SOLVED Incoming Emails bouncing (SPF) AND accepted

[inspyre]

An account on our server has had an issue over the last couple of days, where multiple incoming emails are both bouncing and being delivered. The problem isn't affecting all incoming emails, just a few each day, and I can't find any link between the senders. Different domains, different providers (some with Office 365, some with other providers).

Even though the emails are only being sent once, there are two entries in the 'Email Trace' log. Here are the delivery details for one of these emails:

Event:    failure
User:    xxx
Domain:    xxx.co.nz
Sender:    [email protected]
Sent Time:    Feb 9, 2017 9:33:09 AM
Sender Host:    mail-xxxx.outbound.protection.outlook.com
Sender IP:    xxx.xx.xxx.x
Authentication:    forwarder
Spam Score:    0
Recipient:    [email protected]
Delivery User:    xxx
Delivery Domain:    xxx.co.nz
Delivered To:  
Router:    lookuphost
Transport:    remote_smtp
Out Time:    Feb 9, 2017 9:37:09 AM
ID:    1xxxxx-000xxx-ON
Delivery Host:    mx.xtra.co.nz
Delivery IP:    xxx.xx.xx.x
Size:    577.23 KB
Result:    DHE-RSA-AES256-GCM-SHA384:256 CV=yes DN="/C=NZ/ST=Auckland/L=Auckland/O=Spark New Zealand Limited/OU=Spark Connect/CN=mx.xtra.co.nz": SMTP error from remote mail server after end of data: 550 5.7.1 Message rejected due to SPF policy


Event:    success
User:    xxx
Domain:    xxx.co.nz
Sender:    [email protected]
Sent Time:    Feb 9, 2017 9:33:09 AM
Sender Host:    mail-xxxx.outbound.protection.outlook.com
Sender IP:    xxx.xx.xxx.x
Authentication:    forwarder
Spam Score:    0
Recipient:    [email protected]
Delivery User:    xxx
Delivery Domain:    xxx.co.nz
Delivered To:    [email protected]
Router:    virtual_user
Transport:    dovecot_virtual_delivery
Out Time:    Feb 9, 2017 9:33:09 AM
ID:    1xxxxx-000xxx-ON
Delivery Host:    localhost
Delivery IP:    127.0.0.1
Size:    577.23 KB
Result:    Accepted

There's nothing wrong with the SPF records for any of the incoming emails' domains. Has anyone seen this problem before?

Thanks

 

[24x7server]

Hi,


Connect/CN=mx.xtra.co.nz": SMTP error from remote mail server after end of data: 550 5.7.1 Message rejected due to SPF policy
--> I am seeing the above line in the logs meaning they are rejected due to SPF policy..

You can test your mail score by testing it . Send in a mail to email ID mention and get the full report Newsletters spam test by mail-tester.com

 

[inspyre]

thanks for your response. as mentioned in my above message, the SPF records appear to be fine, and the issue is happening with multiple senders. also, mail is both being delivered and bounced, oddly

 

[cPanelMichael]

Hello,

Could you provide the output from /var/log/exim_mainlog for one of the affected messages? EX:

exigrep MSGID /var/log/exim_mainlog

Also, could you let us know of any custom Exim SmartHost configuration enabled on this system? You can review /etc/exim.conf.local to see what's enabled. EX:

cat /etc/exim.conf.local

Also, is the Enable Sender Rewriting Scheme (SRS) Support option enabled in WHM Home >> Service Configuration >> Exim Configuration Manager?

Thank you.

 

[inspyre]

Thanks Michael, sorry for the delay in responding.

Having looked through the exim main log myself now, I can see the issue.
The customer had set up a forwarder on their email account, and it was being delivered locally fine, but the forwards failed dependent on the SPF records of the original sender.

Thanks for your time and help!

 

[cPanelMichael]

Hello,

I'm happy to see you were able to determine the cause of the issue. Thank you for updating us with the outcome.