SPF problems with Sales Force

[Dark-Sider]

Hey guys,

I recently upgraded our PMG to the latest version and also added some DNSBLs the product over all performs very well. However I recently discovered in the tracking center that some legitimate mails get rejected because of spf failures.

When I check the spf records manually they seem fine though. Usually mails from salesforce are affected:

reject: RCPT from smtp07-ia5-sp4.mta.salesforce.com[13.110.78.182]: 554 5.7.1 <xy@xy.com>: Recipient address rejected: Rejected by SPF: 13.110.78.182 is not a designated mailserver for support%40veeam.com

Several SPF check sites list this combination as valid. Sometimes mails from the same IP go through, sometimes they fail. As the fails happen frequently and affect different companies (all using salesforce apparently) I first thought that salesforce might have issues with their SPF-records. But everytime I check them they seem fine...

any ideas? are there more detailed logs why the spf check failed?

regards,
Dark-Sider

 

[Stoiko Ivanov]

any chance you're using a pfsense as your DNS-resolver?
(or actually unbound and have set private-addresses to include 127/8)

see https://forum.proxmox.com/threads/rejected-mail-but-spf-record-seems-to-be-ok.84888/#post-372884

I hope this helps!

 

[Dark-Sider]

Hi,

thanks, yes you are spot on - I'm using opnSense which is a pfSense fork. I just recently discovered that most of the DNSBLs were not working because of unbound DNS. I then whitelisted those DNSBLs to allow private IPs.

If SPF is also affected by this problem, this escalates to a different level though, as I don't know every possible SPF query in advance.

I looked at your link, and I'm a bit puzzled why the spf lookup returns as 127.0.0.9 - is this by design or did salesforce just choose to do so? Also it seems a bit strange that it sometimes works and sometimes doesn't although only unbound is configured within PMG

 

[Stoiko Ivanov]

I'd suggest to simply try temporarily disabling the 'rebinding protection' for the DNS-resolver.
Alternatively it might be a good idea in any case to setup a dedicated DNS-resolver for PMG - see:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway
and more generally:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

I hope this helps!

 

[Dark-Sider]

Yeah - I might just install a local unrestricted unbound on the pmg VM to circumvent any other issues.
thx.

 

[marksmith991]

Reliable email delivery requires addressing SPF concerns in Sales Force. Errors in setup may result in spam flags or bounces. Fast resolution requires close examination and frequent revisions to SPF records, which requires cooperation between IT and Sales Force managers.