cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

SPF false negative (detected as softfail) - blocked, but header is SPF-Pass

Please see the header from an email that clearly states the SPF - PASS, however these emails are being flagged as SPF Soft Fail and blocked by MSME 8.6.171.1 - WHY?

Received: from server.domain.local (***.***.***.***) by server.domain.local
 (***.***.***.***) with Microsoft SMTP Server (TLS) id 15.1.225.42; Tue, 11 Dec
 2018 11:47:39 +0000
Received: from esa10.hc189626.iphmx.com (216.71.154.109) by
 server.domain.local (***.***.***.***) with Microsoft SMTP Server (TLS) id
 15.1.225.42 via Frontend Transport; Tue, 11 Dec 2018 11:47:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=someonesdomain.com; i=@someonesdomain.com; q=dns/txt;
  s=ces; t=1544528859; x=1576064859;
  h=from:to:cc:subject:date:message-id:mime-version;
  bh=Kuw7Tw+VIvozOD/bhNrQYxU86NP1U1KIBU43vd3T+ls=;
  b=FhUF0WaSoSZl6wcGY29f5EldmohuWBbTgz57/MSx314LT9ogdHBvmtPw
   t81MKe9xkZemCtfsnicKOjpO+X/P4MwYD8YpHDSqLuCjBB8xPPVwlXJrm
   fE/9vR+qDTe036YYHR50CylWcnfhmV0rR5deka1y+xFwWK+yO1OILVeqI
   I=;
X-IronPort-AV: E=Sophos;i="5.56,342,1539644400"; 
   d="jpg'145?scan'145,208,217,145";a="24201069"
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from unknown (HELO interceptor2.na.ngrid.net) ([129.33.202.197])
  by esa10.hc189626.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Dec 2018 11:47:35 +0000
Received: from outlook-int.someonesdomain.com ([10.234.240.81]) by interceptor2.na.ngrid.net (RSA Interceptor) for <R.Strode@ourdomain.co.uk>; Tue, 11 Dec 2018 06:47:47 -0500
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (10.234.240.176)
 by outlook-int.someonesdomain.com (10.234.240.81) with Microsoft SMTP Server
 (TLS) id 14.3.399.0; Tue, 11 Dec 2018 06:47:22 -0500
Received: from SN6PR01MB5134.prod.exchangelabs.com (52.135.109.83) by
 SN6PR01MB4734.prod.exchangelabs.com (52.135.124.225) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1404.17; Tue, 11 Dec 2018 11:47:20 +0000
Received: from SN6PR01MB5134.prod.exchangelabs.com
 ([fe80::44c4:314b:b2b4:dc08]) by SN6PR01MB5134.prod.exchangelabs.com
 ([fe80::44c4:314b:b2b4:dc08%4]) with mapi id 15.20.1404.026; Tue, 11 Dec 2018
 11:47:19 +0000
From: "Fox, Chris" <Chris.Fox@someonesdomain.com>
To: "R.Strode@ourdomain.co.uk" <R.Strode@ourdomain.co.uk>
CC: "Quigg, Darren" <Darren.Quigg@someonesdomain.com>
Subject: Test Send \ National Grid, Ambergate
Thread-Topic: Test Send \ National Grid, Ambergate
Thread-Index: AdSRR0NUwM4PRpC1S8ikC9/KZTE7bA==
Date: Tue, 11 Dec 2018 11:47:19 +0000
Message-ID: <SN6PR01MB51349E5EE04105C164C5F1A88FA60@SN6PR01MB5134.prod.exchangelabs.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [62.189.218.115]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;SN6PR01MB4734;6:lSYC84EZCrqAgx0+TR6XdhfOtvh0WwS9l1oaNfb2Hj32nzbmUORnAuM1lC2Cmob7dKHdnzOvv2TkDk8jEmEL02atUG9IfBlr2QgB8m6GBHb+fSOId3CV3fuI/Rm9efIuSUyK3L+wV5ERu3eMQipWUaZa3Ki6WJTqApiucvyBcGOu0fB51Amlg1MBxeZ1+f1BSn8p7aI5NFjpEvgJnP431hQmlJFdGWW3vMInoX6GThvVeEnjM0qEs3OxvvsP8fTqoFafH2ymfTBVk3526dmQFNyVlj0QIBavVQPXJRxGKKeLGlbxC2uR9zZg+6nTXmdQK2jOa74INilBCKLmF4UhR6BbO4Vda7hWhts228O3owO6ctJTY3Ui/02GRt5fIzZHuY06FFVhz0HakZ6tpy1DGpQRiZL0TbpUb+wg7cK4lD9/UgETzAce/3/062ZWG4L6sd5g8ROMM12dy4l1a/RaMw==;5:7g9BpDeSWHzhKceU255oaWAIf9UrpGgcKMGxewaE8WJ/UPXlR8NsUaS4Iii7RwgmZ4kMa+0+KezEvsK/nYIBmNghXsLfWK64CNyEqo/YfFV6O44e5pRcxIkcb0pdgQz4nPy6ZUHSypmid7rJDz6IXxGkR/yFWKskazaMqfAQ0TQ=;7:VgTOQv1xMUAKQuoG4T7z0fjv7FmgnPGNDJL3ESZ0VijOzh0juIKKByUqjwnua0wJwjY9EV6bH7Y7vCUAkYF6q61QKTJqlTG3wqs6VmlerMNrD0db9JsjWl5uPniIUOdljUvlFDtc95Fz0J03T+xgSw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-ms-office365-filtering-correlation-id: d00c1741-df71-4046-2a07-08d65f5e681b
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390098)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020);SRVR:SN6PR01MB4734;
x-ms-traffictypediagnostic: SN6PR01MB4734:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=Chris.Fox@someonesdomain.com; 
x-microsoft-antispam-prvs: <SN6PR01MB4734087354563EA8023C2B5A8FA60@SN6PR01MB4734.prod.exchangelabs.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(3230017)(999002)(102415395)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231472)(944501520)(4983020)(52105112)(148016)(149066)(150057)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(201708071742011)(7699051)(76991095);SRVR:SN6PR01MB4734;BCL:0;PCL:0;RULEID:;SRVR:SN6PR01MB4734;
x-forefront-prvs: 08831F51DC
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(346002)(376002)(396003)(39860400002)(366004)(136003)(189003)(199004)(97736004)(9686003)(53936002)(5640700003)(81156014)(81166006)(2906002)(2351001)(8936002)(7736002)(106356001)(606006)(74316002)(5660300001)(861006)(72206003)(6436002)(71190400001)(71200400001)(55016002)(86362001)(99936001)(8676002)(25786009)(966005)(478600001)(316002)(102836004)(68736007)(66066001)(2501003)(107886003)(486006)(5024004)(66574011)(6916009)(33656002)(6506007)(186003)(236005)(14444005)(4326008)(54896002)(3846002)(6116002)(10126004)(790700001)(256004)(14454004)(733005)(105586002)(6306002)(7696005)(99286004)(54556002)(26005)(476003);DIR:OUT;SFP:1101;SCL:1;SRVR:SN6PR01MB4734;H:SN6PR01MB5134.prod.exchangelabs.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
x-microsoft-antispam-message-info: ZY7kpxcU4RagG9RlOvuo2E4Gysc3CMLspNYW3xGHr8VUJrlLUxUsF/ScHKHY9HA8xtmJti9tYKhIgSwfESqhbIhFCE1q1JIiq5mWuoZMvaqV5fUCL729cZRSJPwqAL4sFF7QoMzuMcryqKqXnsDZPwRgeMGQynO5ntuPw1Sea+PNxnCI1Z4s2UHc8w6QM7CtK5pJL9fWmQvPx1utiBTe6NyJuuARdm8928tVieJnbHKHojZYiERjbYHA0itXRsJj5barjDGp8E0+YefhlKoQ5kvj/2s1r8eHQektpvtPfECKOeyuF7JOtQyd83YJl6oM
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/related;
	boundary="_004_SN6PR01MB51349E5EE04105C164C5F1A88FA60SN6PR01MB5134prod_";
	type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d00c1741-df71-4046-2a07-08d65f5e681b
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Dec 2018 11:47:19.6548
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f98a6a53-25f3-4212-901c-c7787fcd3495
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR01MB4734
Return-Path: Chris.Fox@someonesdomain.com
X-MS-Exchange-Organization-OriginalArrivalTime: 11 Dec 2018 11:47:38.6988
 (UTC)
X-MS-Exchange-Forest-ArrivalHubServer: server.domain.local
X-MS-Exchange-Organization-Network-Message-Id: 62df02c0-725d-44b5-02a2-08d65f5e73bc
X-MS-Exchange-Organization-OriginalClientIPAddress: 216.71.154.109
X-MS-Exchange-Organization-OriginalServerIPAddress: ***.***.***.***
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: server.domain.local
X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=server.domain.local:TOTAL-FE=0.593|SMR=0.599(SMRPI=0.008(SMRPI-FrontendProxyAgent=0.008));2018-12-11T11:47:39.292Z
X-MS-Exchange-Organization-AuthSource: server.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-FromEntityHeader: Internet
X-MS-Exchange-Organization-PRD: someonesdomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (server.domain.local: domain of
 Chris.Fox@someonesdomain.com designates 216.71.154.109 as permitted sender)
 receiver=server.domain.local; client-ip=216.71.154.109;
 helo=esa10.hc189626.iphmx.com;
Labels (3)
3 Replies
Highlighted

Re: SPF false negative (detected as softfail) - blocked, but header is SPF-Pass

possible addtional information that could be causeing the problem as Mcafee doesnt understand how to read and spf entry with code to construct and arbitrary hostname for a DNS query.


this is the mx record from the domain in question where we are receving the email but is being detected as spf:softfail incorrectly.

v=spf1 include:spf-c.usa.striata.com include:email.opower.com include:spf.protection.outlook.com include:servers.mcsv.net exists:%{i}.spf.hc189626.iphmx.com ~all

NOTE: last entry "exists:", its valid when checking on mxtoolbox, but im wondering if mcafee doesnt understand?

Highlighted

Re: SPF false negative (detected as softfail) - blocked, but header is SPF-Pass

Hi,

 

I have the same problem. 

Received-SPF: Pass (xxxxxxxxxxx: domain of noreply@salesforce.com
designates xxxxxxxxxxxx as permitted sender) receiver=xxxxxxxxxxxxxxxx;
client-ip=xxxxxxxxxxxx; helo=xxxxxxxxxxx;

Did you got the chance to sort it out?

 

Thanks

Highlighted

Re: SPF false negative (detected as softfail) - blocked, but header is SPF-Pass

sort of, I ended up managing to email meg_falsepositives@mcafeesubmissions.com I included one of the headers in full as well as a screenshot of the detected items showing this email as captured as SPF softfail.

They emailed me back within a few days and said it was resolved. but they didn't go into any details.

I replied requesting information of what if any things I need to do my end, like update or whitelist. but I'm yet to get a response from this email.

 

I have just downloaded the latest patch and hotfixes for MSME from Mcafee online product downloads using my grant number as login. so not sure if that will help as well, although I was already fairly up to date.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community