What the SPF is wrong with my SPF?

freedomit

We are having issues with a customer sending to Hotmail accounts as messages are being silently deleted. I think it's possibly due to a lack of an SPF record, so I created a record and then emails started bouncing from various sources. What did I do wrong?

The SPF record I created... (they route emails via an ISP who have two SMTP servers listed in the SPF)

ourdomain.co.uk. IN TXT "v=spf1 mx a:smtp0.elite.net.uk a:smtp1.elite.net.uk -all"

I checked with mxtoolbox that the record was valid, but we then started getting NDRs like the one below. Any ideas what I'm doing wrong?


Diagnostic information for administrators:

Generating server: smtp0.elite.net.uk

protection.admin@lv.com
cluster8.eu.messagelabs.com #<cluster8.eu.messagelabs.com #5.1.0 SMTP; 553-SPF (Sender Policy Framework) domain authentication> #SMTP#

Original message headers:

Return-Path: <Clair@ourdomain.co.uk>
Received: from mail.ourdomain.co.uk (mail.ourdomain.co.uk
[217.68.x.x]) by smtp0.elite.net.uk (8.14.4/8.14.4) with ESMTP id
t9NGL6vI018528for <protection.admin@lv.com>; Fri, 23 Oct 2015 17:21:06 +0100
Received: from SERVER.ourdomain.local ([fe80::x:x:x:x]) by
SERVER.ourdomain.local ([fe80::e177:x:x:x]) with mapi id
14.03.0248.002; Fri, 23 Oct 2015 17:20:52 +0100
From: Clair <Clair@ourdomain.co.uk>
To: "protection.admin@lv.com" <protection.admin@lv.com>
Subject: RE: Direct Debits
Thread-Topic: Direct Debits
Thread-Index: AdEL+zgeU0kC2iceQaGnKQLf0KSWgQA6G6ugADKuLnAAABizgA==
Date: Fri, 23 Oct 2015 16:20:51 +0000
Message-ID: <357872CF0FA491448150052BB68B4CA33B07F499@SERVER.ourdomain.local>
References: <357872CF0FA491448150052BB68B4CA33B07AAEB@SERVER.ourdomain.local>
<00336EBAF4D51A438E43486443B7E9212B35F7A1@ormnxb002.group.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.44.127]
Content-Type: multipart/related;
boundary="_017_357872CF0FA491448150052BB68B4CA33B07F499SERVERourdomainloca_";
type="multipart/alternative"
MIME-Version: 1.0
 
I'm not 100% sure... but if you're entering a host name (like the ISP's SMTP servers)... you don't want to have "MX" in there.
If you have MX in the TXT record, it means the client's domain name should follow, and any IPs tied in with the MX record will be used (like a mail server receiving and sending directly).

Add to the mix... based on experience, using ISPs' SMTP servers and trying to get PTR and SPF and all that working well with them... generally doesn't! IMO... avoid them like the plague.
 
Instead of a:remote.servername.com I believe you need to use include:remote.servername.com

Using a: you are saying that this is a hostname under your domain, where include: says to include a remote domain's server.

Edit - never mind, I read that wrong; I thought you were trying to include a remote domain.
 

I used the SPFWizard.com website and it added the mx part, which means any servers listed as MX DNS records for the domain are also permitted to send email. I have it there in case they ever need to send out direct rather than via the ISP.
 
I can tell you that using a third party SMTP, such as your ISP, can pose problems. Also, Hotmail is problematic to begin with. Care to post or PM a complete bounced email, including full headers?
 
I know that you used spfwizard.com; I would try spfwizard.net just to see if you get the same results.

I also agree with the other posters that you should not have the MX in there. You might want to check with your mail provider (unless you are hosting your own box) for direction with this, as often they will have information you need that is not obviously available (i.e. all server IP addresses, hostnames, etc.)

Let us know what you find out.
 
Having your own domain name and server and then routing it via the ISP mail server instead is enough to get mail marked spam no matter what your SPF is. SPF is not all that useful and you can run servers without it just fine.
 
OK thanks... I will switch it over to direct send on Monday and see the results without an SPF and with an SPF.
 
We have a couple of redundant SMTP servers that we have all of our clients use. Easier to keep things tidy with those... than try to maintain each and every client's direct send. If you do direct send... don't forget to do a PTR with their ISP. And use MXToolbox to check their server... lots of little details with Exchange itself, host name, certs, banner greeting... to get lined up properly.
 
OK so I have investigated this further and found the issue. I created the below SPF record as my ISP said the only two servers sending outbound were smtp0 and smtp1...

v=spf1 mx a:smtp0.elite.net.uk a:smtp1.elite.net.uk -all

but when we email some companies we get the following bounce back...

#5.7.1 SMTP; 550 5.7.1 Sender ID (PRA) Not Permitted> #SMTP#

I have spent some time investigating and have found the following...

smtp0.elite.net.uk resolves to 217.68.241.200
smtp1.elite.net.uk resolves to 217.68.241.201

however I just sent a test email and the email log shows it was relayed by the following...

smtp0.elite.net.uk 217.68.241.204

which isn't included in our SPF record. So I have emailed my ISP for the full list of sending IPs so I can add them to the SPF record.
 

Long story short, just because those are the SMTP servers that receive mail for the ISP doesn't mean they are the last MTA to send the email outside their network. They could be forwarding email traffic to another MTA for whatever purpose, like spam or virus filtering, and then that MTA may actually send the email to the recipient. Either way, you will need to make sure that any IP or FQDN that the ISP could potentially use to send mail on behalf of their domain is listed in your SPF; otherwise you will get an NDR if you specify a hard fail in your SPF record. Hopefully they can give you all the info. I know how difficult it is to get the right answers from other vendors, especially ISPs.
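As an added illustration (not code from this thread, the ISP or any SPF library), here is a minimal offline SPF evaluator run against a constructed DNS table. It shows both points raised above: `a:smtp0`/`a:smtp1` only match the addresses those names resolve to (.200/.201), so the relay at 217.68.241.204 hard-fails under `-all`, while an `include:` of a record the ISP publishes covering its whole outbound range passes. The `_spf.elite.net.uk` record, the 217.68.241.0/24 range and the MX host address are assumptions made for the example; real SPF (RFC 7208) also has ip6, ptr, exists, redirect, macros and a 10-lookup limit, which are omitted here.

```python
"""Minimal SPF evaluator over a constructed DNS table (illustration only)."""
import ipaddress

# Constructed DNS data standing in for live lookups.
DNS = {
    "A":  {"smtp0.elite.net.uk": ["217.68.241.200"],   # as found by the poster
           "smtp1.elite.net.uk": ["217.68.241.201"],
           "mail.ourdomain.co.uk": ["203.0.113.10"],   # constructed MX host address
           "relay.elite.net.uk": ["217.68.241.204"]},  # hypothetical name for the relay
    "MX": {"ourdomain.co.uk": ["mail.ourdomain.co.uk"]},
    "TXT": {"ourdomain.co.uk":
                "v=spf1 mx a:smtp0.elite.net.uk a:smtp1.elite.net.uk -all",
            # Hypothetical record the ISP could publish for customers to include:
            "_spf.elite.net.uk": "v=spf1 ip4:217.68.241.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def with_record(dns, domain, record):
    """Copy of the table with one TXT record replaced (for before/after runs)."""
    new = {k: dict(v) for k, v in dns.items()}
    new["TXT"][domain] = record
    return new

def spf_check(ip, domain, dns=DNS):
    """Return the SPF result for a sending IP and MAIL FROM domain."""
    addr = ipaddress.ip_address(ip)
    record = dns["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "a":        # A records of the named host (or the domain itself)
            hosts = [arg or domain]
        elif name == "mx":     # A records of every MX host of the domain
            hosts = dns["MX"].get(arg or domain, [])
        elif name == "include":  # recurse; only a "pass" of the included record matches
            if spf_check(ip, arg, dns) == "pass":
                return QUALIFIERS[qual]
            continue
        else:
            continue
        if any(addr == ipaddress.ip_address(a) for h in hosts for a in dns["A"].get(h, [])):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term
```

Running `spf_check("217.68.241.204", "ourdomain.co.uk")` gives "fail" with the original record and "pass" after `with_record(DNS, "ourdomain.co.uk", "v=spf1 mx include:_spf.elite.net.uk -all")`.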
 