Sending mails from Outlook: SPF fails

In our Server we've implemented SPF and opendkim. The IP of our server is 85.214.95.200. SPF and opendkim verification works as expected.

The problem is with one of our users. I don't know the reason, but when receiving emails from them to my personal gmail account (for testing purposes), gmail throws me the following error if I check the mail headers:

Received-SPF: fail (google.com: domain of xxxx@domain.com does not designate 80.33.96.128 as permitted sender) client-ip=80.33.96.128;

You can see the message wasn't sent using our server. That IP is just the public IP of my client. His email client is Outlook 2003 (Windows 7). His configuration is fairly simple: there are two computers: one of them is a normal computer; the other one is Windows 7 whose hostname is SERVER (SERVIDOR in Spanish). However, his installed OS is not a server version of windows, but a common one (without any SMTP server installed as far I know). It doesn't matter the computer from which the message was sent; in both cases, the client IP is the same.

What can be the reason? Which type of test should I make? Proxy issues? In the latter case, how can I know if they are using a proxy?

Peregring-lk

Posted 2014-12-05T15:17:21.077

Reputation: 215

Can't you ask if they are using a proxy? That is typically something you either setup yourself or become aware you are behind one eventually. – Ramhound – 2014-12-05T15:29:11.237

@Ramhound The problem if this user don't know these type of things. The person which configured their computers work there no more. So, I have to check it myself. – Peregring-lk – 2014-12-05T15:46:06.160

You could run this SPF Test for the bad client and one good client and compare the results. It would also help to post the entire header of a bad message.

– harrymc – 2017-03-17T18:52:29.000

I think you will need an SPF record like this : v=spf1 ip4:80.33.96.128 ~all – harrymc – 2017-03-18T11:44:51.973

Answers

The DNS servers in charge of "domain.com" need an SPF record added to them to allow/verify the SMTP server(s) your client is using to send as an email user on that domain.

For example, using v=spf1 mx -all as the SPF record would allow any SMTP server that has a valid MX record for the domain in the DNS server, and deny all others.

Ƭᴇcʜιᴇ007

Posted 2014-12-05T15:17:21.077

Reputation: 103 763

The SPF record is currently configured to mark my server as the only permissible one. I don't want to modify the SPF record to add their IP address. What I would like to know is why these messages are sended from their local IP instead of from my server. – Peregring-lk – 2014-12-05T17:02:33.310

@Peregring-lk you'd need to look at the client configuration on that user's machine – ivanivan – 2017-03-17T20:16:05.363

Configure the other server to use your SMTP server as a Smart Host. This would send all traffic to your host for processing. From there, your host will relay out to the Internet, and Google (and others that use SPF) should be happy to receive your emails. To further enforce this (if you have control of the firewall or Access Control Lists on your network devices) you can block SMTP outbound traffic from all hosts in your network with the exception of your designated SMTP server. This would prevent other systems on your network from sending messages, bypassing the server, and ensure SPF/DKIM checks are properly set up and passed.

Mark Galbraith

Posted 2014-12-05T15:17:21.077

Reputation: 11