gingib Posted February 14, 2017 Posted February 14, 2017 Has there been any recent changes to Hornbill's SPF Record? We have just discovered that our outgoing emails have been blocked by our mail control as being spoofed - this has been happening for about a week. We have checked everything at our end and cannot find a reason for this unless you have maybe made some changes. Please can you advise?
Keith Stevenson Posted February 14, 2017 Posted February 14, 2017 Gingib. Thanks for the post. No changes have been made to the SPF record since 9/15/2016 at 10:43:33 AM and having checked the SPF record everything looks as it should. Can you provide the full headers of an email that was sent and blocked so we can see where it got to. Kind Regards Keith Stevenson
gingib Posted February 14, 2017 Author Posted February 14, 2017 (edited) Hi Keith, We had already started to take the actions you had previously suggested (think those comments may have now been deleted). Below is as requested:- Received: from live.hornbill.com (unknown [172.16.1.52])by live.hornbill.com (Postfix) with ESMTP id DE0A01401BBfor <fred.blogs@xxx.org>; Tue, 14 Feb 2017 12:39:13 +0000 (UTC) Date: Tue, 14 Feb 2017 12:39:11 +0000 (GMT Standard Time) MIME-Version: 1.0 Subject: [SR00025194] Your request regarding "New Starter Request for ??? starting on 2017-02-14" has been logged X-Priority: 3 X-Mailer: Hornbill Mailer 8.0.0.2687 From: "IT Service Desk" <wbcitservicedesk@wokingham.gov.uk> To: fred.blogs@xxx.org Content-Type: multipart/alternative; boundary="__=_Part_Boundary_003_012019.001950" Message-Id: <000000000001cc01@wbcservicedesk.mail.hornbill.com> X-Mailcontrol-TLSQueued: g4wZfm+MR!NIMxq6Ro!sG3a5aOyRpqyiLM1WvYW2iEvzMcexbDZ9ApdNlfvZ3LKs7w5ARWlIr3v0SmYluureVePBLAzdSwFt Edited February 14, 2017 by gingib Remove user email address
Victor Posted February 14, 2017 Posted February 14, 2017 @gingib the initial advice was removed as we need to check a few things to be 100% sure we have the right answer/advice
Victor Posted February 14, 2017 Posted February 14, 2017 @gingib your outbound rule for your domain should be using direct outbound instead of smarthost. You are are using our postfix server as a smarthost which is not an allowed sender for anything other than live.hornbill.com addresses. https://mxtoolbox.com/SuperTool.aspx?action=ptr%3a78.129.173.121&run=networktools# If you change the outbound rule for your domain to direct outbound, it should work correctly. (thanks to @jeffreysmith and @Keith Stevenson for assistance with this issue )
gingib Posted February 14, 2017 Author Posted February 14, 2017 Hi Victor, When we went to apply this suggested fix we got the following message:- SPF Check Success SPF RECORD: include:spf.mailjet.com ip4:5.153.254.63 ip4:31.210.25.132 ip4:89.16.161.57 ip4:85.232.51.207 include:spf.protection.outlook.com include:_spf.live.hornbill.com mx ptr ~all SPF OK: sender policy allows origin domain to send, matched '~all' for a SoftFail SPF WARNING: the SPF rule found matches any originating domain, which is not recommended as mail you send could be unreliable and end up in junk folders! Is this what you would expect to see?
gingib Posted February 15, 2017 Author Posted February 15, 2017 @Victor - please could you advise on the above. Thank you. I am concerned as we have made no changes to our system yet the problem with sending email appeared approximately a week ago and have to wonder how this came about
Victor Posted February 15, 2017 Posted February 15, 2017 @gingib apologies, I was convinced I replied to your last comment which obviously I didn't, really sorry So, I don't see anything unusual except the SPF record configuration set to _spf:.live.hornbill.com instead of _spf.hornbill.com - which shoudl be the correct record. Second, sender policy allows origin domain to send, matched '~all' for a SoftFail means if the domain is not listed it will trigger a "soft fail" which means the email is delivered but marked as such. In other words, all mail servers not listed in the SPF record are not authorized to send mail using the sender’s domain, but the owner of the domain is unwilling to make a strong assertion to that effect.
samwoo Posted February 21, 2017 Posted February 21, 2017 Hi Victor, (I work with Ginny) I've had infrastructure look at the issues and this is the error they found on the spoofed emails from Hornbill:PermError SPF Permanent Error: Too many DNS lookup (thisis a link to a post on stackoverflow explaining it) Infrastructure have asked "Is there an alternative, possibly an IP address we can add into our SPF record instead of the include?" Otherwise might you or someone from Hornbill know how we can resolve this? Thanks Samuel
Gerry Posted February 21, 2017 Posted February 21, 2017 @samwoo @gingib Upon investigation, it seems that our own recent move to office365 has meant we added another include which pushed passed the 10 limit and had not realised that. We will make changes to our DNS in the next few hours so should propagate through the DNS caches and the problem will be resolved tomorrow. Gerry
samwoo Posted February 22, 2017 Posted February 22, 2017 15 hours ago, Gerry said: @samwoo @gingib Upon investigation, it seems that our own recent move to office365 has meant we added another include which pushed passed the 10 limit and had not realised that. We will make changes to our DNS in the next few hours so should propagate through the DNS caches and the problem will be resolved tomorrow. Gerry Hi Gerry, Thanks for further investigating this. Infrastructure has checked the emails and all is now going through ok. Cheers for the help, Samuel 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now