3

We're having issues with a customer's domain. They're wanting to do a mail-out with a service called Act-On, and so far all the tests seem to be getting flagged as spam.

The customer has tried sending to:

  • Themselves (Office 365): Goes to junk folder.
  • Gmail: Goes to junk folder.
  • Our Exchange: Gets quarantined.

So it seems clear there's an issue, and I believe it is SenderID, as in our Quarantine mailbox, the NDR showed:

Received-SPF: PermError (exchange.ourdomain.com: domain of
 person@customerdomain.com used an invalid SPF mechanism)

My issue is that I need assistance trying to figure out why it's giving this error. The only tool that seems to be confirming the issue is Exchange's own Test-SenderID cmdlet. Every other tool shows no issue.

According to Microsoft, and the OpenSPF docs, PermError should be some kind of syntax or formatting issue. But I can't spot one, and none of the tools I've used have hinted at one.

I've used the following SPF record, and also explicitly specified a SenderID record in case this issue is at play.

;; QUESTION SECTION:
;customerdomain.com.   IN      TXT

;; ANSWER SECTION:
customerdomain.com. 2335 IN    TXT     "spf2.0/pra include:spf.protection.outlook.com include:_spf.act-on.net -all"
customerdomain.com. 2335 IN    TXT     "MS=msxxxxxxxx"
customerdomain.com. 2335 IN    TXT     "v=spf1 include:spf.protection.outlook.com include:_spf.act-on.net -all"

What I've Tried

Below are details from the Port25 report - I asked for a copy of the mail-out to be sent via Act-On as it would normally, so the email is actually coming from Act-On (@b2b-mail.net):

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mx139.b2b-mail.net
Source IP:      209.162.194.139
mail-from:      delivery@b2b-mail.net

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass 
ID(s) verified: smtp.mailfrom=delivery@b2b-mail.net
DNS record(s):
    b2b-mail.net. SPF (no records)
    b2b-mail.net. 3600 IN TXT "v=spf1 ip4:69.30.4.0/27 ip4:69.30.45.96/27 ip4:207.189.98.224/27 ip4:207.189.124.224/27 ip4:207.189.125.224/27 ip4:209.162.194.0/24 ~all"

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=person@customerdomain.com
DNS record(s):
Geekman

2 Answers

4

I realise this is an old post and I'm wondering if you ever solved your issue. I've discovered this post when I encountered the exact same issue myself (PermError from Exchange but every other tool passed ok).

As it turns out, there was a subtle syntax error in my SPF record. We were using -all but the wrong kind of hyphen had been used. It looked identical in text fields, but it was non-ASCII.

Try stripping your SPF record of anything remotely Unicode. It might be worth just manually typing it out to be certain.

Kushan
  • Thanks for this! Unfortunately it's not an issue I can test out anymore, but that's definitely a possibility. I think I ended up temporarily disabling SPF to avoid issues (deadlines). – Geekman May 09 '14 at 08:24
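One way to run the check suggested in the answer above, as an added example that is not part of the original posts: it reports every non-ASCII character in a TXT string by position and Unicode name, then checks each term against the RFC 7208 mechanism names. The function name `audit_record` and the en-dash sample are constructed for illustration; this is a simplified syntax check that does not follow `include:` targets.

```python
import re
import unicodedata

# Mechanism names defined by RFC 7208; anything else in mechanism position is a PermError.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = "+-~?"  # ASCII only: a typographic dash is not a qualifier
MODIFIER = re.compile(r"[A-Za-z][A-Za-z0-9._-]*=")  # name=value (redirect=, exp=, ...)


def audit_record(txt):
    """Return a list of findings for one SPF or Sender ID TXT string."""
    terms = txt.split()
    if not terms:
        return ["empty record"]
    findings = []
    # 1. SPF records are ASCII; name every character that is not.
    for pos, ch in enumerate(txt):
        if ord(ch) > 0x7F:
            findings.append(
                f"col {pos}: U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
            )
    # 2. The first term must be the version tag.
    version = terms[0].lower()
    if version != "v=spf1" and not version.startswith("spf2.0/"):
        findings.append(f"unrecognised version tag {terms[0]!r}")
    # 3. Every other term must be a modifier or a known mechanism.
    for term in terms[1:]:
        if MODIFIER.match(term):
            continue
        body = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            findings.append(f"invalid mechanism {term!r}")
    return findings


if __name__ == "__main__":
    # Record as published in the question.
    good = "v=spf1 include:spf.protection.outlook.com include:_spf.act-on.net -all"
    # Constructed sample: the final hyphen replaced by U+2013 EN DASH.
    bad = good.replace("-all", "\u2013all")
    for record in (good, bad):
        print(record)
        for finding in audit_record(record) or ["no findings"]:
            print("   ", finding)
```

Feed it the TXT strings exactly as returned by the DNS query, not a copy retyped by hand, so that any lookalike character survives into the check.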
1

Microsoft/Office365 is validating the included SPF as well, while most tools won't. So please check the included SPF too with a validator tool (like mxtoolbox).

And yes, a wrong "-" is a common issue; however, mxtoolbox is able to detect it.

Sebastian