Re: How I do to reach iphmx.com admins? (about DNS misconfiguration)

Sebastian Nielsen · ‎06-17-2025

I have a problem with a sender that are using a iphmx.com server adress - namely a problem with their DNS/SPF configuration.

When I asked, apparently its a cloud variant of Ironport, and I should "contact Cisco about it".

However, im not the customer who has the IronPort. Im on the receiving end.

Here is the deal:

Ironport customers are apparently advised to set a SPF record of like:

exists:%{i}.spf.hc2347-75.eu.iphmx.com

Now to the problem.

The server trying to send email to me, is 23.90.102.86 - which then, inserted into this record:

23.90.102.86.spf.hc2347-75.eu.iphmx.com --> resolves to --> 127.0.0.2

Now to the problem. This trips "DNS Rebinding protection" in the firewall and the response DNS packet is dropped. Of course, private IP adresses should not be present in such a record. This of course causes a SPF fail with corresponding reject.

What the admins of iphmx.com needs to do, is to instead set the A record to point to itself:

23.90.102.86.spf.hc2347-75.eu.iphmx.com IN A 23.90.102.86

In this way, you don't "pollute" innocent IP-adresses, it doesn't trip rebinding protection, and it wont cause any concern as only the existence of the A record is important in this case.
Any ideas on how to get in touch with the iphmx.com admins?

Udupi Krishna. · ‎06-23-2025

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/213938-understanding-the-ces-spf-record.html explains why its set to 127.0.0.2

Having sai, the sender in your case has the choice to setup a different set of SPF records for their domain and not use the macro, rather rely on hostname or IP address of the sending host.

But if there is a need to drive this conversation, you will need to request your sender to with Cisco TAC who can help initiate a discussion internally to understand more on available options apart from modifying the SPF record.