SPF fail because internal server IP is missing

HanakJ 86 Reputation points
2021-02-04T18:44:22.547+00:00

Hello,

I've been having a problem with SPF recording lately. If I test the header of an e-mail that travels from an external mail server to my mail server, the test ends with an SPF error because the internal mail server is not listed in the name.

SMTP traffic looks like this:

mail.unix.com > EDGE.domain.org

EDGE.domain.org > InternalExchA.domain.loc

InternalExchA.domain.loc > InternalExchB.domain.loc

For example, mxtoolbox.com has a problem that the internal IP of the InternalExchA.domain.loc server is not in the SPF record.

SPF name is for domain mail.unix.com "v= spf1 mx -all"

and MX for this domain is correct and sent from this IP.

Thanks for any advice


1 answer

  1. Eric Yin-MSFT 4,386 Reputation points
    2021-02-05T08:26:57.473+00:00

    So the message is successfully delivered, but when you test the message header of the inbound message in MXToolbox, it says "internal IP address of the Mailbox is missing"? Tell me if I misunderstood. (You said "internal IP of the InternalExchA.domain.loc server is not in the SPF record" at first but "internal IP address of the Mailbox is missing" later; which one is it actually?)

    If the first one, how did you set up your SPF record? Is the IP of InternalExchA.domain.loc included? If it fails with "internal IP of the InternalExchA.domain.loc server is not in the SPF record", the message should be Hard fail/Soft fail/Neutral rejected depending on your rule.

    If the second one, one thing I can think of is: did you ever modify the extended rights of the send connectors that route messages from the Edge server to your mailbox server, like this?
    Run the following command to check the rights:

    Get-SendConnector | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" | Format-List Identity,User,ExtendedRights
    

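The following Python example is added here and is not from either poster or from MXToolbox. It evaluates the question's policy (`v=spf1 mx -all`) against every hop of the described path and picks out the one hop an SPF check applies to, the connection from mail.unix.com into the Edge server; the IP addresses, the `INTERNAL` networks and the `MX_ADDRS` table are constructed assumptions standing in for real headers and DNS.

```python
import ipaddress
import re

# Constructed sample (not from the thread): Received headers, newest first,
# for the path in the question. Every IP address here is made up.
RECEIVED = [
    "from InternalExchA.domain.loc (10.0.0.11) by InternalExchB.domain.loc (10.0.0.12)",
    "from EDGE.domain.org (192.168.50.5) by InternalExchA.domain.loc (10.0.0.11)",
    "from mail.unix.com (203.0.113.25) by EDGE.domain.org (192.168.50.5)",
]
# Constructed stand-in for DNS: the address the MX of mail.unix.com resolves to.
MX_ADDRS = {"mail.unix.com": {"203.0.113.25"}}
# Assumption: the networks that hold the organisation's own relays.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
HOP = re.compile(r"from\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")


def hops(received):
    """Return (client_host, client_ip) for each hop, oldest hop first."""
    found = [HOP.search(line) for line in reversed(received)]
    return [(m.group(1), m.group(2)) for m in found if m]


def spf_mx_all(client_ip, domain):
    """Evaluate the policy 'v=spf1 mx -all' for one connecting IP."""
    return "pass" if client_ip in MX_ADDRS.get(domain, set()) else "fail"


def border_client(received):
    """Walk newest to oldest, skip internal relays, return the outside client."""
    for host, ip in reversed(hops(received)):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL):
            return host, ip
    return None


def report(received, domain):
    """SPF result for every hop, plus the result for the border hop only."""
    per_hop = {host: spf_mx_all(ip, domain) for host, ip in hops(received)}
    border = border_client(received)
    verdict = spf_mx_all(border[1], domain) if border else "none"
    return per_hop, border, verdict


if __name__ == "__main__":
    print(report(RECEIVED, "mail.unix.com"))
```

Checking the internal relay hops against the sender's record always yields `fail`, because the sender's SPF record cannot list the recipient's internal servers; only the border hop's result is meaningful.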

