SPF passes when sending email to external recipient, but fails when sending to internal recipient


I have set up an SPF DNS record for our domain. I've used our external IP address and that seems to be working fine; when I email external recipients from my Outlook, SPF passes, since the originating server IP matches.



Now, we also have 8 web servers that send email through the same Exchange 2016 server; however, SPF is failing because the originating sender's IP is coming up as the internal network IP of the web server (i.e., 192.168.1.14, etc.). I can't imagine having to put our internal subnet in the SPF record.



What am I missing?










asked May 13 at 20:37 by Blaine Sherman




















          1 Answer














          No, you should not add RFC1918 networks to your SPF record. Instead, you should configure your Exchange server to omit SPF checks and allow relay for your web servers. If you trust your web applications, you could simply allow anonymous relay from your web servers.




          Anonymous relay is a common requirement for many businesses that have
          internal web servers, database servers, monitoring applications, or
          other network devices that generate email messages, but are incapable
          of actually sending those messages.



          In Exchange Server, you can create a dedicated Receive connector in
          the Front End Transport service on a Mailbox server that allows
          anonymous relay from a specific list of internal network hosts.




          The article describes this in more detail, but here's a summary of the Exchange Management Shell commands used for allowing anonymous relay from two servers (192.168.1.14 and 192.168.1.15):



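          # Create a dedicated connector that only the listed web servers can reach
          New-ReceiveConnector -Name "Web Servers Relay" -TransportRole FrontendTransport `
              -Custom -Bindings 0.0.0.0:25 -RemoteIpRanges 192.168.1.14,192.168.1.15
          # Accept unauthenticated (anonymous) SMTP sessions on that connector
          Set-ReceiveConnector "Web Servers Relay" -PermissionGroups AnonymousUsers
          # Let anonymous sessions on this connector relay to any recipient
          Get-ReceiveConnector "Web Servers Relay" `
              | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
              -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"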


          If you don't want to allow anonymous relay, your web applications would need to use authenticated SMTP, but as your original proposition was to add these servers to your SPF record, using anonymous relay is probably fine for you.






          answered May 14 at 6:23 by Esa Jokinen
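An added example, not part of the original question or answer: a minimal SPF evaluator limited to `ip4`/`ip6`/`all` terms (no DNS lookups), showing why the web server's internal address fails against a record that lists only the public address, plus a check that flags RFC 1918 ranges in a record. The record and the address 203.0.113.10 are constructed placeholders for the domain's real SPF record and external IP.

```python
import ipaddress

# Constructed sample: 203.0.113.10 stands in for the Exchange server's public IP.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_ip(record, client_ip):
    """Evaluate ip4/ip6/all terms left to right for the connecting IP.

    Other mechanisms (include, a, mx, ...) are skipped in this sketch.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched


def rfc1918_terms(record):
    """Return ip4 terms that overlap private space.

    RFC 1918 addresses are not globally unique, so such a term tells an
    outside receiver nothing about which hosts are yours.
    """
    findings = []
    for _, name, value in parse_spf(record):
        if name == "ip4":
            net = ipaddress.ip_network(value, strict=False)
            if any(net.overlaps(private) for private in RFC1918):
                findings.append(f"ip4:{value}")
    return findings


if __name__ == "__main__":
    print(check_ip(SAMPLE_SPF, "203.0.113.10"))   # Outlook via Exchange's public IP
    print(check_ip(SAMPLE_SPF, "192.168.1.14"))   # web server's internal address
    print(rfc1918_terms("v=spf1 ip4:203.0.113.10 ip4:192.168.1.0/24 ~all"))
```
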


























