
SPF false negative (detected as softfail) - blocked, but header is SPF-Pass

Please see the header from an email that clearly states the SPF - PASS, however these emails are being flagged as SPF Soft Fail and blocked by MSME 8.6.171.1 - WHY?

Received: from server.domain.local (***.***.***.***) by server.domain.local
 (***.***.***.***) with Microsoft SMTP Server (TLS) id 15.1.225.42; Tue, 11 Dec
 2018 11:47:39 +0000
Received: from esa10.hc189626.iphmx.com (216.71.154.109) by
 server.domain.local (***.***.***.***) with Microsoft SMTP Server (TLS) id
 15.1.225.42 via Frontend Transport; Tue, 11 Dec 2018 11:47:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
  d=someonesdomain.com; i=@someonesdomain.com; q=dns/txt;
  s=ces; t=1544528859; x=1576064859;
  h=from:to:cc:subject:date:message-id:mime-version;
  bh=Kuw7Tw+VIvozOD/bhNrQYxU86NP1U1KIBU43vd3T+ls=;
  b=FhUF0WaSoSZl6wcGY29f5EldmohuWBbTgz57/MSx314LT9ogdHBvmtPw
   t81MKe9xkZemCtfsnicKOjpO+X/P4MwYD8YpHDSqLuCjBB8xPPVwlXJrm
   fE/9vR+qDTe036YYHR50CylWcnfhmV0rR5deka1y+xFwWK+yO1OILVeqI
   I=;
X-IronPort-AV: E=Sophos;i="5.56,342,1539644400"; 
   d="jpg'145?scan'145,208,217,145";a="24201069"
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from unknown (HELO interceptor2.na.ngrid.net) ([129.33.202.197])
  by esa10.hc189626.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Dec 2018 11:47:35 +0000
Received: from outlook-int.someonesdomain.com ([10.234.240.81]) by interceptor2.na.ngrid.net (RSA Interceptor) for <R.Strode@ourdomain.co.uk>; Tue, 11 Dec 2018 06:47:47 -0500
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (10.234.240.176)
 by outlook-int.someonesdomain.com (10.234.240.81) with Microsoft SMTP Server
 (TLS) id 14.3.399.0; Tue, 11 Dec 2018 06:47:22 -0500
Received: from SN6PR01MB5134.prod.exchangelabs.com (52.135.109.83) by
 SN6PR01MB4734.prod.exchangelabs.com (52.135.124.225) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1404.17; Tue, 11 Dec 2018 11:47:20 +0000
Received: from SN6PR01MB5134.prod.exchangelabs.com
 ([fe80::44c4:314b:b2b4:dc08]) by SN6PR01MB5134.prod.exchangelabs.com
 ([fe80::44c4:314b:b2b4:dc08%4]) with mapi id 15.20.1404.026; Tue, 11 Dec 2018
 11:47:19 +0000
From: "Fox, Chris" <Chris.Fox@someonesdomain.com>
To: "R.Strode@ourdomain.co.uk" <R.Strode@ourdomain.co.uk>
CC: "Quigg, Darren" <Darren.Quigg@someonesdomain.com>
Subject: Test Send \ National Grid, Ambergate
Thread-Topic: Test Send \ National Grid, Ambergate
Thread-Index: AdSRR0NUwM4PRpC1S8ikC9/KZTE7bA==
Date: Tue, 11 Dec 2018 11:47:19 +0000
Message-ID: <SN6PR01MB51349E5EE04105C164C5F1A88FA60@SN6PR01MB5134.prod.exchangelabs.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [62.189.218.115]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;SN6PR01MB4734;6:lSYC84EZCrqAgx0+TR6XdhfOtvh0WwS9l1oaNfb2Hj32nzbmUORnAuM1lC2Cmob7dKHdnzOvv2TkDk8jEmEL02atUG9IfBlr2QgB8m6GBHb+fSOId3CV3fuI/Rm9efIuSUyK3L+wV5ERu3eMQipWUaZa3Ki6WJTqApiucvyBcGOu0fB51Amlg1MBxeZ1+f1BSn8p7aI5NFjpEvgJnP431hQmlJFdGWW3vMInoX6GThvVeEnjM0qEs3OxvvsP8fTqoFafH2ymfTBVk3526dmQFNyVlj0QIBavVQPXJRxGKKeLGlbxC2uR9zZg+6nTXmdQK2jOa74INilBCKLmF4UhR6BbO4Vda7hWhts228O3owO6ctJTY3Ui/02GRt5fIzZHuY06FFVhz0HakZ6tpy1DGpQRiZL0TbpUb+wg7cK4lD9/UgETzAce/3/062ZWG4L6sd5g8ROMM12dy4l1a/RaMw==;5:7g9BpDeSWHzhKceU255oaWAIf9UrpGgcKMGxewaE8WJ/UPXlR8NsUaS4Iii7RwgmZ4kMa+0+KezEvsK/nYIBmNghXsLfWK64CNyEqo/YfFV6O44e5pRcxIkcb0pdgQz4nPy6ZUHSypmid7rJDz6IXxGkR/yFWKskazaMqfAQ0TQ=;7:VgTOQv1xMUAKQuoG4T7z0fjv7FmgnPGNDJL3ESZ0VijOzh0juIKKByUqjwnua0wJwjY9EV6bH7Y7vCUAkYF6q61QKTJqlTG3wqs6VmlerMNrD0db9JsjWl5uPniIUOdljUvlFDtc95Fz0J03T+xgSw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-ms-office365-filtering-correlation-id: d00c1741-df71-4046-2a07-08d65f5e681b
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390098)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020);SRVR:SN6PR01MB4734;
x-ms-traffictypediagnostic: SN6PR01MB4734:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=Chris.Fox@someonesdomain.com; 
x-microsoft-antispam-prvs: <SN6PR01MB4734087354563EA8023C2B5A8FA60@SN6PR01MB4734.prod.exchangelabs.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(3230017)(999002)(102415395)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3002001)(3231472)(944501520)(4983020)(52105112)(148016)(149066)(150057)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(201708071742011)(7699051)(76991095);SRVR:SN6PR01MB4734;BCL:0;PCL:0;RULEID:;SRVR:SN6PR01MB4734;
x-forefront-prvs: 08831F51DC
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(346002)(376002)(396003)(39860400002)(366004)(136003)(189003)(199004)(97736004)(9686003)(53936002)(5640700003)(81156014)(81166006)(2906002)(2351001)(8936002)(7736002)(106356001)(606006)(74316002)(5660300001)(861006)(72206003)(6436002)(71190400001)(71200400001)(55016002)(86362001)(99936001)(8676002)(25786009)(966005)(478600001)(316002)(102836004)(68736007)(66066001)(2501003)(107886003)(486006)(5024004)(66574011)(6916009)(33656002)(6506007)(186003)(236005)(14444005)(4326008)(54896002)(3846002)(6116002)(10126004)(790700001)(256004)(14454004)(733005)(105586002)(6306002)(7696005)(99286004)(54556002)(26005)(476003);DIR:OUT;SFP:1101;SCL:1;SRVR:SN6PR01MB4734;H:SN6PR01MB5134.prod.exchangelabs.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
x-microsoft-antispam-message-info: ZY7kpxcU4RagG9RlOvuo2E4Gysc3CMLspNYW3xGHr8VUJrlLUxUsF/ScHKHY9HA8xtmJti9tYKhIgSwfESqhbIhFCE1q1JIiq5mWuoZMvaqV5fUCL729cZRSJPwqAL4sFF7QoMzuMcryqKqXnsDZPwRgeMGQynO5ntuPw1Sea+PNxnCI1Z4s2UHc8w6QM7CtK5pJL9fWmQvPx1utiBTe6NyJuuARdm8928tVieJnbHKHojZYiERjbYHA0itXRsJj5barjDGp8E0+YefhlKoQ5kvj/2s1r8eHQektpvtPfECKOeyuF7JOtQyd83YJl6oM
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/related;
	boundary="_004_SN6PR01MB51349E5EE04105C164C5F1A88FA60SN6PR01MB5134prod_";
	type="multipart/alternative"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d00c1741-df71-4046-2a07-08d65f5e681b
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Dec 2018 11:47:19.6548
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f98a6a53-25f3-4212-901c-c7787fcd3495
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR01MB4734
Return-Path: Chris.Fox@someonesdomain.com
X-MS-Exchange-Organization-OriginalArrivalTime: 11 Dec 2018 11:47:38.6988
 (UTC)
X-MS-Exchange-Forest-ArrivalHubServer: server.domain.local
X-MS-Exchange-Organization-Network-Message-Id: 62df02c0-725d-44b5-02a2-08d65f5e73bc
X-MS-Exchange-Organization-OriginalClientIPAddress: 216.71.154.109
X-MS-Exchange-Organization-OriginalServerIPAddress: ***.***.***.***
X-MS-Exchange-Organization-Cross-Premises-Headers-Processed: server.domain.local
X-MS-Exchange-Organization-OrderedPrecisionLatencyInProgress: LSRV=server.domain.local:TOTAL-FE=0.593|SMR=0.599(SMRPI=0.008(SMRPI-FrontendProxyAgent=0.008));2018-12-11T11:47:39.292Z
X-MS-Exchange-Organization-AuthSource: server.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-FromEntityHeader: Internet
X-MS-Exchange-Organization-PRD: someonesdomain.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (server.domain.local: domain of
 Chris.Fox@someonesdomain.com designates 216.71.154.109 as permitted sender)
 receiver=server.domain.local; client-ip=216.71.154.109;
 helo=esa10.hc189626.iphmx.com;
1 Reply

Re: SPF false negative (detected as softfail) - blocked, but header is SPF-Pass

Possible additional information that could be causing the problem, as McAfee doesn't understand how to read an SPF entry with code to construct an arbitrary hostname for a DNS query.


This is the mx record from the domain in question, where we are receiving the email but it is being detected as spf:softfail incorrectly.

v=spf1 include:spf-c.usa.striata.com include:email.opower.com include:spf.protection.outlook.com include:servers.mcsv.net exists:%{i}.spf.hc189626.iphmx.com ~all

NOTE: last entry "exists:", it's valid when checking on mxtoolbox, but I'm wondering if McAfee doesn't understand?
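
What the `exists:%{i}.spf.hc189626.iphmx.com` term in the record above asks of a receiver, as an added example that is not part of either post: it expands a subset of the RFC 7208 macros (s, l, o, d, i, h, v) and returns the DNS name to look up. The function names are made up for this illustration, and `%{d}` is assumed to equal the sender's domain.

```python
import ipaddress
import re
from urllib.parse import quote

# Record and connection details copied from the posts above.
RECORD = ("v=spf1 include:spf-c.usa.striata.com include:email.opower.com "
          "include:spf.protection.outlook.com include:servers.mcsv.net "
          "exists:%{i}.spf.hc189626.iphmx.com ~all")
CLIENT_IP, HELO = "216.71.154.109", "esa10.hc189626.iphmx.com"
SENDER = "Chris.Fox@someonesdomain.com"

# %{letter digits r delimiters}  or the literals %%, %_ and %-
_MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)(r?)([-.+,/_=]*)\}|([%_-]))")

def expand_spf_macros(spec, client_ip, sender, helo):
    """Expand RFC 7208 section 7 macros (s, l, o, d, i, h, v) in a domain-spec."""
    ip = ipaddress.ip_address(client_ip)
    local, _, domain = sender.rpartition("@")
    values = {
        # Assumption of this example: %{d} is the sender's domain (no include: recursion).
        "s": sender, "l": local or "postmaster", "o": domain, "d": domain,
        "h": helo, "v": "in-addr" if ip.version == 4 else "ip6",
        # IPv4 stays dotted-quad; IPv6 becomes 32 dot-separated nibbles.
        "i": str(ip) if ip.version == 4 else ".".join(ip.exploded.replace(":", "")),
    }

    def repl(match):
        letter, digits, reverse, delims, literal = match.groups()
        if literal:
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        if letter.lower() not in values:
            raise ValueError(f"macro %{{{letter}}} not handled in this example")
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]  # keep the right-most N labels
        out = ".".join(parts)
        # An upper-case macro letter means the result is URL-escaped.
        return quote(out, safe="") if letter.isupper() else out

    return _MACRO.sub(repl, spec)

def exists_queries(record, client_ip, sender, helo):
    """Return the A-record names to look up, one per exists: term in the record."""
    names = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("exists:"):
            names.append(expand_spf_macros(mech[7:], client_ip, sender, helo))
    return names
```

With the values from the posted headers, `exists_queries(RECORD, CLIENT_IP, SENDER, HELO)` gives `216.71.154.109.spf.hc189626.iphmx.com`. If none of the `include:` terms match and this lookup is not performed, evaluation reaches `~all`, which yields softfail.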
