search cancel

Mail getting blocked due to IP not being allowed per SPF record


Article ID: 171899


Updated On:


Messaging Gateway


  • Errors are appearing in the message audit logs of Symantec Messaging Gateway (SMG) saying that your MX IP address is not allowed to send per its SPF record.
  • This error is coming from the recipient mail host.
  • Sender's SPF record is set to a "hard fail" (-all).

Example (may not be worded exactly, varies with each mail host):

This particular error is returned from a large hosted mail domain:
550 5.1.1 <Your IP Address> is not allowed to send from <Your domain> per its SPF Record. Please inspect your SPF settings, and try again.


There is no IP record in the SPF for the sender's domain that matches the external IP related to the SMG.


Root cause solution

Update the SPF record for the sender's domain to include the IP address associated with the SMG.



If the SPF record is configured for "soft fail" (~all), the SMG will still accept mail even if it fails. This setting is recommended for senders performing network changes or changing external IP addresses.


Additional information

SPF documentation is available at the ITEF website. Symantec Support is not able to provide configurations for our customers, but various sites provide SPF tools to assist in proper configuration.