Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SPF: Help

Shouldn't be rejecting?

  

 
SPF help RSS feed   Index | Next | Previous | View Threaded


mwb at mwburden

Apr 15, 2008, 2:48 PM

Post #1 of 8 (661 views)
Permalink
Shouldn't be rejecting?
I tested my SPF configuration with http://www.openspf.org/Why

My Query:
Mail From: n24hc.com
Client IP: 68.76.20.124


The result:
[...] If you are confident your mail did go through an approved server:
The system administrator for n24hc.com may have incorrectly configured
its SPF record. This is a common cause of mistakes.
Here's what you can do. Contact the system administrator responsible for
n24hc.com and tell them that they need to change its SPF record so that
it contains mail.mwburden.com.
For example, they could change the record to something like
a:mail.mwburden.com



The SPF record for n24hc.com:
IN TXT "v=spf1 mx mx:mwburden.com mx:lynk.com ~all"



Shouldn't 68.76.20.124 be allowed to send mail for n24hc.com, since
68.76.20.124 is an MX for both n24hc.com and mwburden.com, both of
which I've included in the SPF TXT record?

Reverse lookup for 68.76.20.124 resolves to mail.mwburden.com, which
is named as the MX for mwburden.com.



Thanks,
Mike


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


vesely at tana

Apr 15, 2008, 9:35 PM

Post #2 of 8 (637 views)
Permalink
Re: Shouldn't be rejecting? [In reply to]
Michael W. Burden wrote:
> I tested my SPF configuration with http://www.openspf.org/Why
>
> My Query:
> Mail From: n24hc.com
> Client IP: 68.76.20.124
>
>
> The result:
> [...] If you are confident your mail did go through an approved server:
> The system administrator for n24hc.com may have incorrectly configured
> its SPF record. This is a common cause of mistakes.
> Here's what you can do. Contact the system administrator responsible for
> n24hc.com and tell them that they need to change its SPF record so that
> it contains mail.mwburden.com.
> For example, they could change the record to something like
> a:mail.mwburden.com

I did the same test and got a different result. Possibly the MX
records changed?

The result I got:
An SPF-enabled mail server rejected a message that claimed an envelope
sender address of n24hc.com.

An SPF-enabled mail server received a message from mail.mwburden.com
(68.76.20.124) that claimed an envelope sender address of n24hc.com.

The domain n24hc.com has authorized mail.mwburden.com (68.76.20.124)
to send mail on its behalf, so the message should have been accepted.
It is impossible for us to say why it was rejected.
What should I do?

If the problem persists, contact the n24hc.com postmaster.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


mwb at mwburden

Apr 16, 2008, 6:00 AM

Post #3 of 8 (631 views)
Permalink
Re: Shouldn't be rejecting? [In reply to]
Someone else pointed out to me that there was a problem with the
"glue" records in my DNS. That appears to have solved the problem
before you looked. Thank you for taking the time to look at it,
though. I do appreciate it.





vesely at tana wrote:
> Michael W. Burden wrote:
>> I tested my SPF configuration with http://www.openspf.org/Why
>>
>> My Query:
>> Mail From: n24hc.com
>> Client IP: 68.76.20.124
>>
>>
>> The result:
>> [...] If you are confident your mail did go through an approved server:
>> The system administrator for n24hc.com may have incorrectly configured
>> its SPF record. This is a common cause of mistakes.
>> Here's what you can do. Contact the system administrator responsible for
>> n24hc.com and tell them that they need to change its SPF record so that
>> it contains mail.mwburden.com.
>> For example, they could change the record to something like
>> a:mail.mwburden.com
>
> I did the same test and got a different result. Possibly the MX
> records changed?
>
> The result I got:
> An SPF-enabled mail server rejected a message that claimed an envelope
> sender address of n24hc.com.
>
> An SPF-enabled mail server received a message from mail.mwburden.com
> (68.76.20.124) that claimed an envelope sender address of n24hc.com.
>
> The domain n24hc.com has authorized mail.mwburden.com (68.76.20.124)
> to send mail on its behalf, so the message should have been accepted.
> It is impossible for us to say why it was rejected.
> What should I do?
>
> If the problem persists, contact the n24hc.com postmaster.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


rob.macgregor at gmail

Apr 16, 2008, 7:05 AM

Post #4 of 8 (631 views)
Permalink
Re: Re: Shouldn't be rejecting? [In reply to]
On Wed, Apr 16, 2008 at 2:00 PM, Michael W. Burden <mwb[at]mwburden.com> wrote:
> Someone else pointed out to me that there was a problem with the
> "glue" records in my DNS. That appears to have solved the problem
> before you looked. Thank you for taking the time to look at it,
> though. I do appreciate it.

That's useful to know - I've seen similar reports and been unable to
identify the cause of the rejections. Now I know to check the glue
records as a possible source.

--
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


rob.macgregor at gmail

Apr 16, 2008, 7:19 AM

Post #5 of 8 (628 views)
Permalink
Re: Re: Shouldn't be rejecting? [In reply to]
On Wed, Apr 16, 2008 at 2:00 PM, Michael W. Burden <mwb[at]mwburden.com> wrote:
> Someone else pointed out to me that there was a problem with the
> "glue" records in my DNS. That appears to have solved the problem
> before you looked. Thank you for taking the time to look at it,
> though. I do appreciate it.

Looks like you still have that problem:

>>>>>
NS records got from your nameservers listed at the parent NS are:

ns2.mwburden.com.mwburden.com [] (NO GLUE) [TTL=86400]
ns1.mwburden.com.mwburden.com [] (NO GLUE) [TTL=86400]
<<<<<

I suspect that somebody forgot the trailing '.' on the NS lines in
your BIND configuration.

--
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


mwb at mwburden

Apr 16, 2008, 12:45 PM

Post #6 of 8 (628 views)
Permalink
Re: Shouldn't be rejecting? [In reply to]
rob.macgregor at gmail wrote:
> On Wed, Apr 16, 2008 at 2:00 PM, Michael W. Burden <mwb[at]mwburden.com> wrote:
>> Someone else pointed out to me that there was a problem with the
>> "glue" records in my DNS. That appears to have solved the problem
>> before you looked. Thank you for taking the time to look at it,
>> though. I do appreciate it.
>
> Looks like you still have that problem:
>
>>>>>>
> NS records got from your nameservers listed at the parent NS are:
>
> ns2.mwburden.com.mwburden.com [] (NO GLUE) [TTL=86400]
> ns1.mwburden.com.mwburden.com [] (NO GLUE) [TTL=86400]
> <<<<<
>
> I suspect that somebody forgot the trailing '.' on the NS lines in
> your BIND configuration.
>
> --
> Rob MacGregor
> Whoever fights monsters should see to it that in the process he
> doesn't become a monster. Friedrich Nietzsche



You're absolutely correct. Thanks!

Mike (aka "somebody")

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


rob.macgregor at gmail

Apr 16, 2008, 1:41 PM

Post #7 of 8 (628 views)
Permalink
Re: Re: Shouldn't be rejecting? [In reply to]
On Wed, Apr 16, 2008 at 8:45 PM, Michael W. Burden <mwb[at]mwburden.com> wrote:
>
> You're absolutely correct. Thanks!

Not a problem, though your MX records have gone.

Hopefully you'll catch this in the list archive, or somebody who knows
another way to contact you will let you know ;) The list
administrator should expect to receive a bounce message shortly :)

--
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


mwb at mwburden

Apr 16, 2008, 7:55 PM

Post #8 of 8 (619 views)
Permalink
Re: Re: Re: Shouldn't be rejecting? [In reply to]
rob.macgregor at gmail wrote:
> Not a problem, though your MX records have gone.


Ack. When I fixed my glue records, I put them right after the NS
records, which put them ahead of the MX record, so the blank field ahead
of "IN MX" no longer referred to "@".

*sigh*

Thanks again for the help. In another 50 or so iterations I may even
get it right!

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

SPF help RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.