Why is a message blocked because of SPF?
SPF (Sender Policy Framework) problems can lead to a message being blocked by the filtering server or by the destination mail server.
Incoming messages blocked by the filtering server
If the message was blocked by the filtering server, the message is shown as 'Rejected' in the Mail Assure Log Search. This occurs when the sender's SPF does not include the IP address from which the message originated.
To resolve this issue, the sender must add all the relevant IPs in the SPF record.
If this is not possible and you have confirmed the sender is a legitimate and trusted contact, you can add the sending domain to the list of domains and IP addresses with disabled SPF, DKIM and DMARC checks - see Manage Domains and IPs with Disabled SPF, DKIM and DMARC Checks.
Incoming messages blocked by the destination mail server
If the message was blocked by the destination mail server, it will appear as 'Accepted' in the Mail Assure Log Search. Normally this happens because the SPF check is enabled on the destination mail server. As the final hop in delivery is the filtering server, this means that the message will appear to be coming from an IP (the one of the filtering server) which is not included in the sender’s SPF - this is the correct behavior.
To resolve this, the SPF check should be disabled on the destination mail server, as this is already being performed during filtering.
Alternatively, you should ensure that nothing on the destination mail server is blocking the connection from the filtering server IPs listed below.
Webinterface telnet & LDAP sync IPs
130.117.251.9
2001:978:2:6::20:10
Mail Assure SMTP delivery IPs
IP range:
185.201.16.0/22
IP sub-ranges:
185.201.16.0/24
185.201.17.0/24
185.201.18.0/24
185.201.19.0/24
This applies automatically to all Mail Assure accounts. If you wish to use the telnet test from the webinterface or use the LDAP sync/authentication, you need to authorize the webinterface IP 130.117.251.9 / 2001:978:2:6::20:10. This is not required for deliveries.
Outgoing messages blocked by the destination mail server
When outgoing filtering is enabled and you see a bounce related to the SPF failing, this will always be rejected by the destination mail server and not by the outgoing filter. This is usually because the SPF of the sending domain does not include the IPs of the filtering server. For more details on how to adjust the SPF when the outgoing filter is used, see Set up SPF.