SPF Record - not permitted sender?

    Question

  • Hello, 

    I'm having a headache of a time with my SPF record. I have validated with various tools and it checks out at least in terms of format/syntax. 

    The SPF record for the domain has ip4 addresses in CIDR notation. The sending IPs fall within a range of /24, for example; however, I'm still getting the below. It could be a mail relay or other server but it's not indicated via CIP in the message header. I only have the originating/source IP and evidence is presented within the header.

    Received-SPF None (protection.outlook.com: smtpmailserver does not designate permitted sender hosts)

    The SPF record for example:

    v=spf1 ip4:16X.XX.XX ip4:20X.XX.XX.X/24 ip4:10.XX.XX.X/24 ip4:19X.XX.XX.X/24 include:spf.protection.com -all

    Any thoughts as to why the originating IPs don't get accepted despite falling within that range?

    Tuesday, June 7, 2016 7:19 PM

All replies

  • Hi 

    Please use the link below to validate and create an SPF record:

    http://www.spfwizard.net/


    sachin hodge

    Tuesday, June 7, 2016 7:46 PM
  • Thank you for the response. My record is exactly as generated via your provided link. 
    Tuesday, June 7, 2016 8:11 PM
    I would also like to state that I have verified via http://www.kitterman.com/spf/validate.html and also simulated with "Test an SPF record". Despite simulated successes and fails, I'm still at a loss as to why items are reporting back as failing the SPF.

    The only thing I can think of is this regarding the PTR: https://social.technet.microsoft.com/Forums/en-US/3bf8a3de-39ac-4383-ac92-8652090d5d55/receivedspf-softfail-does-not-designate-ipaddress-as-permitted-sender?forum=exchange2010



    • Edited by coleisaacs Wednesday, June 8, 2016 12:56 AM
    Tuesday, June 7, 2016 8:47 PM
  • After further research I've concluded that the mail is getting forwarded and thus failing their SPF checks.

    Please correct me if I am wrong but my options are:

    1) Remove SPF or ~all

    2) Implement SRS (Sender Rewriting Scheme)

    3) Use DKIM

    4) Determine forwarding server IPs.

    #2 is impossible as I don't own the forwarding servers and having #3 implemented is unlikely - it's not an option at this time. #4 I don't think would work because after analyzing the headers of the emails that should be passing SPF the forwarding e-mail isn't listed, so I THINK and SUSPECT that even if they were listed in the SPF record they still wouldn't match; I'm going to look into this further. So, I'm essentially left with removing the SPF or soft failing it with ~all.

    Any further guidance on this matter would be greatly appreciated. Thank you. 

    Wednesday, June 8, 2016 1:08 AM
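
An added example, not part of the thread: a minimal evaluator for the `ip4`, `include` and `all` mechanisms, showing how a receiver arrives at `pass`, `fail`, `softfail` or `none` for a connecting IP. `none` (the value in the Received-SPF header quoted in the question) is returned when the domain being checked publishes no SPF record, which is a different outcome from a `-all` fail on a forwarder's IP. Assumptions: the `ZONE` dictionary stands in for DNS, and every domain name and address in it is constructed (documentation ranges); other mechanisms are not evaluated.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (documentation address ranges,
# hypothetical domain names; not the record from the thread).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 include:spf.relay.example -all",
    "soft.example.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "spf.relay.example": "v=spf1 ip4:203.0.113.0/25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for client_ip against the checked domain's record."""
    record = zone.get(domain.lower(), "")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"       # the checked domain publishes no SPF record
    if depth > 10:
        return "permerror"  # guard against include loops
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"     # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
        elif name == "include":
            inner = check_spf(client_ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only an inner pass counts as a match
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, ptr, modifiers: not evaluated here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term

if __name__ == "__main__":
    for ip, dom in [("192.0.2.44", "example.com"), ("203.0.113.200", "example.com"),
                    ("203.0.113.200", "soft.example.com"), ("192.0.2.44", "smtpmailserver.example")]:
        print(ip, dom, check_spf(ip, dom))
```

The domain passed to `check_spf` is the envelope sender (or HELO) domain the receiver saw, so comparing it with the domain whose record was validated is the first check when a header reports `none`.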