cdavis82
asked on
Office 365 SPF Record Problem
Using Office 365 to send to recipients from our domain. It appears one recipient has changed their domain to reject non matching SPF records. Received this NDR:
recipientmailserver.com rejected your message to the following email addresses:
Recipient (recipient@recipientdomain 2.com)
Your message wasn't delivered because the recipient's email provider rejected it.
recipientmailserver.com gave this error:
Invalid SPF Record; Contact your local email administrator to resolve the issue.
Diagnostic information for administrators:
Generating server: DM5PR1201MB0090.namprd12.p rod.outloo k.com
recipient@recipientdomain2 .com
recipientmailserver.com
Remote Server returned '550 5.7.0 Invalid SPF Record; Contact your local email administrator to resolve the issue.'
Original message headers:
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=LE2wpgPFaGJtKHo+NlrfwuJM VkrHFOuOHS E657xyDbKt LEjjSsBxXU 8ASmH4+lvX Z6NziGOebh yzc01S5+2h 8qc2pJSddA xDoRBpDjLb p1lJdGyhVH jxasqcZJsl VBSRG12brk ZwbCXcAybY 77PBJT7GyG 5nYsLoOGYN uSD0SGB7T5 OUUfm7yBvK qiGYSHHxzM eFo1zcaVnw n960URbFrC lpGcz1nwmh tjAFXwZsA5 LSO+w1Pij8 zIXEaDFIQM eE8lELZ62L +KPnU3Hbk3 JT83B+uFTH ijTwKY5T87 3DiIkgOYOE /F0lGma9MT DQV30xXp/M L6qGwLpn/h NUPf3VeA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Messag e-ID:Conte nt-Type:MI ME-Version :X-MS-Exch ange-Sende rADCheck;
bh=snYS1hA+T5IMnXx86tPEkzJ IEJUcNCynI O9yzOQNc0M =;
b=WQgVwBLmy/LqmxwLBR2J4sJu 4pc0xocQxC +mnK/7JUAC /wsA9OMtB8 TxjwklzsM1 28rfzmQPvS Vh3IIlqMHY M6UYdV+Ugj 2AybVsAzVa mYmWR0gUf6 QGUeRoQvEl eni4kOvzyp rV6fzBpQaW Yv8m0rJ+d7 ou75eSJ5fO q5sbOvWiTT vPCTox9MPk hqP0/UMGIt 3kFSWefhPl uh7X0xRg76 5UwH4bt4o2 3GXAPnO+sd sqq3VEvaIa EzqHUrTE5V hqtFdJJ838 0mR5uF8XVR tHpzrFXLx2 0VRsrTigyT q34bVEVMqc OTSzj31Tuv SQFrNmha25 myJiBKwSs7 fQE7v3DQ==
ARC-Authentication-Results : i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=medteleco.co m; dmarc=pass action=none
header.from=medteleco.com; dkim=pass header.d=medteleco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=medtele.onmicrosoft.com; s=selector2-medtele-onmicr osoft-com;
h=From:Date:Subject:Messag e-ID:Conte nt-Type:MI ME-Version :X-MS-Exch ange-Sende rADCheck;
bh=snYS1hA+T5IMnXx86tPEkzJ IEJUcNCynI O9yzOQNc0M =;
b=oCU+diINIoSwYcDX0ebJC1JM u2DyKziStm r3KmMOQKPO QKb3KsnnKa nGoRb3WTrB aqSCuvn8kq b8VBuVSBjx XFcBtAsWJv OiIfYlgYK7 bZLpjpPQfb nRolkQJOBI VnGHyiCzgx zwa2l42Qi0 NZa+QkONLf 06SIBS78xf Ci6u69U=
Received: from DM5PR1201MB0091.namprd12.p rod.outloo k.com (10.174.107.151) by
DM5PR1201MB0090.namprd12.p rod.outloo k.com (10.174.105.140) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_ AES_256_GC M_SHA384) id
15.20.2347.16; Wed, 16 Oct 2019 17:46:46 +0000
Received: from DM5PR1201MB0091.namprd12.p rod.outloo k.com
([fe80::d868:482d:da9e:122 b]) by DM5PR1201MB0091.namprd12.p rod.outloo k.com
([fe80::d868:482d:da9e:122 b%10]) with mapi id 15.20.2347.023; Wed, 16 Oct
2019 17:46:46 +0000
From: Sender <sender@medteleco.com>
To: Recipient <recipient@recipientdomain 2.com>
Subject: RE: Call Logs
Thread-Topic: Call Logs
Thread-Index: AdWDqTN+xFr9Or2LQ9u9XSK/oT hwdQAl0DQw AABxRWAAAd tcIA==
Date: Wed, 16 Oct 2019 17:46:45 +0000
Message-ID: <DM5PR1201MB009108E8A3D38A 31D7510D63 B8920@DM5P R1201MB009 1.namprd12 .prod.outl ook.com>
References: <MN2PR02MB6800053D80E98F2C F00C2C0184 930@MN2PR0 2MB6800.na mprd02.pro d.outlook. com>
<DM5PR1201MB0091174C01079D 035F517EB6 B8920@DM5P R1201MB009 1.namprd12 .prod.outl ook.com>
<CH2PR02MB67894FC54C6D2B8F A90F2C1384 920@CH2PR0 2MB6789.na mprd02.pro d.outlook. com>
In-Reply-To: <CH2PR02MB67894FC54C6D2B8F A90F2C1384 920@CH2PR0 2MB6789.na mprd02.pro d.outlook. com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
smtp.mailfrom=sender@medte leco.com;
x-originating-ip: [75.145.112.133]
x-ms-publictraffictype: Email
x-ms-office365-filtering-c orrelation -id: 39256351-ac5e-487e-1d76-08 d75260d03d
x-ms-traffictypediagnostic : DM5PR1201MB0090:
x-microsoft-antispam-prvs: <DM5PR1201MB00909EFB1194F4 519172C705 B8920@DM5P R1201MB009 0.namprd12 .prod.outl ook.com>
x-ms-oob-tlc-oobclassifier s: OLM:8273;
x-forefront-prvs: 0192E812EC
x-forefront-antispam-repor t: SFV:NSPM;SFS:(10009020)(36 6004)(1360 03)(346002 )(376002)( 3984040000 4)(396003) (43234003) (189003)(1 99004)(508 600001)(63 06002)(486 006)(56603 00002)(102 836004)(29 06002)(790 700001)(38 46002)(643 6002)(6606 6001)(5253 6014)(4460 03)(336560 02)(550160 02)(548960 02)(476003 )(25786009 )(11346002 )(9686003) (236005)(6 116002)(26 005)(22985 3002)(6246 003)(71190 400001)(69 16009)(256 004)(31600 2)(7617601 1)(7431600 2)(5024004 )(186003)( 14444005)( 7120040000 1)(6475600 8)(1445400 4)(6644600 8)(6694600 7)(6655600 8)(6647600 7)(5354601 1)(7736002 )(6506007) (81156014) (86362001) (8676002)( 76116006)( 81166006)( 7696005)(8 936002)(99 286004);DI R:OUT;SFP: 1101;SCL:1 ;SRVR:DM5P R1201MB009 0;H:DM5PR1 201MB0091. namprd12.p rod.outloo k.com;FPR: ;SPF:None; LANG:en;PT R:InfoNoRe cords;MX:1 ;A:1;
received-spf: None (protection.outlook.com: medteleco.com does not designate
permitted sender hosts)
x-ms-exchange-senderadchec k: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-messa ge-info: 2aIpjsmGp3ZZgXkf3B4PeoWC1L ECunGIvm8o LBdD3xCTj6 9FHFTcZPxg jrrxrBgXEU 2jKFJUiMCa 44jSdjE9Jo VbG/R0mawI lSY9MmHI4u zZ0Dd0jYyM ihGCp969QL s0fw2xE5ds cbrIB17TIY GpP/i6CNhZ mio1yVoE1l pkFTkiAkE9 zNxMrYFUof jNmpRJeT3m 728vH4Ou7K r0pRk5ND+T 7oley6Ff6Z f8j5PFTsAQ 3QCUn0t/Ff vEf/+JACt/ MXN3lDvYYp 3gsEz1WPws swpR33raph USXyrFMcsV rp2SOR2uXk VuRPJ8S60a U3UUNEQQUn YjOCaR8fdH xuUUMy4650 On1XRMWwJm q1zwGoj0fs TuPpIoG3GA 6tVTC1Saqs u8Ldp0wpSU ALqTD3mrG1 TwF2M0WcBu gDQCp7YTBO zfVz/WsHU9 kPbcquqU3O qBdMmY8pFT 588gud4DQS MsRQ==
x-ms-exchange-transport-fo rked: True
Content-Type: multipart/alternative;
boundary="_000_DM5PR1201MB 009108E8A3 D38A31D751 0D63B8920D M5PR1201MB 0091_"
MIME-Version: 1.0
X-OriginatorOrg: medteleco.com
X-MS-Exchange-CrossTenant- Network-Me ssage-Id: 39256351-ac5e-487e-1d76-08 d75260d03d
X-MS-Exchange-CrossTenant- originalar rivaltime: 16 Oct 2019 17:46:45.8849
(UTC)
X-MS-Exchange-CrossTenant- fromentity header: Hosted
X-MS-Exchange-CrossTenant- id: 515ade54-b1b0-422d-a2bd-c1 9ba43aeb4d
X-MS-Exchange-CrossTenant- mailboxtyp e: HOSTED
X-MS-Exchange-CrossTenant- userprinci palname: ykNQ7MmGEQaDjXuwdWJaBboL// WzdATxumAV c8r9x6Jx01 REa7/rVbzu DFntBkVT5C C8ja40BSyi eixRpfzcuQ ==
X-MS-Exchange-Transport-Cr ossTenantH eadersStam ped: DM5PR1201MB0090
Our SPF records are this:
The TXT records found for your domain are:
ca3-fb4e0338df1341bda9d096 ba47a0b0c9
google-site-verification=3 FBtxoKaK8u EmXHUm4uT9 oql31M9PsS ExZfe7X9h6 fc
v=spf1 include:spf.protection.out look.com -all
MS=ms63752656
v=spf1 ip4:67.41.129.214 include:spf.protection.out look.com
v=spf1 ip4:75.145.112.133 include:spf.protection.out look.com
I'm not sure if we need to add our sending domain to the SPF records or if the recipient has something misconfigured on their end. We have been sending to them this way for well over a year with no problems.
Any advice would be appreciated.
Thanks,
cdavis82
recipientmailserver.com rejected your message to the following email addresses:
Recipient (recipient@recipientdomain
Your message wasn't delivered because the recipient's email provider rejected it.
recipientmailserver.com gave this error:
Invalid SPF Record; Contact your local email administrator to resolve the issue.
Diagnostic information for administrators:
Generating server: DM5PR1201MB0090.namprd12.p
recipient@recipientdomain2
recipientmailserver.com
Remote Server returned '550 5.7.0 Invalid SPF Record; Contact your local email administrator to resolve the issue.'
Original message headers:
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=LE2wpgPFaGJtKHo+NlrfwuJM
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Messag
bh=snYS1hA+T5IMnXx86tPEkzJ
b=WQgVwBLmy/LqmxwLBR2J4sJu
ARC-Authentication-Results
smtp.mailfrom=medteleco.co
header.from=medteleco.com;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=medtele.onmicrosoft.com;
h=From:Date:Subject:Messag
bh=snYS1hA+T5IMnXx86tPEkzJ
b=oCU+diINIoSwYcDX0ebJC1JM
Received: from DM5PR1201MB0091.namprd12.p
DM5PR1201MB0090.namprd12.p
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_
15.20.2347.16; Wed, 16 Oct 2019 17:46:46 +0000
Received: from DM5PR1201MB0091.namprd12.p
([fe80::d868:482d:da9e:122
([fe80::d868:482d:da9e:122
2019 17:46:46 +0000
From: Sender <sender@medteleco.com>
To: Recipient <recipient@recipientdomain
Subject: RE: Call Logs
Thread-Topic: Call Logs
Thread-Index: AdWDqTN+xFr9Or2LQ9u9XSK/oT
Date: Wed, 16 Oct 2019 17:46:45 +0000
Message-ID: <DM5PR1201MB009108E8A3D38A
References: <MN2PR02MB6800053D80E98F2C
<DM5PR1201MB0091174C01079D
<CH2PR02MB67894FC54C6D2B8F
In-Reply-To: <CH2PR02MB67894FC54C6D2B8F
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
smtp.mailfrom=sender@medte
x-originating-ip: [75.145.112.133]
x-ms-publictraffictype: Email
x-ms-office365-filtering-c
x-ms-traffictypediagnostic
x-microsoft-antispam-prvs:
x-ms-oob-tlc-oobclassifier
x-forefront-prvs: 0192E812EC
x-forefront-antispam-repor
received-spf: None (protection.outlook.com: medteleco.com does not designate
permitted sender hosts)
x-ms-exchange-senderadchec
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-messa
x-ms-exchange-transport-fo
Content-Type: multipart/alternative;
boundary="_000_DM5PR1201MB
MIME-Version: 1.0
X-OriginatorOrg: medteleco.com
X-MS-Exchange-CrossTenant-
X-MS-Exchange-CrossTenant-
(UTC)
X-MS-Exchange-CrossTenant-
X-MS-Exchange-CrossTenant-
X-MS-Exchange-CrossTenant-
X-MS-Exchange-CrossTenant-
X-MS-Exchange-Transport-Cr
Our SPF records are this:
The TXT records found for your domain are:
ca3-fb4e0338df1341bda9d096
google-site-verification=3
v=spf1 include:spf.protection.out
MS=ms63752656
v=spf1 ip4:67.41.129.214 include:spf.protection.out
v=spf1 ip4:75.145.112.133 include:spf.protection.out
I'm not sure if we need to add our sending domain to the SPF records or if the recipient has something misconfigured on their end. We have been sending to them this way for well over a year with no problems.
Any advice would be appreciated.
Thanks,
cdavis82
Look at your server IP and the spf record include your sending server ip...
ASKER
Not sure I understand. We're using Office 365. I don't know the IP. We setup the SPF records per their requirements. The IP's in the SPF record are our IP's that resolve to our domain.
You have multiple SPF records, that's NOT supported and results in invalidating the whole record. If you need to add multiple IPs/FQDNs, combine them in a single record.
ASKER
Would this be a better format?
v=spf1 ip4:67.41.129.214 ip4:75.145.112.133 include:spf.protection.out look.com -all
v=spf1 ip4:67.41.129.214 ip4:75.145.112.133 include:spf.protection.out
"The IP's in the SPF record are our IP's that resolve to our domain."
In addition to the multiple SPF records mentioned above, the IP addresses you've used may be incorrect. They should point to the sending mail server (at outlook.com) not your domain.
I have a client in a similar situation. The SPF record we use (that hasn't given us any trouble) is:
v=spf1 include:spf.protection.out look.com -all
In addition to the multiple SPF records mentioned above, the IP addresses you've used may be incorrect. They should point to the sending mail server (at outlook.com) not your domain.
I have a client in a similar situation. The SPF record we use (that hasn't given us any trouble) is:
v=spf1 include:spf.protection.out
You may want to make the record less restrictive, in case you send email from other IP addresses (perhaps transactional email for instance). To do that you change the "-" to a "~".
So your single SPF record would be:
v=spf1 ip4:67.41.129.214 ip4:75.145.112.133 include:spf.protection.out look.com ~all
So your single SPF record would be:
v=spf1 ip4:67.41.129.214 ip4:75.145.112.133 include:spf.protection.out
Yes.. that is right.. Only Exchange Online Protection and those 2 IP addresses can send emails to internet as your domain..
Yes, that format should work. Dont forget to remove all other SPF records.
@Graham:
I recently changed a different client's SPF record from "~all" to "-all" because of a significant issue. Someone was spoofing email from one of the valid accounts. Because it appeared to be coming from the correct domain (though a different IP address than I had specified), the "~" allowed it through. Changing it to "-" resolved that.
I recently changed a different client's SPF record from "~all" to "-all" because of a significant issue. Someone was spoofing email from one of the valid accounts. Because it appeared to be coming from the correct domain (though a different IP address than I had specified), the "~" allowed it through. Changing it to "-" resolved that.
@CompProbSolv
While "spoofing" can become an issue, as the opener of this question indicated that they were using other servers to send email (even although they have delegated their domain email to MS O365) there is a strong possibility that other servers/IPs are also sending email on their domain. Thus, to negate the problem, relaxing the SPF record seemed appropriate.
Having said that, most main stream MTAs will flag a message/connection from an unidentified sending IP as it is considered a "soft fail" on SPF - which is the purpose of the "~". Meaning it tells the receiving server to treat the message as suspect - a "relaxed" soft fail.
In the overall arsenal of Anti Spam measures, SPF plays a very small role, and is for the most part ignored. DKIM coupled with DMARC is a far more effective route.
While "spoofing" can become an issue, as the opener of this question indicated that they were using other servers to send email (even although they have delegated their domain email to MS O365) there is a strong possibility that other servers/IPs are also sending email on their domain. Thus, to negate the problem, relaxing the SPF record seemed appropriate.
Having said that, most main stream MTAs will flag a message/connection from an unidentified sending IP as it is considered a "soft fail" on SPF - which is the purpose of the "~". Meaning it tells the receiving server to treat the message as suspect - a "relaxed" soft fail.
In the overall arsenal of Anti Spam measures, SPF plays a very small role, and is for the most part ignored. DKIM coupled with DMARC is a far more effective route.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.