Why does this SPF issue happen?

ozgurerdogan

When externalsender.com sends an email to a user behind PMG, he gets the following SPF error.
And of course he is not allowed to send mail from PMG's IP. Why is this happening?

Code:
<user@domain-behind-pmg.com>: host domain-behind-pmg.com[1.2.3.4 > (User's server ip)]
said:
    550-SPF: 2.3.4.5> (PMG's ip) is not allowed to send mail from externalsender.com:
550
 
On a hunch - the message probably comes from the system where PMG sends the e-mail after processing it - and for that downstream system it looks as if the mail came from PMG and not the original sender.

You need to add your PMG as trusted relay to that downstream server.

If this is not the reason please provide more logs from PMG and the other systems then we can maybe see what is going on.
I hope this helps!
 
It is not an option to add PMG to that server. But I tried adding that domain to the whitelist at the top level, to bypass the SPF check. I hope it works.
You will run into issues with any domain that has an SPF record (with a deny policy), which sends through your PMG to that server - so I'm not sure that this is a good permanent solution
 
I noted that this is also happening on some other domains behind pmg. Should I completely remove spf for domains behind pmg? What is proper spf for incoming mails? I use:
v=spf1 a mx ip4:"PMG-IP" ip4:"MAIL-SERVER-IP" -all
 
I use it for incoming mails only but I am having this strange error:
Code:
<user@domain-behind-pmg.com>: host domain-behind-pmg.com[1.2.3.4 > (User's server ip)]
said: 550-SPF: 2.3.4.5> (PMG's ip) is not allowed to send mail from externalsender.com

So basically PMG is refusing mail from external sender. Because SPF of domain behind PMG does not allow this. And this is normal.
 
So basically PMG is refusing mail from external sender.
No it is not - the message says that the downstream server refuses the mail - not PMG

it refuses the mail, because it does an SPF check - and the external domain of course does not list your PMG as trusted sender

you have the following options (as already indicated in my first post):
* add PMG as trusted relay to this downstream server
* disable SPF checks on this downstream server (PMG can do SPF checking already)
* do not use PMG for this downstream server
 
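The check the downstream server performs, as an added example that is not part of the original thread: a minimal SPF evaluator that handles only the `ip4`, `ip6` and `all` mechanisms over constructed records and documentation addresses (`SPF_RECORDS`, `PMG_IP`, `spf_check` and `downstream_accepts` are hypothetical names). It shows that the record consulted belongs to the envelope sender's domain and is matched against the connecting IP, and how a trusted-relay exemption changes the outcome.

```python
import ipaddress

# Constructed SPF records with documentation addresses; a real server would
# fetch the TXT record of the envelope sender's domain from DNS.
SPF_RECORDS = {
    "externalsender.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "domain-behind-pmg.com": "v=spf1 ip4:192.0.2.25 ip4:192.0.2.10 -all",
}
PMG_IP = "192.0.2.25"  # assumed address of the gateway
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from):
    """Match client_ip against the ip4/ip6/all terms of the SENDER domain's record."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):  # a, mx, include etc. are not evaluated here
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


def downstream_accepts(client_ip, mail_from, trusted_relays=()):
    """Downstream decision: skip SPF for trusted relays, otherwise reject on fail."""
    if client_ip in trusted_relays:
        return True, "trusted relay, SPF check skipped"
    result = spf_check(client_ip, mail_from)
    return result != "fail", f"SPF {result}: {client_ip} for {mail_from}"


if __name__ == "__main__":
    sender = "alice@externalsender.com"  # constructed envelope sender
    print(downstream_accepts("198.51.100.7", sender))   # direct delivery
    print(downstream_accepts(PMG_IP, sender))           # relayed via the gateway
    print(downstream_accepts(PMG_IP, sender, {PMG_IP}))  # gateway listed as trusted
```

The record for `domain-behind-pmg.com` is never read when mail arrives from `externalsender.com`, so changing or removing it does not affect this rejection.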
Sorry, yes downstream server refuses. Btw, downstream server = my server behind pmg right?

I think easiest way is second one "disable SPF checks on this downstream server (PMG can do SPF checking already)"

Am I all right?
 
Btw, downstream server = my server behind pmg right?
yes

I think easiest way is second one
I usually would prefer to add PMG as trusted relay to that server - but I cannot tell you what is easier, better in your particular setup

Just try it and watch the logs!

I hope this helps!
 
Please check the documentation of your mail-server - I'm sure exim has docs how to configure an IP as trusted source of mail... or how to exclude mails from that IP from the SPF check.
 
I even deleted the SPF record yesterday. Still getting the same refusal. Isn't this weird? I have now tried adding PMG as a trusted host.
But why is it still checking SPF? Not sure. Maybe a DNS cache issue.
 
