SPF fail, but SPF is legit?

[Nhoague]

Hello all! I'm using PMG for a few domains and testing it but coming across a weird issue.

Email comes in, PMG rejects it due to SPF failure, but when I check mxtoolbox against the domain, the SPF does exist. Granted, it is an A record with about 10 IP address. The actual culprit is ppe-hosted (proofpoint).

Any idea why PMG isn't seeing all the IPs allowed in the A record for an SPF? Anything I can do?

Thanks forum!

 

[SteveITS]

There's a record tester at https://www.kitterman.com/spf/validate.html. There are rules, notably the 10-DNS-lookup limit, that catch people over time especially if using includes.

 

[Nhoague]

Oh yea, I'm fully aware of those SPF rules! But here's what I mean, check this out.

Go to MXTOOLBOX.COM, and use "spf:allamerican-bcs.com"

You'll see this response:

v=spf1 a:dispatch-us.ppe-hosted.com include:secureserver.net -all

Ok, thats good. Now, check the A records for "dispatch-us.ppe-hosted.com" and you'll return 16 IP addresses.

PMG rejected:

Recipient address rejected: Rejected by SPF: 148.163.129.49 is not a designated mailserver for xxxxxx@allamerican-bcs.com

BUT, that IP is in the A records for dispatch-us.ppe-hosted.com (which is proof point.)

See what I mean? Isn't that weird?

Will whitelisting a domain bypass the SPF checker in PMG?

Thanks!

 

[SteveITS]

Any chance the DNS lookup could be failing at that point?

I would agree that it seems like it should pass.

 

[Nhoague]

Very possible, I'm reading about others with issues with pfsense not binding the DNS, but I dont use pfsense. I'm in the CLI doing some testing! Ill share results when I find something! haha

 

[Nhoague]

Well when I use the spfquery via cli, it passes each time. When I go by IP address or URL, it passes. nslookup on PMG shows all the IP addresses. It can't be uncommon for SPF to have a URL? I have turned off SPF for now, but would be curious others experiences!

Thanks!

And thank you @SteveITS for your replies!