SPF test not detecting one of our domains RSS

1

Hello,
We have multiple domains in our organization and SPF works fine for all of them except one.

So when I send a fake email from that domain, it arrives to my Outlook.

ORF Log Viewer shows that the email Passed (not whitelisted), however when I check the email logs in Outlook I see this:

Received-SPF: None (edge01: does not designate
permitted sender hosts)

This domain is not whitelisted, there is nothing in Exceptions, SPF record is valid.

Any thoughts on this?
Thank you

by fgasimzade 3 weeks ago
2

@fgasimzade: Hello fgasimzade,

Could you provide some additional details about this issue, please?

- The name of the domain you are spoofing/testing
- The public IP address of the server sending the test emails to the ORF server
- The IP address that was recorded in the 'Related IP' column for the test email in the ORF logs (use the ORF Log Viewer to find this information)
- The email address that was recorded in the 'Sender' column for the test email in the ORF logs (use the ORF Log Viewer to find this information)

by Daniel Novak (Vamsoft) 3 weeks ago
(in reply to this post)

3

@Daniel Novak (Vamsoft): Hello Daniel,

Thank you for your prompt reply

Here is the information:

1.Actually, I noticed now 2 domains not detected - @swgh.az and @silkwaywest.com. For instance, swh.az and silkwaygroup.com are being detected and rejected
2. I am using this website to spoof emails - https://emkei.cz/, public IP in ORF Log is 46.167.245.206
3. Related IP is the same - 46.167.245.206
4. and

by fgasimzade 3 weeks ago
(in reply to this post)

4

@Daniel Novak (Vamsoft): Hello Daniel,

Looks like I found the issue. We did not have SPF record for these domains in our local DNS, which ORF uses

Issue is now fixed

by fgasimzade 3 weeks ago
(in reply to this post)

5

46.167.245.206 is not authorized to send emails on behalf of swgh.az or silkwaywest.com, according to the SPF policies of those domains. Can you send me (to ) the ORF log file that shows the SPF Test letting the spoofed emails from 46.167.245.206 pass (e.g. orfee-2018-11-18.log), along with your current ORF configuration file (orfent.ini)? You may find the requested files in the ORF program directory (default: \Program Files (x86)\ORF Fusion).

Thank you!

by Daniel Novak (Vamsoft) 3 weeks ago
6

@fgasimzade: Oh, nevermind then :) You must have published the SPF policies for the domains by the time I queried the DNS TXT records.

I am glad to hear you found the source of the issue.

by Daniel Novak (Vamsoft) 3 weeks ago
(in reply to this post)

7

@Daniel Novak (Vamsoft): The thing is that we have external DNS servers which have a correct SPF record and internal DNS servers which are used in our Active Directory. SPF records were configured on external DNS, but we forgot to add SPF records for these domains on the internal DNS.

This is what confused me - I could see a valid SPF record on external DNS published on the internet, but forgot to check it internally

by fgasimzade 3 weeks ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed