cancel
Showing results for 
Search instead for 
Did you mean: 
MartinStockwell
Not applicable
Report Inappropriate Content
Message 1 of 2

SPF false negative (detected as softfail) - blocked, but header is SPF-Pass

Please see the header from an email that clearly states the SPF - PASS, however these emails are being flagged as SPF Soft Fail and blocked by MSME 8.6.171.1 - WHY?

Received: from server.domain.local (***.***.***.***) by server.domain.local
 (***.***.***.***) with Microsoft SMTP Server (TLS) id 15.1.225.42; Tue, 11 Dec
 2018 11:47:39 +0000
Received: from esa10.hc189626.iphmx.com (216.71.154.109) by
 server.domain.local (***.***.***.***) with Microsoft SMTP Server (TLS) id
 15.1.225.42 via Frontend Transport; Tue, 11 Dec 2018 11:47:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=someonesdomain.com; i=@someonesdomain.com; q=dns/txt;
  s=ces; t=1544528859; x=1576064859;
  h=from:to:cc:subject:date:message-id:mime-version;
  bh=Kuw7Tw+VIvozOD/bhNrQYxU86NP1U1KIBU43vd3T+ls=;
  b=FhUF0WaSoSZl6wcGY29f5EldmohuWBbTgz57/MSx314LT9ogdHBvmtPw
   t81MKe9xkZemCtfsnicKOjpO+X/P4MwYD8YpHDSqLuCjBB8xPPVwlXJrm
   fE/9vR+qDTe036YYHR50CylWcnfhmV0rR5deka1y+xFwWK+yO1OILVeqI
   I=;
X-IronPort-AV: E=Sophos;i="5.56,342,1539644400"; 
   d="jpg'145?scan'145,208,217,145";a="24201069"
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from unknown (HELO interceptor2.na.ngrid.net) ([129.33.202.197])
  by esa10.hc189626.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Dec 2018 11:47:35 +0000
Received: from outlook-int.someonesdomain.com ([10.234.240.81]) by interceptor2.na.ngrid.net (RSA Interceptor) for <R.Strode@ourdomain.co.uk>; Tue, 11 Dec 2018 06:47:47 -0500
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (10.234.240.176)
 by outlook-int.someonesdomain.com (10.234.240.81) with Microsoft SMTP Server
 (TLS) id 14.3.399.0; Tue, 11 Dec 2018 06:47:22 -0500
Received: from SN6PR01MB5134.prod.exchangelabs.com (52.135.109.83) by
 SN6PR01MB4734.prod.exchangelabs.com (52.135.124.225) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1404.17; Tue, 11 Dec 2018 11:47:20 +0000
Received: from SN6PR01MB5134.prod.exchangelabs.com
 ([fe80::44c4:314b:b2b4:dc08]) by SN6PR01MB5134.prod.exchangelabs.com
 ([fe80::44c4:314b:b2b4:dc08%4]) with mapi id 15.20.1404.026; Tue, 11 Dec 2018
 11:47:19 +0000
From: "Fox, Chris" <Chris.Fox@someonesdomain.com>
To: "R.Strode@ourdomain.co.uk" <R.Strode@ourdomain.co.uk>
CC: "Quigg, Darren" <Darren.Quigg@someonesdomain.com>
Subject: Test Send \ National Grid, Ambergate
Thread-Topic: Test Send \ National Grid, Ambergate
Thread-Index: AdSRR0NUwM4PRpC1S8ikC9/KZTE7bA==
Date: Tue, 11 Dec 2018 11:47:19 +0000
Message-ID: <SN6PR01MB51349E5EE04105C164C5F1A88FA60@SN6PR01MB5134.prod.exchangelabs.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [62.189.218.115]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;SN6PR01MB4734;6:lSYC84EZCrqAgx0+TR6XdhfOtvh0WwS9l1oaNfb2Hj32nzbmUORnAuM1lC2Cmob7dKHdnzOvv2TkDk8jEmEL02atUG9IfBlr2QgB8m6GBHb+fSOId3CV3fuI/Rm9efIuSUyK3L+wV5ERu3eMQipWUaZa3Ki6WJTqApiucvyBcGOu0fB51Amlg1MBxeZ1+f1BSn8p7aI5NFjpEvgJnP431hQmlJFdGWW3vMInoX6GThvVeEnjM0qEs3OxvvsP8fTqoFafH2ymfTBVk3526dmQFNyVlj0QIBavVQPXJRxGKKeLGlbxC2uR9zZg+6nTXmdQK2jOa74INilBCKLmF4UhR6BbO4Vda7hWhts228O3owO6ctJTY3Ui/02GRt5fIzZHuY06FFVhz0HakZ6tpy1DGpQRiZL0TbpUb+wg7cK4lD9/UgETzAce/3/062ZWG4L6sd5g8ROMM12dy4l1a/RaMw==;5:7g9BpDeSWHzhKceU255oaWAIf9UrpGgcKMGxewaE8WJ/UPXlR8NsUaS4Iii7RwgmZ4kMa+0+KezEvsK/nYIBmNghXsLfWK64CNyEqo/YfFV6O44e5pRcxIkcb0pdgQz4nPy6ZUHSypmid7rJDz6IXxGkR/yFWKskazaMqfAQ0TQ=;7:VgTOQv1xMUAKQuoG4T7z0fjv7FmgnPGNDJL3ESZ0VijOzh0juIKKByUqjwnua0wJwjY9EV6bH7Y7vCUAkYF6q61QKTJqlTG3wqs6VmlerMNrD0db9JsjWl5uPniIUOdljUvlFDtc95Fz0J03T+xgSw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-ms-office365-filtering-correlation-id: d00c1741-df71-4046-2a07-08d65f5e681b
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390098)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020);SRVR:SN6PR01MB4734;
x-ms-traffictypediagnostic: SN6PR01MB4734:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=Chris.Fox@someonesdomain.com; 
x-microsoft-antispam-prvs: <SN6PR01MB4734087354563EA8023C2B5A8FA60@SN6PR01MB4734.prod.exchangelabs.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(3230017)(999002)(102415395)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231472)(944501520)(4983020)(52105112)(148016)(149066)(150057)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(201708071742011)(7699051)(76991095);SRVR:SN6PR01MB4734;BCL:0;PCL:0;RULEID:;SRVR:SN6PR01MB4734;
x-forefront-prvs: 08831F51DC
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(346002)(376002)(396003)(39860400002)(366004)(136003)(189003)(199004)(97736004)(9686003)(53936002)(5640700003)(81156014)(81166006)(2906002)(2351001)(8936002)(7736002)(106356001)(606006)(74316002)(5660300001)(861006)(72206003)(6436002)(71190400001)(71200400001)(55016002)(86362001)(99936001)(8676002)(25786009)(966005)(478600001)(316002)(102836004)(68736007)(66066001)(2501003)(107886003)(486006)(5024004)(66574011)(6916009)(33656002)(6506007)(186003)(236005)(14444005)(4326008)(54896002)(3846002)(6116002)(10126004)(790700001)(256004)(14454004)(733005)(105586002)(6306002)(7696005)(99286004)(54556002)(26005)(476003);DIR:OUT;SFP:1101;SCL:1;SRVR:SN6PR01MB4734;H:SN6PR01MB5134.prod.exchangelabs.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
x-microsoft-antispam-message-info: ZY7kpxcU4RagG9RlOvuo2E4Gysc3CMLspNYW3xGHr8VUJrlLUxUsF/ScHKHY9HA8xtmJti9tYKhIgSwfESqhbIhFCE1q1JIiq5mWuoZMvaqV5fUCL729cZRSJPwqAL4sFF7QoMzuMcryqKqXnsDZPwRgeMGQynO5ntuPw1Sea+PNxnCI1Z4s2UHc8w6QM7CtK5pJL9fWmQvPx1utiBTe6NyJuuARdm8928tVieJnbHKHojZYiERjbYHA0itXRsJj5barjDGp8E0+YefhlKoQ5kvj/2s1r8eHQektpvtPfECKOeyuF7JOtQyd83YJl6oM
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/related;
	boundary="_004_SN6PR01MB51349E5EE04105C164C5F1A88FA60SN6PR01MB5134prod_";
	type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d00c1741-df71-4046-2a07-08d65f5e681b
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Dec 2018 11:47:19.6548
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f98a6a53-25f3-4212-901c-c7787fcd3495
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR01MB4734
Return-Path: Chris.Fox@someonesdomain.com
X-MS-Exchange-Organization-OriginalArrivalTime: 11 Dec 2018 11:47:38.6988
 (UTC)
X-MS-Exchange-Forest-ArrivalHubServer: server.domain.local
X-MS-Exchange-Organization-Network-Message-Id: 62df02c0-725d-44b5-02a2-08d65f5e73bc
X-MS-Exchange-Organization-OriginalClientIPAddress: 216.71.154.109
X-MS-Exchange-Organization-OriginalServerIPAddress: ***.***.***.***
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: server.domain.local
X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=server.domain.local:TOTAL-FE=0.593|SMR=0.599(SMRPI=0.008(SMRPI-FrontendProxyAgent=0.008));2018-12-11T11:47:39.292Z
X-MS-Exchange-Organization-AuthSource: server.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-FromEntityHeader: Internet
X-MS-Exchange-Organization-PRD: someonesdomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (server.domain.local: domain of
 Chris.Fox@someonesdomain.com designates 216.71.154.109 as permitted sender)
 receiver=server.domain.local; client-ip=216.71.154.109;
 helo=esa10.hc189626.iphmx.com;
Labels (3)
1 Reply
MartinStockwell
Not applicable
Report Inappropriate Content
Message 2 of 2

Re: SPF false negative (detected as softfail) - blocked, but header is SPF-Pass

possible addtional information that could be causeing the problem as Mcafee doesnt understand how to read and spf entry with code to construct and arbitrary hostname for a DNS query.


this is the mx record from the domain in question where we are receving the email but is being detected as spf:softfail incorrectly.

v=spf1 include:spf-c.usa.striata.com include:email.opower.com include:spf.protection.outlook.com include:servers.mcsv.net exists:%{i}.spf.hc189626.iphmx.com ~all

NOTE: last entry "exists:", its valid when checking on mxtoolbox, but im wondering if mcafee doesnt understand?

McAfee ePO Support Center Plug-in
Check out the new McAfee ePO Support Center. Simply access the ePO Software Manager and follow the instructions in the Product Guide for the most commonly used utilities, top known issues announcements, search the knowledgebase for product documentation, and server status and statistics – all from within ePO.