Please see the header from an email that clearly states the SPF - PASS, however these emails are being flagged as SPF Soft Fail and blocked by MSME 8.6.171.1 - WHY?
Received: from server.domain.local (***.***.***.***) by server.domain.local (***.***.***.***) with Microsoft SMTP Server (TLS) id 15.1.225.42; Tue, 11 Dec 2018 11:47:39 +0000
Received: from esa10.hc189626.iphmx.com (216.71.154.109) by server.domain.local (***.***.***.***) with Microsoft SMTP Server (TLS) id 15.1.225.42 via Frontend Transport; Tue, 11 Dec 2018 11:47:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=someonesdomain.com; i=@someonesdomain.com; q=dns/txt; s=ces; t=1544528859; x=1576064859; h=from:to:cc:subject:date:message-id:mime-version; bh=Kuw7Tw+VIvozOD/bhNrQYxU86NP1U1KIBU43vd3T+ls=; b=FhUF0WaSoSZl6wcGY29f5EldmohuWBbTgz57/MSx314LT9ogdHBvmtPw t81MKe9xkZemCtfsnicKOjpO+X/P4MwYD8YpHDSqLuCjBB8xPPVwlXJrm fE/9vR+qDTe036YYHR50CylWcnfhmV0rR5deka1y+xFwWK+yO1OILVeqI I=;
X-IronPort-AV: E=Sophos;i="5.56,342,1539644400"; d="jpg'145?scan'145,208,217,145";a="24201069"
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from unknown (HELO interceptor2.na.ngrid.net) ([129.33.202.197]) by esa10.hc189626.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Dec 2018 11:47:35 +0000
Received: from outlook-int.someonesdomain.com ([10.234.240.81]) by interceptor2.na.ngrid.net (RSA Interceptor) for <R.Strode@ourdomain.co.uk>; Tue, 11 Dec 2018 06:47:47 -0500
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (10.234.240.176) by outlook-int.someonesdomain.com (10.234.240.81) with Microsoft SMTP Server (TLS) id 14.3.399.0; Tue, 11 Dec 2018 06:47:22 -0500
Received: from SN6PR01MB5134.prod.exchangelabs.com (52.135.109.83) by SN6PR01MB4734.prod.exchangelabs.com (52.135.124.225) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1404.17; Tue, 11 Dec 2018 11:47:20 +0000
Received: from SN6PR01MB5134.prod.exchangelabs.com ([fe80::44c4:314b:b2b4:dc08]) by SN6PR01MB5134.prod.exchangelabs.com ([fe80::44c4:314b:b2b4:dc08%4]) with mapi id 15.20.1404.026; Tue, 11 Dec 2018 11:47:19 +0000
From: "Fox, Chris" <Chris.Fox@someonesdomain.com>
To: "R.Strode@ourdomain.co.uk" <R.Strode@ourdomain.co.uk>
CC: "Quigg, Darren" <Darren.Quigg@someonesdomain.com>
Subject: Test Send \ National Grid, Ambergate
Thread-Topic: Test Send \ National Grid, Ambergate
Thread-Index: AdSRR0NUwM4PRpC1S8ikC9/KZTE7bA==
Date: Tue, 11 Dec 2018 11:47:19 +0000
Message-ID: <SN6PR01MB51349E5EE04105C164C5F1A88FA60@SN6PR01MB5134.prod.exchangelabs.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [62.189.218.115]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;SN6PR01MB4734;6:lSYC84EZCrqAgx0+TR6XdhfOtvh0WwS9l1oaNfb2Hj32nzbmUORnAuM1lC2Cmob7dKHdnzOvv2TkDk8jEmEL02atUG9IfBlr2QgB8m6GBHb+fSOId3CV3fuI/Rm9efIuSUyK3L+wV5ERu3eMQipWUaZa3Ki6WJTqApiucvyBcGOu0fB51Amlg1MBxeZ1+f1BSn8p7aI5NFjpEvgJnP431hQmlJFdGWW3vMInoX6GThvVeEnjM0qEs3OxvvsP8fTqoFafH2ymfTBVk3526dmQFNyVlj0QIBavVQPXJRxGKKeLGlbxC2uR9zZg+6nTXmdQK2jOa74INilBCKLmF4UhR6BbO4Vda7hWhts228O3owO6ctJTY3Ui/02GRt5fIzZHuY06FFVhz0HakZ6tpy1DGpQRiZL0TbpUb+wg7cK4lD9/UgETzAce/3/062ZWG4L6sd5g8ROMM12dy4l1a/RaMw==;5:7g9BpDeSWHzhKceU255oaWAIf9UrpGgcKMGxewaE8WJ/UPXlR8NsUaS4Iii7RwgmZ4kMa+0+KezEvsK/nYIBmNghXsLfWK64CNyEqo/YfFV6O44e5pRcxIkcb0pdgQz4nPy6ZUHSypmid7rJDz6IXxGkR/yFWKskazaMqfAQ0TQ=;7:VgTOQv1xMUAKQuoG4T7z0fjv7FmgnPGNDJL3ESZ0VijOzh0juIKKByUqjwnua0wJwjY9EV6bH7Y7vCUAkYF6q61QKTJqlTG3wqs6VmlerMNrD0db9JsjWl5uPniIUOdljUvlFDtc95Fz0J03T+xgSw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-ms-office365-filtering-correlation-id: d00c1741-df71-4046-2a07-08d65f5e681b
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390098)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020);SRVR:SN6PR01MB4734;
x-ms-traffictypediagnostic: SN6PR01MB4734:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Chris.Fox@someonesdomain.com;
x-microsoft-antispam-prvs: <SN6PR01MB4734087354563EA8023C2B5A8FA60@SN6PR01MB4734.prod.exchangelabs.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(3230017)(999002)(102415395)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231472)(944501520)(4983020)(52105112)(148016)(149066)(150057)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(201708071742011)(7699051)(76991095);SRVR:SN6PR01MB4734;BCL:0;PCL:0;RULEID:;SRVR:SN6PR01MB4734;
x-forefront-prvs: 08831F51DC
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(346002)(376002)(396003)(39860400002)(366004)(136003)(189003)(199004)(97736004)(9686003)(53936002)(5640700003)(81156014)(81166006)(2906002)(2351001)(8936002)(7736002)(106356001)(606006)(74316002)(5660300001)(861006)(72206003)(6436002)(71190400001)(71200400001)(55016002)(86362001)(99936001)(8676002)(25786009)(966005)(478600001)(316002)(102836004)(68736007)(66066001)(2501003)(107886003)(486006)(5024004)(66574011)(6916009)(33656002)(6506007)(186003)(236005)(14444005)(4326008)(54896002)(3846002)(6116002)(10126004)(790700001)(256004)(14454004)(733005)(105586002)(6306002)(7696005)(99286004)(54556002)(26005)(476003);DIR:OUT;SFP:1101;SCL:1;SRVR:SN6PR01MB4734;H:SN6PR01MB5134.prod.exchangelabs.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
x-microsoft-antispam-message-info: ZY7kpxcU4RagG9RlOvuo2E4Gysc3CMLspNYW3xGHr8VUJrlLUxUsF/ScHKHY9HA8xtmJti9tYKhIgSwfESqhbIhFCE1q1JIiq5mWuoZMvaqV5fUCL729cZRSJPwqAL4sFF7QoMzuMcryqKqXnsDZPwRgeMGQynO5ntuPw1Sea+PNxnCI1Z4s2UHc8w6QM7CtK5pJL9fWmQvPx1utiBTe6NyJuuARdm8928tVieJnbHKHojZYiERjbYHA0itXRsJj5barjDGp8E0+YefhlKoQ5kvj/2s1r8eHQektpvtPfECKOeyuF7JOtQyd83YJl6oM
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/related; boundary="_004_SN6PR01MB51349E5EE04105C164C5F1A88FA60SN6PR01MB5134prod_"; type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d00c1741-df71-4046-2a07-08d65f5e681b
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Dec 2018 11:47:19.6548 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f98a6a53-25f3-4212-901c-c7787fcd3495
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR01MB4734
Return-Path: Chris.Fox@someonesdomain.com
X-MS-Exchange-Organization-OriginalArrivalTime: 11 Dec 2018 11:47:38.6988 (UTC)
X-MS-Exchange-Forest-ArrivalHubServer: server.domain.local
X-MS-Exchange-Organization-Network-Message-Id: 62df02c0-725d-44b5-02a2-08d65f5e73bc
X-MS-Exchange-Organization-OriginalClientIPAddress: 216.71.154.109
X-MS-Exchange-Organization-OriginalServerIPAddress: ***.***.***.***
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: server.domain.local
X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=server.domain.local:TOTAL-FE=0.593|SMR=0.599(SMRPI=0.008(SMRPI-FrontendProxyAgent=0.008));2018-12-11T11:47:39.292Z
X-MS-Exchange-Organization-AuthSource: server.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-FromEntityHeader: Internet
X-MS-Exchange-Organization-PRD: someonesdomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (server.domain.local: domain of Chris.Fox@someonesdomain.com designates 216.71.154.109 as permitted sender) receiver=server.domain.local; client-ip=216.71.154.109; helo=esa10.hc189626.iphmx.com;
Possible additional information that could be causing the problem, as McAfee doesn't understand how to read an SPF entry with code to construct an arbitrary hostname for a DNS query.
This is the mx record from the domain in question where we are receiving the email but is being detected as spf:softfail incorrectly.
v=spf1 include:spf-c.usa.striata.com include:email.opower.com include:spf.protection.outlook.com include:servers.mcsv.net exists:%{i}.spf.hc189626.iphmx.com ~all
NOTE: the last entry, "exists:", is valid when checking on MXToolbox, but I'm wondering if McAfee doesn't understand it?
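The `exists:%{i}.spf.hc189626.iphmx.com` term in the record above uses an SPF macro (RFC 7208, section 7): a verifier substitutes the connecting IP for `%{i}` and the mechanism matches if an A lookup on the resulting name returns any record. The following is an added example, not part of the original thread and not McAfee's or any vendor's code; the function names are hypothetical, only the macro letters s, l, o, d, i, v and h are handled, and `%{d}` is assumed to be the sender's domain.

```python
import ipaddress
import re
from urllib.parse import quote

# RFC 7208 section 7: %{letter digits r delimiters}, plus the literals %%, %_ and %-
MACRO = re.compile(r"%(?:\{([slodivh])(\d*)(r?)([.\-+,/_=]*)\}|([%_-]))", re.I)

def expand_spf_macros(spec, ip, sender, helo):
    """Expand SPF macros in a domain-spec (hypothetical helper, not any product's code)."""
    addr = ipaddress.ip_address(ip)
    local, _, domain = sender.rpartition("@")
    values = {
        "s": sender, "l": local or "postmaster", "h": helo,
        # Assumption: the record being evaluated belongs to the sender's domain.
        "o": domain, "d": domain,
        # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6
        "i": str(addr) if addr.version == 4
             else ".".join(addr.exploded.replace(":", "")),
        "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def repl(m):
        letter, digits, rev, delims, literal = m.groups()
        if literal:
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        # Split on the listed delimiters (default "."), then reverse and truncate.
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]  # keep the right-most N labels
        out = ".".join(parts)
        # An upper-case macro letter means the expansion is URL-escaped.
        return quote(out, safe="") if letter.isupper() else out

    return MACRO.sub(repl, spec)

def exists_query_name(mechanism, ip, sender, helo):
    """Name a verifier must resolve (A lookup) to evaluate an exists: mechanism."""
    name, _, target = mechanism.partition(":")
    if name.lower() != "exists" or not target:
        raise ValueError("not an exists: mechanism")
    return expand_spf_macros(target, ip, sender, helo)

# Values taken from the header and SPF record quoted in the post above.
QUERY = exists_query_name("exists:%{i}.spf.hc189626.iphmx.com", "216.71.154.109",
                          "Chris.Fox@someonesdomain.com", "esa10.hc189626.iphmx.com")
```

For the message in the post, `QUERY` is the name whose A record decides the `exists:` match; a filter that cannot perform this expansion has no way to evaluate that mechanism and will fall through to `~all`.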
Hi,
I have the same problem.
Received-SPF: Pass (xxxxxxxxxxx: domain of noreply@salesforce.com
designates xxxxxxxxxxxx as permitted sender) receiver=xxxxxxxxxxxxxxxx;
client-ip=xxxxxxxxxxxx; helo=xxxxxxxxxxx;
Did you get the chance to sort it out?
Thanks
Sort of. I ended up managing to email meg_falsepositives@mcafeesubmissions.com. I included one of the headers in full as well as a screenshot of the detected items showing this email as captured as SPF softfail.
They emailed me back within a few days and said it was resolved, but they didn't go into any details.
I replied requesting information on what, if anything, I need to do on my end, like update or whitelist, but I'm yet to get a response to this email.
I have just downloaded the latest patch and hotfixes for MSME from McAfee online product downloads using my grant number as login, so I'm not sure if that will help as well, although I was already fairly up to date.