Mail getting blocked due to IP not being allowed per SPF record

book

Article ID: 171899

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

  • Errors are appearing in the message audit logs of Symantec Messaging Gateway (SMG) saying that your MX IP address is not allowed to send per its SPF record.
  • This error is coming from the recipient mail host.
  • Sender's SPF record is set to a "hard fail" (-all).

Example (may not be worded exactly, varies with each mail host):

This particular error is returned from a large hosted mail domain:
550 5.1.1 <Your IP Address> is not allowed to send from <Your domain> per its SPF Record. Please inspect your SPF settings, and try again.

Cause

There is no IP record in the SPF for the sender's domain that matches the external IP related to the SMG.

Resolution

Root cause solution

Update the SPF record for the sender's domain to include the IP address associated with the SMG.

 

Workaround

If the SPF record is configured for "soft fail" (~all), the SMG will still accept mail even if it fails. This setting is recommended for senders performing network changes or changing external IP addresses.

 

Additional information


SPF documentation is available at the ITEF website. Symantec Support is not able to provide configurations for our customers, but various sites provide SPF tools to assist in proper configuration.