Outgoing emails being blocked by mail control

[gingib]

Has there been any recent changes to Hornbill's SPF Record?  We have just discovered that our outgoing emails have been blocked by our mail control as being spoofed - this has been happening for about a week.  We have checked everything at our end and cannot find a reason for this unless you have maybe made some changes.  Please can you advise?

[Keith Stevenson]

Gingib.

Thanks for the post. No changes have been made to the SPF record since 9/15/2016 at 10:43:33 AM and having checked the SPF record everything looks as it should.

Can you provide the full headers of an email that was sent and blocked so we can see where it got to.

Kind Regards

Keith Stevenson

[gingib]

Hi Keith,

We had already started to take the actions you had previously suggested (think those comments may have now been deleted).  Below is as requested:-

Received: from live.hornbill.com (unknown [172.16.1.52])by live.hornbill.com (Postfix) with ESMTP id DE0A01401BBfor <fred.blogs@xxx.org>; Tue, 14 Feb 2017 12:39:13 +0000 (UTC)
Date: Tue, 14 Feb 2017 12:39:11 +0000 (GMT Standard Time)
MIME-Version: 1.0
Subject: [SR00025194] Your request regarding "New Starter Request for ??? starting on 2017-02-14" has been logged
X-Priority: 3
X-Mailer: Hornbill Mailer 8.0.0.2687
From: "IT Service Desk" <wbcitservicedesk@wokingham.gov.uk>
To: fred.blogs@xxx.org
Content-Type: multipart/alternative; boundary="__=_Part_Boundary_003_012019.001950"
Message-Id: <000000000001cc01@wbcservicedesk.mail.hornbill.com>
X-Mailcontrol-TLSQueued: g4wZfm+MR!NIMxq6Ro!sG3a5aOyRpqyiLM1WvYW2iEvzMcexbDZ9ApdNlfvZ3LKs7w5ARWlIr3v0SmYluureVePBLAzdSwFt

Edited February 14, 2017 by gingib
Remove user email address

[Victor]

@gingib the initial advice was removed as we need to check a few things to be 100% sure we have the right answer/advice

 

[Victor]

@gingib your outbound rule for your domain should be using direct outbound instead of smarthost. You are are using our postfix server as a smarthost which is not an allowed sender for anything other than live.hornbill.com addresses.

https://mxtoolbox.com/SuperTool.aspx?action=ptr%3a78.129.173.121&run=networktools#

If you change the outbound rule for your domain to direct outbound, it should work correctly.

(thanks to @jeffreysmith and @Keith Stevenson for assistance with this issue )

[gingib]

Hi Victor,

When we went to apply this suggested fix we got the following message:-

SPF Check Success

 

SPF RECORD: include:spf.mailjet.com ip4:5.153.254.63 ip4:31.210.25.132 ip4:89.16.161.57 ip4:85.232.51.207 include:spf.protection.outlook.com include:_spf.live.hornbill.com mx ptr ~all

 

SPF OK: sender policy allows origin domain to send, matched '~all' for a SoftFail

 

SPF WARNING: the SPF rule found matches any originating domain, which is not recommended as mail you send could be unreliable and end up in junk folders!

Is this what you would expect to see?

[gingib]

@Victor - please could you advise on the above.  Thank you.

I am concerned as we have made no changes to our system yet the problem with sending email appeared approximately a week ago and have to wonder how this came about

[Victor]

@gingib apologies, I was convinced I replied to your last comment which obviously I didn't, really sorry

So, I don't see anything unusual except the SPF record configuration set to _spf:.live.hornbill.com instead of _spf.hornbill.com - which shoudl be the correct record.

Second, sender policy allows origin domain to send, matched '~all' for a SoftFail means if the domain is not listed it will trigger a "soft fail" which means the email is delivered but marked as such. In other words, all mail servers not listed in the SPF record are not authorized to send mail using the sender’s domain, but the owner of the domain is unwilling to make a strong assertion to that effect.

[samwoo]

Hi Victor,

(I work with Ginny)
I've had infrastructure look at the issues and this is the error they found on the spoofed emails from Hornbill:
PermError SPF Permanent Error: Too many DNS lookup (thisis a link to a post on stackoverflow explaining it)

Infrastructure have asked
"Is there an alternative, possibly an IP address we can add into our SPF record instead of the include?"

Otherwise might you or someone from Hornbill know how we can resolve this?

Thanks

Samuel

[Gerry]

@samwoo @gingib

Upon investigation, it seems that our own recent move to office365 has meant we added another include which pushed passed the 10 limit and had not realised that.  We will make changes to our DNS in the next few hours so should propagate through the DNS caches and the problem will be resolved tomorrow.  

Gerry

[samwoo]

15 hours ago, Gerry said:

@samwoo @gingib

Upon investigation, it seems that our own recent move to office365 has meant we added another include which pushed passed the 10 limit and had not realised that.  We will make changes to our DNS in the next few hours so should propagate through the DNS caches and the problem will be resolved tomorrow.  

Gerry

Hi Gerry,

Thanks for further investigating this. Infrastructure has checked the emails and all is now going through ok.

Cheers for the help,

Samuel