IPV6 In relatedip, SPF check failed.
@RoHaS:
Hello RoHas,
Based on the description of the issue, the domain administrator of the sending domain forgot to add the "include:spf.protection.outlook.com" mechanism to their SPF record. See the SPF syntax here: http://www.open-spf.org/SPF_Record_Syntax/
In other words, the problem is on the sender side, so you should not disable the SPF Test - it is working properly. If you want, you can exclude the sender from SPF Testing by adding the sender's domain (as it appears in the ORF logs) to the SPF Sender Exceptions list (Blacklists > SPF Test > Settings > Exceptions tab).
The only thing that you need to make sure of is that you add the IP address of any non-transparent *external* front-end (or gateway, firewall, etc.) that forwards emails to ORF via public IP address, to the Intermediate Host List (Filtering > Intermediate Hosts), so that ORF can determine where your network ends and where the Internet begins when it determines the source IP of the email. More on this here: https://vamsoft.com/support/docs/orf-help/6.5/headeranalysis
I hope the above proves helpful to you, but let me know if you have further questions.
@Daniel Novak (Vamsoft):
Hello Daniel.
I added the external IP and the internal IP of our email gateway to Intermediate Hosts, but it doesn't work :(
Part of log from Exchange with SMTP session:
2021-11-15T11:23:44.209Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,0,10.3.1.207:25,10.3.1.200:63660,+,,
2021-11-15T11:23:44.209Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,1,10.3.1.207:25,10.3.1.200:63660,>,"220 EXCHSRV.domain.ru Microsoft ESMTP MAIL Service ready at Mon, 15 Nov 2021 14:23:43 +0300",
2021-11-15T11:23:44.210Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,2,10.3.1.207:25,10.3.1.200:63660,<,EHLO mx1.domain.ru,
2021-11-15T11:23:44.210Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,3,10.3.1.207:25,10.3.1.200:63660,>,250 EXCHSRV.domain.ru Hello [10.3.1.200] SIZE 104857600 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING XRDST,
2021-11-15T11:23:44.210Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,4,10.3.1.207:25,10.3.1.200:63660,<,MAIL FROM:<> SIZE=8003,
2021-11-15T11:23:44.211Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,5,10.3.1.207:25,10.3.1.200:63660,*,08D9A3E53E3C9EFC;2021-11-15T11:23:44.209Z;1,receiving message
2021-11-15T11:23:44.211Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,6,10.3.1.207:25,10.3.1.200:63660,>,250 2.1.0 Sender OK,
2021-11-15T11:23:44.211Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,7,10.3.1.207:25,10.3.1.200:63660,<,RCPT TO:<>,
2021-11-15T11:23:44.213Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,8,10.3.1.207:25,10.3.1.200:63660,>,250 2.1.5 Recipient OK,
2021-11-15T11:23:44.214Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,9,10.3.1.207:25,10.3.1.200:63660,<,DATA,
2021-11-15T11:23:44.214Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,10,10.3.1.207:25,10.3.1.200:63660,>,354 Start mail input; end with <CRLF>.<CRLF>,
2021-11-15T11:23:44.215Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,11,10.3.1.207:25,10.3.1.200:63660,*,,Ignored X-OriginatorOrg header value 'outlook.com' because session capabilities do not allow it
2021-11-15T11:23:44.220Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,12,10.3.1.207:25,10.3.1.200:63660,*,,Proxy destination(s) obtained from OnProxyInboundMessage event. Correlation Id:48c3c036-618a-4380-bca9-db126abfdb27
2021-11-15T11:23:44.398Z,EXCHSRV\Default Frontend EXCHSRV,08D9A3E53E3C9EFC,13,10.3.1.207:25,10.3.1.200:63660,*,"Tarpit for '0.00:00:05' due to '550 5.7.23 SPF check failed: This server requires 2603:10a6:208:124::12 to be explicitly authorized to send in the name of ""outlook.com"". Please contact the administrator of ""outlook.com"" if this was a legitimate email.'",
And it's not a problem with the SPF record on the sender side. I sent the email from a personal account on outlook.com.
On our email gateway I see the correct IP of the Outlook server for this email:
Message-ID:
<>
Accepted From:40.92.91.74 (Logical IP = 40.92.91.74 )
@RoHaS:
Could you send us the following for analysis, please (to )?
- The configuration file called orfent.ini, and the orfcs.ini* and orfcs.remote.ini* files - *if they exist. They can be found in the ORF program directory (default: C:\ProgramData\ORF Fusion).
- The ORF log file from the day of the incident. ORF logs have a .log extension (e.g. orfee-2021-11-15.log) and are stored on the configured logging path (ORF Administration Tool > System > Log > ORF Text Log – Configure > Settings tab).
- Information about the problematic email which can be used to identify the email in the logs (i.e. date and time of sending + sender email address + recipient email address, and the Message-ID if available).
Thank you.
Hello!
Our server is located behind a third-party mail gateway.
And if the sender's server is also behind another border server, then ORF, during the SPF check, digs down to the very first header, where the address is not at all the one that the sender's server uses externally when sending to the Internet.
An explicit example is sending from Office365 or Outlook.com:
Received: from AM0PR05MB6593.eurprd05.prod.outlook.com (2603:10a6:208:124::12)
by AM8PR05MB8212.eurprd05.prod.outlook.com (2603:10a6:20b:367::14) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4690.19; Mon, 15 Nov
2021 06:17:17 +0000
The real server that connects via SMTP to our servers:
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (40.92.73.91)
As a result:
"550 5.7.23 spf check failed: this server requires 2603:10a6:208:124::12 to be explicitly authorized to send in the name of"outlook.com". please contact the administrator of"outlook.com"if this was a legitimate email."
(Different IPv6 because it is a different email, but the same result )))
I've tried adding the gateway to Intermediate hosts or whitelist. Nothing helps.
Is it possible to somehow help or just turn off the SPF at ORF?
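The thread turns on which Received hop is taken as the sender's address for the SPF check. The Python sketch below is an added example, not part of the original posts and not ORF's code or algorithm: it assumes a simple newest-to-oldest walk that skips listed intermediate hosts, and the `by` parts of the first two sample headers and the 40.92.0.0/15 range are constructed.

```python
import ipaddress
import re

# Constructed sample, newest hop first. Host names and IPs come from the
# thread; the "by" parts of the first two headers are assumptions.
RECEIVED = [
    "from mx1.domain.ru (10.3.1.200) by EXCHSRV.domain.ru (10.3.1.207)",
    "from EUR04-HE1-obe.outbound.protection.outlook.com (40.92.73.91) by mx1.domain.ru",
    "from AM0PR05MB6593.eurprd05.prod.outlook.com (2603:10a6:208:124::12) "
    "by AM8PR05MB8212.eurprd05.prod.outlook.com (2603:10a6:20b:367::14)",
]

# Matches the "from host (ip)" shape used by the headers quoted in the thread.
FROM_IP = re.compile(r"^from\s+\S+\s+\(([0-9A-Fa-f:.]+)\)")


def hop_ip(received):
    """Return the sending IP recorded in one Received header, or None."""
    m = FROM_IP.match(received.strip())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def source_ip(headers, intermediate_hosts):
    """Walk hops newest to oldest, skip listed intermediates, and
    return the first address outside the list (the SPF client IP)."""
    trusted = [ipaddress.ip_network(h) for h in intermediate_hosts]
    for header in headers:
        ip = hop_ip(header)
        if ip is None:
            return None  # unparsable hop: do not trust anything older
        if any(ip in net for net in trusted):
            continue  # our own relay, keep looking further out
        return ip
    return None


if __name__ == "__main__":
    # Only the gateway listed: the boundary is the Outlook outbound host.
    print(source_ip(RECEIVED, ["10.3.1.200"]))
    # Nothing listed: the gateway itself is mistaken for the sender.
    print(source_ip(RECEIVED, []))
    # Over-broad list (constructed range): the walk continues into the
    # sender's internal IPv6 hop, the address shown in the 550 error.
    print(source_ip(RECEIVED, ["10.3.1.200", "40.92.0.0/15"]))
```

An SPF check run against the third result evaluates an internal hop that the sending domain has no reason to publish, which is the failure pattern reported in the logs above.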