj	IN	TXT	a mx include:_spf.google.com a:mail.international.school.fj a:mailrelay.unwired.com.fj include:spf.ess.barracudanetworks.com ~all

Open in new window

Source (20180319 - 1749 NZT):
https://centralops.net/co/domaindossier.aspx?addr=iss.school.fj&dom_dns=true

If your emails are entering the internet from IP = 202.151.16.19 perhaps try adding that specific IP to your SPF record, and see if that fixes it at least initially.


Alan.
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
Hi All

Thanks for all your input

This was an issue with our ISP and they have solved it. They have changed the dns settings at their end

 I have also modified my spf record
0
Member_2_6474242Senior Systems AdministratorAuthor Commented:
thanks
0
AlanConsultantCommented:
Isn't that what I said in my first post:

You need to include the IP address (or hostname that resolves to that IP address) that your email is coming from in your SPF record.

https://www.experts-exchange.com/questions/29089154/spf-permerror.html#a42500007
0
arnoldCommented:
Agree, Alan did mention/suggest the change.

The SPF record was not optimally, correctly setup.
include should commonly use google.com even though it references _spf.google.com the difference, if they transition to something else, the _spf.google.com is discretionary on their part, they could have chosen another lable/record.
using google.com will follow whatever decisions/changes they may make in the future.
openspf.org has the writeup on the standard on when one would use
A
mx
include
PTR
IP
ipv6
etc.
You can request attention/report your question to have it reopened to award points recognizing other's comments/contributions.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.