I'm looking for a little guidance as to how to set up a server I am working on, so that emails get through to people without being sent back by an SPF filter.

I send out email and this is the response that I get from the filter (personal details redacted):

mxfilter1.tildaone.com.au rejected your message to the following email addresses:
reception@ausmartinternational.com (reception@ausmartinternational.com)
mxfilter1.tildaone.com.au gave this error: : Recipient address rejected: Please see http://www.openspf.org/Why?s=helo;id=Server.domain.com;ip=WAN-IP;r=mxfilter1
Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.

Diagnostic information for administrators:
Generating server: Server.domain.com
reception@ausmartinternational.com
mxfilter1.tildaone.com.au
Remote Server returned '550 5.7.1 : Recipient address rejected: Please see http://www.openspf.org/Why?s=helo;id=Server.domain.com;ip=WAN-Ip;r=mxfilter1'

Original message headers:
Received: from Server.domain.com (192.168.1.3) by Server.domain.com (192.168.1.3) with Microsoft SMTP Server (TLS) id 15.0.847.32; Tue, 23 Feb 2016 09:52:34 +1100
Received: from Server.domain.com ([fe80::ede4:e25c:b045:b2c6]) by Server.domain.com ([fe80::ede4:e25c:b045:b2c6%19]) with mapi id 15.00.0847.040; Tue, 23 Feb 2016 09:52:34 +1100
From: "Jesse R. Hayward"
To: "reception@ausmartinternational.com"
Subject: New Email Configuration
Thread-Topic: New Email Configuration
Thread-Index: AQHRbcO3uuavXk6Dh0SVir3+KXSDlw==
Date: Mon, 22 Feb 2016 22:52:34 +0000
Message-ID:
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.1.3]
Content-Type: multipart/alternative; boundary="_000_a3907e6d81bf409883aba04707b5b253ServerProGeneralcom_"
MIME-Version: 1.0

On the DNS Zone records I have an SPF record set up to tell the receiving computer that the IP address has the right to forward on email for the domain in question. However, from the error message, it appears that it's saying the internal computer hasn't authorized the outside domain to forward on its behalf.

This doesn't make much sense to me.

The SPF record that I have in place at the moment looks like:

"v=spf1 mx a:server.domain.com ip4:WAN-IP -all"

Any general pointers as to what to look into or specific advice will be greatly appreciated as I am just lost as to what's wrong.

Desperatuss0ccus
Jesse Hayward
  • Your question is confusing. Are you sending to or from the domain your SPF record is set up for? – TheCleaner Feb 23 '16 at 01:31
  • Sorry about the confusion. I'm sending from the domain the SPF record is set up for. But the setup must be wrong as it is being returned with an error from an external email – Jesse Hayward Feb 23 '16 at 02:04
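
The rejection link in the bounce above carries `s=helo`, so the filter evaluated SPF against the HELO name (`id=Server.domain.com`) rather than the envelope sender's domain. The following added example (not part of the original post) parses that link and shows which TXT record each scope consults; `203.0.113.10` and the zone contents are constructed stand-ins for the redacted values, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample data: hostnames mirror the redacted bounce; 203.0.113.10
# (documentation range) stands in for the redacted WAN-IP.
WHY_URL = ("http://www.openspf.org/Why?s=helo;id=Server.domain.com;"
           "ip=203.0.113.10;r=mxfilter1")
ZONE_TXT = {  # hypothetical TXT records, keyed by owner name
    "domain.com": "v=spf1 mx a:server.domain.com ip4:203.0.113.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_why_url(url):
    """Split the ';'-separated query of an openspf.org 'Why?' link."""
    query = urlparse(url).query
    return dict(p.split("=", 1) for p in query.split(";") if "=" in p)


def lookup_domain(scope, identity):
    """Name whose TXT record SPF consults for the given identity scope."""
    # helo: the HELO/EHLO hostname itself; mfrom: domain part of MAIL FROM.
    name = identity if scope == "helo" else identity.rpartition("@")[2]
    return name.lower()


def check_spf(domain, client_ip, zone=ZONE_TXT):
    """Simplified check: 'mx', 'a' and other DNS-backed terms are skipped."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published at this exact name
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qual]
        if mech == "all":
            return QUALIFIERS[qual]
    return "neutral"


def explain(url, zone=ZONE_TXT):
    """Return (scope, name looked up, SPF result) for a 'Why?' link."""
    f = parse_why_url(url)
    domain = lookup_domain(f["s"], f["id"])
    return f["s"], domain, check_spf(domain, f["ip"], zone)
```

With the constructed zone, the record at `domain.com` is never consulted for the HELO check, because the lookup happens at `server.domain.com`; passing a zone that also holds a record at that name changes the result. How a receiver treats a given result is its own local policy.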

3 Answers

It isn't clear how you are routing email out of your environment, as the headers appear to not show the message actually leaving Exchange. If you are using a smart host that is under your control then it should not be checking SPF records for email it is relaying for.

If it isn't under your control, then ask whoever does control it how you should be set up. It would be very unusual to have SPF records on outbound email.

Finally, I don't see anything in the headers to suggest email delivery is going by IPv6. The first transfer within Exchange is always over IPv6, but the rest of the headers are IPv4. Remember headers read up, so the last entry is at the top. Therefore I wouldn't bother with trying to resolve IPv6 issues at this time.

Sembee

It appears your mail is being delivered over IPv6 which you have not included in your SPF configuration. Some options are available:

  • Relay the mail via the domain's MX. This is the simplest solution.
  • Add your server's IPv6 address to the SPF configuration. You may also need to pin the IPv6 address your server is using and get rDNS working for that address.
  • Modify your mail server's configuration to only send over IPv4.
BillThor
  • Can you explain a brief process for the relay through the domain's MX? I'm on Exchange 2013. Very much appreciated -Jesse – Jesse Hayward Feb 23 '16 at 02:38
  • @jjhacker810 I don't work with Exchange, but you should search for 'Exchange smarthost'. It appears you need to modify the connector for the Internet. – BillThor Feb 23 '16 at 02:41
  • I couldn't get the first option working properly. Are you able to explain where and what I'm pinning the IPv6 address into and the rDNS? – Jesse Hayward Feb 23 '16 at 03:17

Until you get things figured out, you should change your record to use a SoftFail instead of a HardFail. Use "~all" instead of "-all". Once you know you have a good and correct SPF record in place, you can change it back to -all.

You need an SPF record which lists the address of all servers which may possibly submit email from your domain. Keep in mind this needs to be the internet address of the final MTA (message transfer agent), or sending server, before the message reaches the MX (mail exchanger), or destination server. This section of Wikipedia has a decent description of the process of how mail flows to its destination.

Your SPF record looks pretty good, but there must be something missing. Are you routing mail through a smart host?

This webpage is the canon about SPF record syntax. Keep in mind when they mention "client IP" on this page, this is a reference to the sending server.

pat o.