On Thu, Aug 12, 2010 at 4:04 PM, John Hornbuckle <john.hornbuc...@taylor.k12.fl.us> wrote:
> Yeah, I've talked to their admin. He's sort of like me--Jack of all trades,
> master of none. Doesn't seem to know much more about SPF than I do, so he's
> not able to determine specifically why they're blocking us.

Eh, what? He doesn't know why his own systems are blocking you?

>facepalm<

>

By your description, the "none" may not be a problem. Hard to say.

Some systems do check where mail is coming from, to see if the sending MX can also accept mail. While that seems like a reasonable thing to do, in practice large operators often have separate inbound vs outbound MXes, and there's nothing in the RFCs (that I'm aware of) which prohibits that. So if the magical gremlin which lives in the other admin's system (the one responsible for rejecting your mail) is doing such a check, it could be the source of trouble.

Your SPF record certainly allows mail from the 74.125.149.209 IP address. That said, in a large system like Postini, there's no guarantee that outbound mail will consistently originate from the same IP address.

I do note one irregularity in your SPF record. Your SPF record says, in part:

    mx mx:exchange-edge.taylor.k12.fl.us

The "mx" directive means "All the IP addresses associated with all the MX records associated with the given domain. If no domain is given, use the domain of the sender."

So the first "mx" directive, with no domain given, looks at <taylor.k12.fl.us.>, which is fine. There are MX records there.

The second "mx" directive says to do an MX lookup on <mx:exchange-edge.taylor.k12.fl.us.>. There are no MX records associated with that domain. The only record appears to be an A record. SPF explicitly prohibits "implicit MX", so that directive will never match. The SPF evaluation *should* move on to the next directive, but maybe someone's SPF implementation is stopping there.

I presume what you meant by <mx:exchange-edge.taylor.k12.fl.us> is that your Exchange edge server is permitted to send mail. If so, the syntax should be <a:exchange-edge.taylor.k12.fl.us> (without the chevrons). The "a" directive means "All the IP addresses associated with the given domain."

You should probably fix that, even if it's not the cause of the current problem.

-- Ben
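
Added example, not part of the message above: a small Python sketch of left-to-right SPF evaluation for the "mx", "a" and "all" mechanisms only, showing why mx:exchange-edge.taylor.k12.fl.us never matches while a:exchange-edge.taylor.k12.fl.us does. The DNS data, the addresses, the mx1.example.net host, and the "v=spf1" and "-all" placed around the quoted fragment are constructed assumptions, not the real records.

```python
import ipaddress

# Constructed DNS data (documentation-range addresses, not the real zone).
ZONE = {
    ("taylor.k12.fl.us", "MX"): ["mx1.example.net"],
    ("mx1.example.net", "A"): ["192.0.2.10"],
    # The edge server has an A record only, and no MX record.
    ("exchange-edge.taylor.k12.fl.us", "A"): ["192.0.2.25"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Answer from the constructed zone; an empty list means no such records."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def mech_matches(mech, domain, ip):
    """True if a single 'a' or 'mx' mechanism matches the connecting IP."""
    name, _, target = mech.partition(":")
    target = target or domain        # no domain given: use the sender's domain
    if name == "a":
        hosts = [target]
    elif name == "mx":
        # No implicit MX: with no MX records the host list stays empty,
        # and the target's own A record is not used as a fallback.
        hosts = lookup(target, "MX")
    else:
        raise ValueError(f"mechanism not handled in this sketch: {mech}")
    return any(ipaddress.ip_address(a) == ip
               for h in hosts for a in lookup(h, "A"))

def check(record, domain, ip_text):
    """Evaluate terms left to right; return (result, term that decided it)."""
    ip = ipaddress.ip_address(ip_text)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech == "all" or mech_matches(mech, domain, ip):
            return RESULTS[qual], term
    return "neutral", None           # no term matched

# "v=spf1" and "-all" are assumed; the page quotes only the middle part.
BROKEN = "v=spf1 mx mx:exchange-edge.taylor.k12.fl.us -all"
FIXED = "v=spf1 mx a:exchange-edge.taylor.k12.fl.us -all"

if __name__ == "__main__":
    for label, rec in (("broken", BROKEN), ("fixed", FIXED)):
        for ip in ("192.0.2.10", "192.0.2.25"):
            print(label, ip, check(rec, "taylor.k12.fl.us", ip))
```

With the broken record, mail from the edge server's address falls through both "mx" terms and is decided by the final "all" term; with the fixed record it matches the "a" term.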