Exchange misinterprets the SPF records

    Question

  • Hi,

    I think Exchange SPF control doesn't work correctly. For instance, when I get an email from Twitter to my Exchange (on-premise) mailbox, it is marked as SPF fail, but the same email passes the SPF control of Hotmail, Gmail or Office 365.

        

    Exchange mail header:


    From: Twitter <n-fz=geraqlby.pbz-caabf@postmaster.twitter.com>
    Return-Path: za9d488917fz=geraqlby.pbz@bounce.twitter.com
    Received-SPF: Fail (exchange.domain.com: domain of
     n-fz=geraqlby.pbz-caabf@postmaster.twitter.com does not designate
     199.59.150.82 as permitted sender) receiver=exchange.domain.com;
     client-ip=199.59.150.82; helo=spruce-goose-am.twitter.com;


    Gmail:

    Return-Path: <z00cb00917uu=uhfrlvahany.arg@bounce.twitter.com>
    Received-SPF: pass (google.com: domain of z00cb00917uu=uhfrlvahany.arg@bounce.twitter.com designates 199.16.156.171 as permitted sender) client-ip=199.16.156.171;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of z00cb00917uu=uhfrlvahany.arg@bounce.twitter.com designates 199.16.156.171 as permitted sender) smtp.mail=z00cb00917uu=uhfrlvahany.arg@bounce.twitter.com;
    From: "User (via Twitter)" <i-uu=uhfrlvahany.arg-71a04@postmaster.twitter.com>



    Hotmail:

    Authentication-Results: hotmail.com; spf=pass (sender IP is 199.59.150.99; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=zdca9fe917uhfrlvahany=zfa.pbz@bounce.twitter.com; 
    X-SID-PRA: i-uhfrlvahany=zfa.pbz-077df@postmaster.twitter.com
    Return-Path: zdca9fe917uhfrlvahany=zfa.pbz@bounce.twitter.com
    From: "User (via Twitter)" <i-uhfrlvahany=zfa.pbz-077df@postmaster.twitter.com>

     
    Office 365:

    Received-SPF: pass (mail68-co1: domain of bounce.twitter.com designates 199.16.156.171 as permitted sender) client-ip=199.16.156.171; envelope-from=z4928f1917uhfrlva.hany=fvzgrearg.pbz@bounce.twitter.com;
    Return-Path: z4928f1917uhfrlva.hany=fvzgrearg.pbz@bounce.twitter.com
    From: "Username (via Twitter)"
    <i-uhfrlva.hany=fvzgrearg.pbz-7cd35@postmaster.twitter.com>

    We are using SPF control by transport rule; that's why some emails are going to the junk folder.


    Do you have any idea about that?


    Wednesday, July 31, 2013 11:03 PM

All replies

  • Hello,

    I recommend you use the Test-SenderId cmdlet to test whether a specified IP address is the legitimate sending address for a specified SMTP address.

    Test-SenderId

    http://technet.microsoft.com/en-us/library/aa998605(v=exchg.150).aspx

    If you have any feedback on our support, please click here


    Cara Chen
    TechNet Community Support

    Thursday, August 01, 2013 9:03 AM
  • Hello,

    The Test-SenderId cmdlet shows a failed SPF as well.

    In my opinion, the main problem is that the Exchange server evaluates the "From" header (postmaster.twitter.com) to check SPF, while the other mail providers evaluate the Return-Path header (bounce.twitter.com), which is the correct way to check SPF.

     

    Exchange:

    Received-SPF: Fail (exchange.domain.com: domain of
     n-fz=geraqlby.pbz-caabf@postmaster.twitter.com does not designate
     199.59.150.82 as permitted sender)

     

    Office 365:
    Received-SPF: pass (mail68-co1: domain of bounce.twitter.com designates 199.16.156.171 as permitted sender) client-ip=199.16.156.171;

     

    Gmail:

    Received-SPF: pass (google.com: domain of z00cb00917uu=uhfrlvahany.arg@bounce.twitter.com designates 199.16.156.171 as permitted sender)




    • Edited by HUNAL Thursday, August 01, 2013 10:39 AM
    Thursday, August 01, 2013 10:37 AM
  • Hello,

    From the information, the Exchange server evaluating the "From" header seems to be the problem.

    If you publish SPF information for your domain in a public DNS that informational message will change to say that the message arrived from an authorized source.

    I suggest you check your SPF record.

    Here are some articles for your reference.

    Sender ID

    http://technet.microsoft.com/en-us/library/aa996295(v=exchg.150).aspx

    Configuring DNS, MX, and SPF Records and Settings

    http://technet.microsoft.com/en-us/library/ff714972.aspx

    If you have any feedback on our support, please click here


    Cara Chen
    TechNet Community Support

    Friday, August 02, 2013 9:20 AM
  • Hello Cara,

    It's not related to our DNS or mail infrastructure. As you can see in my previous posts, Exchange Server evaluates the From header instead of the Return-Path header, and that causes false-positive SPF results.

    Exchange is checking the From header, which is "postmaster.twitter.com", but other mail providers are checking the Return-Path header, "bounce.twitter.com", which is the correct way to check SPF.

    The problem is not only with Twitter emails; it affects every domain that uses a different Return-Path and From address.

    • Edited by HUNAL Friday, August 02, 2013 9:48 AM
    Friday, August 02, 2013 9:43 AM
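
The two identities discussed in the posts above can be told apart from the headers themselves. The following is an added example, not part of the original thread or of any Microsoft tooling: it reads a `Received-SPF` header and reports whether the verdict was computed on the envelope sender (Return-Path, as SPF specifies) or on the header-derived address that Sender ID calls the PRA. The function names are hypothetical, and the PRA selection is a simplification of RFC 4407.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender ID picks its "purported responsible address" (PRA) from these headers.
# Simplified from RFC 4407, which also considers Resent/Received block order.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

# Headers copied from the thread (Exchange and Gmail samples).
EXCHANGE = """\
From: Twitter <n-fz=geraqlby.pbz-caabf@postmaster.twitter.com>
Return-Path: za9d488917fz=geraqlby.pbz@bounce.twitter.com
Received-SPF: Fail (exchange.domain.com: domain of
 n-fz=geraqlby.pbz-caabf@postmaster.twitter.com does not designate
 199.59.150.82 as permitted sender) receiver=exchange.domain.com;
 client-ip=199.59.150.82; helo=spruce-goose-am.twitter.com;
"""
GMAIL = """\
Return-Path: <z00cb00917uu=uhfrlvahany.arg@bounce.twitter.com>
Received-SPF: pass (google.com: domain of z00cb00917uu=uhfrlvahany.arg@bounce.twitter.com designates 199.16.156.171 as permitted sender) client-ip=199.16.156.171;
From: "User (via Twitter)" <i-uu=uhfrlvahany.arg-71a04@postmaster.twitter.com>
"""


def domain_of(value):
    """Lower-cased domain of a header address, bare address or bare domain."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[-1].lower()


def checked_identity(raw_headers):
    """Report which identity the receiver's Received-SPF verdict was based on."""
    msg = message_from_string(raw_headers)
    spf = " ".join((msg.get("Received-SPF") or "").split())  # unfold the header
    m = re.match(r"(\w+) .*?domain of (\S+) (?:designates|does not designate) ", spf)
    if not m:
        return None  # no Received-SPF header, or a format this sketch does not parse
    checked = domain_of(m.group(2))
    mail_from = domain_of(msg.get("Return-Path"))
    pra = next((domain_of(msg[h]) for h in PRA_ORDER if msg.get(h)), "")
    if mail_from == pra:
        identity = "aligned"    # both identities share a domain
    elif checked == mail_from:
        identity = "mailfrom"   # SPF proper: envelope sender (Return-Path)
    elif checked == pra:
        identity = "pra"        # Sender ID (RFC 4406): header-derived address
    else:
        identity = "unknown"
    return {"result": m.group(1).lower(), "checked": checked,
            "mail_from": mail_from, "pra": pra, "identity": identity}
```

Run over the thread's samples, `checked_identity(EXCHANGE)` reports a `fail` computed on the `pra` domain, while `checked_identity(GMAIL)` reports a `pass` computed on `mailfrom`.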
  • Hello,

    Sorry for delayed response.

    I read the TechNet article and some threads; there is little related information.

    The mail header "postmaster.twitter.com" seems to mean that messages sent by users from Twitter to your Exchange server failed.

    I recommend you check if the ip address for twitter is listed in your blacklist.

    I recommend you use nslookup to check if your DNS MX record on public DNS server is correct.

    If you have any feedback on our support, please click here

     


    Cara Chen
    TechNet Community Support

    Monday, August 05, 2013 1:47 AM
  • Hello, 

    By the way, I'd like to add that we are using "Forefront Protection for Exchange Server 2010" with the latest hotfixes. Here are our current Sender ID settings:

    

    It looks like I posted this thread in the wrong category, but I couldn't find the Exchange Server 2010 category.

    Thanks

    • Edited by HUNAL Tuesday, August 06, 2013 6:49 AM
    Tuesday, August 06, 2013 6:49 AM
  • Hello,

    Sorry for delayed response.

    I will help you move your issue to the Exchange 2010 forum.

    If you have any feedback on our support, please click here


    Cara Chen
    TechNet Community Support

    Friday, August 09, 2013 1:42 AM
  • How do I find the new thread or an answer to this thread? 

    I am having the same exact issue and am seeing the same incorrect behavior of Exchange/Forefront.


    James Right Size Solutions

    Wednesday, August 28, 2013 7:18 PM