Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- McAfee Support Community
- :
- Enterprise Support
- :
- Email and Web Security
- :
- Email Security for Exchange/Domino
- :
- SPF false negative (detected as softfail) - blocke...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
12-11-2018
08:41 AM
SPF false negative (detected as softfail) - blocked, but header is SPF-Pass
Please see the header from an email that clearly states the SPF - PASS, however these emails are being flagged as SPF Soft Fail and blocked by MSME 8.6.171.1 - WHY?
Received: from server.domain.local (***.***.***.***) by server.domain.local (***.***.***.***) with Microsoft SMTP Server (TLS) id 15.1.225.42; Tue, 11 Dec 2018 11:47:39 +0000 Received: from esa10.hc189626.iphmx.com (216.71.154.109) by server.domain.local (***.***.***.***) with Microsoft SMTP Server (TLS) id 15.1.225.42 via Frontend Transport; Tue, 11 Dec 2018 11:47:38 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=someonesdomain.com; i=@someonesdomain.com; q=dns/txt; s=ces; t=1544528859; x=1576064859; h=from:to:cc:subject:date:message-id:mime-version; bh=Kuw7Tw+VIvozOD/bhNrQYxU86NP1U1KIBU43vd3T+ls=; b=FhUF0WaSoSZl6wcGY29f5EldmohuWBbTgz57/MSx314LT9ogdHBvmtPw t81MKe9xkZemCtfsnicKOjpO+X/P4MwYD8YpHDSqLuCjBB8xPPVwlXJrm fE/9vR+qDTe036YYHR50CylWcnfhmV0rR5deka1y+xFwWK+yO1OILVeqI I=; X-IronPort-AV: E=Sophos;i="5.56,342,1539644400"; d="jpg'145?scan'145,208,217,145";a="24201069" X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from unknown (HELO interceptor2.na.ngrid.net) ([129.33.202.197]) by esa10.hc189626.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Dec 2018 11:47:35 +0000 Received: from outlook-int.someonesdomain.com ([10.234.240.81]) by interceptor2.na.ngrid.net (RSA Interceptor) for <R.Strode@ourdomain.co.uk>; Tue, 11 Dec 2018 06:47:47 -0500 Received: from NAM05-CO1-obe.outbound.protection.outlook.com (10.234.240.176) by outlook-int.someonesdomain.com (10.234.240.81) with Microsoft SMTP Server (TLS) id 14.3.399.0; Tue, 11 Dec 2018 06:47:22 -0500 Received: from SN6PR01MB5134.prod.exchangelabs.com (52.135.109.83) by SN6PR01MB4734.prod.exchangelabs.com (52.135.124.225) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1404.17; Tue, 11 Dec 2018 11:47:20 +0000 Received: from SN6PR01MB5134.prod.exchangelabs.com ([fe80::44c4:314b:b2b4:dc08]) by SN6PR01MB5134.prod.exchangelabs.com ([fe80::44c4:314b:b2b4:dc08%4]) with mapi id 15.20.1404.026; Tue, 11 Dec 2018 11:47:19 +0000 From: "Fox, Chris" <Chris.Fox@someonesdomain.com> To: "R.Strode@ourdomain.co.uk" <R.Strode@ourdomain.co.uk> CC: "Quigg, Darren" <Darren.Quigg@someonesdomain.com> Subject: Test Send \ National Grid, Ambergate Thread-Topic: Test Send \ National Grid, Ambergate Thread-Index: AdSRR0NUwM4PRpC1S8ikC9/KZTE7bA== Date: Tue, 11 Dec 2018 11:47:19 +0000 Message-ID: <SN6PR01MB51349E5EE04105C164C5F1A88FA60@SN6PR01MB5134.prod.exchangelabs.com> Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-originating-ip: [62.189.218.115] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;SN6PR01MB4734;6:lSYC84EZCrqAgx0+TR6XdhfOtvh0WwS9l1oaNfb2Hj32nzbmUORnAuM1lC2Cmob7dKHdnzOvv2TkDk8jEmEL02atUG9IfBlr2QgB8m6GBHb+fSOId3CV3fuI/Rm9efIuSUyK3L+wV5ERu3eMQipWUaZa3Ki6WJTqApiucvyBcGOu0fB51Amlg1MBxeZ1+f1BSn8p7aI5NFjpEvgJnP431hQmlJFdGWW3vMInoX6GThvVeEnjM0qEs3OxvvsP8fTqoFafH2ymfTBVk3526dmQFNyVlj0QIBavVQPXJRxGKKeLGlbxC2uR9zZg+6nTXmdQK2jOa74INilBCKLmF4UhR6BbO4Vda7hWhts228O3owO6ctJTY3Ui/02GRt5fIzZHuY06FFVhz0HakZ6tpy1DGpQRiZL0TbpUb+wg7cK4lD9/UgETzAce/3/062ZWG4L6sd5g8ROMM12dy4l1a/RaMw==;5:7g9BpDeSWHzhKceU255oaWAIf9UrpGgcKMGxewaE8WJ/UPXlR8NsUaS4Iii7RwgmZ4kMa+0+KezEvsK/nYIBmNghXsLfWK64CNyEqo/YfFV6O44e5pRcxIkcb0pdgQz4nPy6ZUHSypmid7rJDz6IXxGkR/yFWKskazaMqfAQ0TQ=;7:VgTOQv1xMUAKQuoG4T7z0fjv7FmgnPGNDJL3ESZ0VijOzh0juIKKByUqjwnua0wJwjY9EV6bH7Y7vCUAkYF6q61QKTJqlTG3wqs6VmlerMNrD0db9JsjWl5uPniIUOdljUvlFDtc95Fz0J03T+xgSw== x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR; x-ms-office365-filtering-correlation-id: d00c1741-df71-4046-2a07-08d65f5e681b x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390098)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020);SRVR:SN6PR01MB4734; x-ms-traffictypediagnostic: SN6PR01MB4734: authentication-results: spf=none (sender IP is ) smtp.mailfrom=Chris.Fox@someonesdomain.com; x-microsoft-antispam-prvs: <SN6PR01MB4734087354563EA8023C2B5A8FA60@SN6PR01MB4734.prod.exchangelabs.com> x-ms-exchange-senderadcheck: 1 x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(3230017)(999002)(102415395)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231472)(944501520)(4983020)(52105112)(148016)(149066)(150057)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(201708071742011)(7699051)(76991095);SRVR:SN6PR01MB4734;BCL:0;PCL:0;RULEID:;SRVR:SN6PR01MB4734; x-forefront-prvs: 08831F51DC x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(346002)(376002)(396003)(39860400002)(366004)(136003)(189003)(199004)(97736004)(9686003)(53936002)(5640700003)(81156014)(81166006)(2906002)(2351001)(8936002)(7736002)(106356001)(606006)(74316002)(5660300001)(861006)(72206003)(6436002)(71190400001)(71200400001)(55016002)(86362001)(99936001)(8676002)(25786009)(966005)(478600001)(316002)(102836004)(68736007)(66066001)(2501003)(107886003)(486006)(5024004)(66574011)(6916009)(33656002)(6506007)(186003)(236005)(14444005)(4326008)(54896002)(3846002)(6116002)(10126004)(790700001)(256004)(14454004)(733005)(105586002)(6306002)(7696005)(99286004)(54556002)(26005)(476003);DIR:OUT;SFP:1101;SCL:1;SRVR:SN6PR01MB4734;H:SN6PR01MB5134.prod.exchangelabs.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1; x-microsoft-antispam-message-info: ZY7kpxcU4RagG9RlOvuo2E4Gysc3CMLspNYW3xGHr8VUJrlLUxUsF/ScHKHY9HA8xtmJti9tYKhIgSwfESqhbIhFCE1q1JIiq5mWuoZMvaqV5fUCL729cZRSJPwqAL4sFF7QoMzuMcryqKqXnsDZPwRgeMGQynO5ntuPw1Sea+PNxnCI1Z4s2UHc8w6QM7CtK5pJL9fWmQvPx1utiBTe6NyJuuARdm8928tVieJnbHKHojZYiERjbYHA0itXRsJj5barjDGp8E0+YefhlKoQ5kvj/2s1r8eHQektpvtPfECKOeyuF7JOtQyd83YJl6oM spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/related; boundary="_004_SN6PR01MB51349E5EE04105C164C5F1A88FA60SN6PR01MB5134prod_"; type="multipart/alternative" MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: d00c1741-df71-4046-2a07-08d65f5e681b X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Dec 2018 11:47:19.6548 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: f98a6a53-25f3-4212-901c-c7787fcd3495 X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR01MB4734 Return-Path: Chris.Fox@someonesdomain.com X-MS-Exchange-Organization-OriginalArrivalTime: 11 Dec 2018 11:47:38.6988 (UTC) X-MS-Exchange-Forest-ArrivalHubServer: server.domain.local X-MS-Exchange-Organization-Network-Message-Id: 62df02c0-725d-44b5-02a2-08d65f5e73bc X-MS-Exchange-Organization-OriginalClientIPAddress: 216.71.154.109 X-MS-Exchange-Organization-OriginalServerIPAddress: ***.***.***.*** X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: server.domain.local X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=server.domain.local:TOTAL-FE=0.593|SMR=0.599(SMRPI=0.008(SMRPI-FrontendProxyAgent=0.008));2018-12-11T11:47:39.292Z X-MS-Exchange-Organization-AuthSource: server.domain.local X-MS-Exchange-Organization-AuthAs: Anonymous X-MS-Exchange-Organization-FromEntityHeader: Internet X-MS-Exchange-Organization-PRD: someonesdomain.com X-MS-Exchange-Organization-SenderIdResult: Pass Received-SPF: Pass (server.domain.local: domain of Chris.Fox@someonesdomain.com designates 216.71.154.109 as permitted sender) receiver=server.domain.local; client-ip=216.71.154.109; helo=esa10.hc189626.iphmx.com;
1 Reply
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
01-17-2019
03:43 AM
Re: SPF false negative (detected as softfail) - blocked, but header is SPF-Pass
possible addtional information that could be causeing the problem as Mcafee doesnt understand how to read and spf entry with code to construct and arbitrary hostname for a DNS query.
this is the mx record from the domain in question where we are receving the email but is being detected as spf:softfail incorrectly.
v=spf1 include:spf-c.usa.striata.com include:email.opower.com include:spf.protection.outlook.com include:servers.mcsv.net exists:%{i}.spf.hc189626.iphmx.com ~all
NOTE: last entry "exists:", its valid when checking on mxtoolbox, but im wondering if mcafee doesnt understand?
More McAfee Tools to Help You
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center
