SPF check returns PermError on some domains with a valid record - presumably with 'redirect' directive

  • Question

  • Found that the Edge server based on Exchange 2010 Service Pack 3 RU17 returns PermError for valid SPF records with the 'redirect' directive:

    For example, a manual check for telus.com returns

    v=spf1 redirect=_spf_telus_com.nssi.telus.com

    Most SPF checking tools return OK for this domain,

    and this behavior for this domain has not changed for at least 3 years.

    Monday, July 10, 2017 10:08 AM

All replies

  • Thanks for the update.  Do you have a question?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, July 11, 2017 12:12 AM
  • Hi,

    Thanks for sharing. Redirect redirects the SPF record query to another SPF record. It means that you do not really have an SPF record. All query requests will be redirected.

    If you have encountered any mail flow issue or any events, please post them in detail.

    Thanks for your efforts.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, July 11, 2017 7:23 AM
    Moderator
  • Is this normal behavior of Exchange Server or a bug?
    Tuesday, July 11, 2017 7:25 AM
  • Thanks for your response. No, it’s not.

    According to the following from RFC 4408, the SPF check is limited to 10 DNS lookups:

    SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit. The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.

    What’s the detailed error message? Please post it.

    Hope it helps and thanks for your effort.


    Regards,

    Jason Chao


    Monday, July 24, 2017 7:25 AM
    Moderator
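
The lookup limit quoted from RFC 4408 in the reply above, as an added example that is not part of any post in this thread and not how Exchange implements Sender ID: it counts DNS-querying terms across "include" and "redirect" over constructed records. The example.* names, the ZONE table and the function names are assumptions; the count is the worst case, where no mechanism matches early.

```python
# Constructed TXT data standing in for DNS (placeholder names, not real records).
ZONE = {
    "ok.example": "v=spf1 redirect=_spf.ok.example",
    "_spf.ok.example": "v=spf1 ip4:192.0.2.0/24 include:a.ok.example -all",
    "a.ok.example": "v=spf1 a mx -all",
    "deep.example": "v=spf1 redirect=_spf.deep.example",
    "_spf.deep.example": "v=spf1 "
    + " ".join(f"include:n{i}.deep.example" for i in range(10)) + " -all",
    **{f"n{i}.deep.example": f"v=spf1 ip4:198.51.100.{i} -all" for i in range(10)},
    "loop.example": "v=spf1 redirect=loop.example",
    "missing.example": "v=spf1 redirect=nowhere.example",
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # from the RFC text quoted above
LIMIT = 10

class PermError(Exception):
    pass

def _bump(state):
    """Count one DNS-querying term; past the limit the check must end in PermError."""
    state["n"] += 1
    if state["n"] > LIMIT:
        raise PermError("more than 10 DNS-querying terms")

def _walk(domain, zone, state):
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        # A missing record at an include/redirect target is PermError, not None.
        raise PermError(f"target {domain} has no SPF record")
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()   # drop a CIDR suffix such as a/24
        if name == "all":                   # redirect has no effect when "all" is present
            return
        if name in LOOKUP_MECHS:
            _bump(state)
        if name == "include":
            _walk(arg, zone, state)
    if redirect:                            # the redirect modifier counts as a lookup too
        _bump(state)
        _walk(redirect, zone, state)

def check(domain, zone=ZONE):
    """Return (result, lookups) for the worst-case evaluation of domain's SPF record."""
    if domain not in zone:
        return ("None", 0)
    state = {"n": 0}
    try:
        _walk(domain, zone, state)
    except PermError:
        return ("PermError", state["n"])
    return ("WithinLimit", state["n"])
```

A record that only redirects is evaluated against the target's mechanisms, so a PermError on such a domain can come from the target record (too many lookups, or no record found) rather than from the redirect itself.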
  • Good day Jason,

    in the message headers:

    X-MS-Exchange-Organization-SenderIdResult: PERMERROR

    via Exchange PowerShell

    [PS] C:\Windows\system32>Test-SenderId -IPAddress 208.38.59.78 -PurportedResponsibleDomain telus.com

    RunspaceId  : b72c4907-94fe-4e37-a7d8-9d41e8a0b285
    Status      : PermError
    FailReason  : None
    Explanation :

    Thank you!

    BTW SPF validation tool link is dead: https://support.office.microsoft.com/article/92a43f6a-4651-455a-a1cc-300684bedcfa

    Monday, July 24, 2017 7:43 AM
  • Thanks for your response.

    For the state "PermError", please refer to:

    https://blogs.msdn.microsoft.com/tzink/2016/02/19/common-errors-in-spf-records/

    Hope it helps.


    Regards,

    Jason Chao


    Tuesday, August 1, 2017 7:27 AM
    Moderator