SPF SoftFail

rab ngl
Level 1

The ESA is configured with a content filter to quarantine incoming emails with SPF SoftFail.

Since last week, some emails sent by company.com were quarantined by the ESA due to this filter.

The company.com has 4 (four) mail gateways.

Emails sent from mail3.company.com were quarantined by ESA due to Soft Fail, whereas other emails sent from other gateways were passed.

I wonder why the emails from that particular gateway were getting quarantined.

Based on the nslookup output below, mail3.company.com exists in the SPF record.

Could somebody help me to find what could be the reason? Thanks.

> set q=mx
> company.com
Server: UnKnown
Address: 192.168.100.1

Non-authoritative answer:
company.com MX preference = 10, mail exchanger = mail1.company.com
company.com MX preference = 10, mail exchanger = mail2.company.com
company.com MX preference = 10, mail exchanger = mail3.company.com
company.com MX preference = 10, mail exchanger = mail4.company.com

mail1.company.com internet address = 1.2.3.4
mail2.company.com internet address = 1.2.3.5

> set q=txt
> company.com
Server: UnKnown
Address: 192.168.100.1

Non-authoritative answer:
company.com text =

"v=spf1 a mx ip4:1.2.3.4/32 ip4:1.2.3.5/32 ip4:1.2.3.6/32 ip4:1.2.3.7/32 a:mail1.company.com a:mail2.company.com a:mail3.company.com a:mail4.company.com ~all"

Libin Varghese
Cisco Employee

Hi,

SoftFail is an option in which the IP is not on the list of approved senders and the owner chooses not to commit to an absolute fail value.

These values are appended to the end of the DNS text record to give a determination if the sender does not match.

ALL of these are up to the discretion of the domain owner.

"+"  Pass
"-"  Fail
"~"  SoftFail
"?"  Neutral

You can test SPF records using third party tools available online such as

https://vamsoft.com/support/tools/spf-policy-tester

Thanks!
Libin Varghese

Hi,

Thanks for the detailed explanation.

I've attached the outputs below. Could you please advise why the email sent from mail3.company.com always SoftFails in the helo identity? Is it because there is no A record for mail3.company.com?

Output of https://vamsoft.com/support/tools/spf-policy-tester

DNS error resolving the DNS A record for "mail3.company.com" timeout, or RCODE other than "NoError" or "NXDomain").

There was an error during the policy evaluation.
Error message: "DNS error resolving the DNS A record for "mail3.company.com" timeout, or RCODE other than "NoError" or "NXDomain")."

TEST SUMMARY
The evaluation completed in 4523 ms, with 2 errors and 0 warning.
Result: SPF temperror
Temporary error (likely a temporary DNS issue). Try again.
Error message: "DNS error resolving the DNS A record for "mail3.company.com" timeout, or RCODE other than "NoError" or "NXDomain")."

Output of message logs of email which got quarantined due to SPF SoftFail

Message 2127306 SPF: helo identity postmaster@mail3.company.com SoftFail
Message 2127306 SPF: mailfrom identity prvs=192a00981=user@company.com Pass
Message 2127306 SPF: pra identity user@company.com None headers from

Output of message logs of the email which was delivered
Message 2120239 SPF: helo identity postmaster@mail2.company.com None
Message 2120239 SPF: mailfrom identity prvs=19137b26c=user@company.com Pass
Message 2120239 SPF: pra identity user@company.com None headers from
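To make the qualifier list in the reply above and the helo/mailfrom split in these log lines concrete, here is an added toy SPF evaluator (not from the thread, Cisco, or any SPF library) driven by a constructed DNS table. The company.com TXT record is the one quoted in the question; the A records, the sending IP 1.2.3.6, and a separate "v=spf1 a ~all" record on mail3.company.com are assumptions for the demo, and a real DNS timeout would give temperror rather than the "no match" this toy models.

```python
import ipaddress

# Qualifier prefixes from RFC 7208; a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data. Only the company.com TXT record is from the thread;
# the A records, the empty mail3 A record and mail3's own TXT record are assumed.
DNS = {
    ("company.com", "TXT"): ["v=spf1 a mx ip4:1.2.3.4/32 ip4:1.2.3.5/32 "
                             "ip4:1.2.3.6/32 ip4:1.2.3.7/32 a:mail1.company.com "
                             "a:mail2.company.com a:mail3.company.com "
                             "a:mail4.company.com ~all"],
    ("company.com", "MX"): ["mail1.company.com", "mail2.company.com",
                            "mail3.company.com", "mail4.company.com"],
    ("mail1.company.com", "A"): ["1.2.3.4"],
    ("mail2.company.com", "A"): ["1.2.3.5"],
    ("mail3.company.com", "A"): [],                   # assumed: no A record
    ("mail3.company.com", "TXT"): ["v=spf1 a ~all"],  # assumed HELO-domain record
}


def lookup(name, rtype):
    """Stand-in for a resolver: unknown names simply return no answers."""
    return DNS.get((name, rtype), [])


def mechanism_matches(mech, domain, ip):
    """Evaluate one mechanism (a, mx, ip4, all) against the sending IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":                      # empty A answer -> no match
        return str(ip) in lookup(arg or domain, "A")
    if name == "mx":
        return any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
    raise ValueError(f"unsupported mechanism {name}")


def check_spf(domain, ip):
    """Return pass/fail/softfail/neutral/none for ip sending as domain.

    The HELO identity is checked with domain = the HELO name, the MAIL FROM
    identity with domain = the envelope sender's domain, so the two can differ.
    """
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"                    # no SPF record at all
    ip = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if mechanism_matches(term.lstrip("+-~?"), domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"                     # no match and no "all" term
```

With these assumptions, check_spf("company.com", "1.2.3.6") passes via ip4:1.2.3.6/32 while check_spf("mail3.company.com", "1.2.3.6") falls through to ~all and softfails, and a HELO name with no TXT record at all yields none, the same pattern as the two message log excerpts.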

I don't know Vamsoft, but as soon as any lookup (particularly the DNS for my own ESAs!) starts to come up with TEMPERROR results, I get a second opinion from any lookup site capable of checking across a global set of resolvers.

I believe that http://www.whatsmydns.net is the one many use.

New or changing implementations can be wobbly, with the DNS results changing until all responding resolvers are in agreement. The book figure for complete DNS change propagation is 48 hours, but new domains can propagate in under an hour to the major networks.