Exchange 2016 blocking emails

Question

Exchange 2016 blocking emails

JD 5

hi there,

I am running Exchange 2016 and went to the Microsoft site to fill out a contact form. Microsoft attempted to email be back saying thank you from email@microsoft.com but our Exchange server blocked the email. This is the message I am seeing. Why was the email blocked?

28/10/2023 20:18:34 FAIL SMTP email@microsoft.com {******@yyy.com} Thanks for your request

RunspaceId : 8da772ca-1784-4b02-a831-55867685f81c

Timestamp : 28/10/2023 20:18:34

ClientIp : 199.15.214.202

ClientHostname : xxx

ServerIp : x.x.x.x

ServerHostname :

SourceContext : Sender Id Agent

ConnectorId : xxx\Default xxx

Source : SMTP

EventId : FAIL

InternalMessageId : 190838281863168

MessageId : ******@sjmktmail-trigger1d.marketo.org

NetworkMessageId : 196b3170-6f7d-4763-484d-08dbd7eaadff

Recipients : {******@xxx.com}

RecipientStatus : {[{LED=550 5.7.1 Sender ID (PRA) Not Permitted};{MSG=};{FQDN=};{IP=x.x.x.x};{LRT=}]}

TotalBytes : 0

RecipientCount : 1

RelatedRecipientAddress :

Reference :

MessageSubject : Thanks for your request

Sender : email@microsoft.com

ReturnPath : ******@bounce4.email.microsoft.com

Directionality : Incoming

TenantId :

OriginalClientIp :

MessageInfo :

MessageLatency :

MessageLatencyType : None

EventData : {[ToEntity, Unknown], [FromEntity, Internet], [DeliveryPriority, Normal], [OriginalFromAddress, ******@bounce4.email.microsoft.com], [AccountForest, xxxcom]}

TransportTrafficType : Email

SchemaVersion : 15.01.2507.034

1 answer

Your answer

Answer 1

Jarvis Sun-MSFT 10,231 Microsoft External Staff

Hello @JD ,

Welcome to our Q&A forum.

Based on the error message you provided, it seems that your Exchange server blocked the email from Microsoft due to a Sender ID (PRA) Not Permitted error. This error occurs when the sender’s domain does not have a valid Sender Policy Framework (SPF) record or if the SPF record is not configured correctly.

To resolve this issue, you can check if the SPF record for Microsoft’s domain is configured correctly. You can use the Microsoft Remote Connectivity Analyzer to check if the SPF record is valid. If the SPF record is not valid, you can add it to your list of allowed domains.

Please feel free to let us know if you have any updates.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

JD 5 Reputation points

2023-10-30T14:44:45.1466667+00:00

Hello, thanks for your reply.

If I ping microsoft.com I get back the following - 20.231.239.246

If I then use https://powerdmarc.com/spf-record-lookup/ and lookup microsoft.com I don't see that Ip range in any of the spf records.

Looking at the error message produced by our Exchange 2016 server, it has marked the client Ip as 199.15.214.202 which is bounce4.email.microsoft.com.

Now if I check the spf for bounce4.email.microsoft.com it is 199.15.214.202.

So did our Exchange server use the ip 20.231.239.246 - microsoft.com and as there is no spf ip for it, marked it as Sender ID (PRA) Not Permitted error?

As another test, I used a different email address for microsoft.com to contact us on (******@outlook.com) and that worked, we received the email - why did this work?

Here is part of the message header

Authentication-Results: spf=pass (sender IP is 199.15.214.202)

smtp.mailfrom=bounce4.email.microsoft.com; dkim=pass (signature was verified)

header.d=microsoft.com;dmarc=pass action=none

header.from=microsoft.com;compauth=pass reason=100

Received-SPF: Pass (protection.outlook.com: domain of

bounce4.email.microsoft.com designates 199.15.214.202 as permitted sender)

receiver=protection.outlook.com; client-ip=199.15.214.202;

helo=bounce4.email.microsoft.com; pr=C

Is there a way to test from our Exchange server what spf record ips are being used?

Also, being Microsoft.com, they would make sure their spf record are correct?

Thanks
Jarvis Sun-MSFT 10,231 Reputation points Microsoft External Staff

2023-11-01T08:55:30.4166667+00:00

@JD, thanks for your detailed information,

So did our Exchange server use the ip 20.231.239.246 - microsoft.com and as there is no spf ip for it, marked it as Sender ID (PRA) Not Permitted error?

Yes, it is.

Is there a way to test from our Exchange server what spf record ips are being used?

Yes, you can test the SPF record IPs being used by your Exchange server. Use the MxToolbox SuperTool to check and verify the SPF record. See: https://www.alitajran.com/setup-spf-record-for-exchange-server/
JD 5 Reputation points

2023-11-03T08:15:29.4333333+00:00

hi,

thanks for you reply.

Looking at the error message the clientip is showing ClientIp : 199.15.214.202 - what does this mean?

Sometimes the Clientip is an external address and other times it is the ip address of our internal Exchange server.

Wouldn't Microsoft.com ensure their spf is correct? I have a feeling there is something not correctly set up on our Exchange Server for SPF checking.

Emails which are getting through SPF seem to either have the ClientIP listed as blank or the internal ip of our Exchange server. Emails that are blocked seem to have a random external ip which is not even the ip of the sending domain.

Some emails have a OriginalClientIp which is not the ip of the sending domain or in the SPF but are still getting through. It seems all very random and not how SPF should be working.

Our Exchange server uses a internal DNS server which uses forwarders and that seems to be all fine. There is router in front that uses port forwarding to send the incoming email on port 25 to the Exchange server. Is there somewhere in the Exchange IIS I can ensure the original ip is maintained all the way through?

Thanks
Jarvis Sun-MSFT 10,231 Reputation points Microsoft External Staff

2023-11-08T08:29:35.8466667+00:00

Hi,

The clientip is the IP address of the server that sent the email to your Exchange server. It may or may not be the same as the original sender’s IP address, depending on how the email was routed.

Your Exchange server can check the SPF record of the incoming email by comparing the clientip with the SPF record of the sender’s domain name. If the clientip is not authorized by the SPF record, the email can be marked as spam or rejected. However, this depends on how you configure your Exchange server to handle SPF failures.
https://community.spiceworks.com/topic/2353615-spf-record-for-on-premise-exchange

Possible reason why some emails have a different originalclientip than the clientip is that they were forwarded by another server or service, such as a spam filter or a gateway. In this case, you may want to check the SPF record of the originalclientip instead of the clientip, as the originalclientip is more likely to match the sender’s domain name.

To preserve the original IP address of the sender in your Exchange server, you may need to configure your router or firewall to use source NAT instead of port forwarding.

Share via

Exchange 2016 blocking emails

1 answer

Your answer