SPF started blocking because of own IP - ORF Forums

@Winfried: Hello Winfried,

The SPF Test uses the "Sender IP" for its checks, which represents the IP address of the SMTP host responsible for delivering the email to your organization's (broader) network. The 'Remote Peer IP' refers to the IP address of the last connected host that submitted the email to the ORF server. These two addresses match only if no intermediaries were involved in the email delivery, meaning the server sending the email also connected to the ORF server for submission.

The "Sender IP" address is determined using two lists:

1) The Intermediate Host List (IHL): This list defines the boundary between your network and the broader Internet. When external SMTP hosts such as front-ends, security gateways, firewalls, and third-party filters owned by your organization but situated outside your network boundary send emails in a non-transparent fashion (they add their IP to the email's message header), from a public IP address, it is crucial to include their respective IP addresses or ranges in the IHL. Failing to do so could result in ORF being unable to determine the correct Sender IP address, potentially causing false positives in tests like SPF. (ORF Administration Tool: Filtering > Intermediate Hosts)

2) The Received Header List: This contains the IP addresses of the SMTP hosts that processed the email on its way to your mail server. Each delivery "hop" is logged in the email's message header, recorded sequentially under 'Received:' header fields.

By using the aforementioned lists, ORF can correctly identify the sender's IP address. False positives in the SPF Test may occur due to:

- Incomplete or incorrect IHL list: For instance, the external IP address of an email security service or proxy might be missing from the list.

- Compromised message header: A mail server, firewall, or email filter could have altered or removed all, or some of the "Received:" header fields in the message header.

- Incorrect SPF policy: The sending domain's SPF record is missing the IP address or range of the authorized sending server.

Related help pages:
https://vamsoft.com/support/docs/orf-help/6.8.3/adm-intermediatehostlist
https://vamsoft.com/support/docs/orf-help/6.8.3/headeranalysis
https://vamsoft.com/support/docs/orf-help/6.8.3/adm-spf

Please let me know if this has helped in resolving the reported issue.

@Winfried: Unfortunately, without knowing the actual content of the email headers, I won't be able to assist you. Could you please send the following information to for analysis?

- The copy of the email (please do not forward it, send the email as an attachment)
- The configuration file called orfent.xml. It can be found in the ORF program data directory (default: C:\ProgramData\ORF Fusion).
- The ORF text log files from the past two days (orfee-2023-08-07.log, orfee-2023-08-06.log). They can be found on the configured ORF logging path (ORF Administration Tool: System > Log > Text Log - Configure > Settings).