Email Security.cloud

  • 1.  SPF failures when host name starts mail2.*.messagelabs.com

    Posted Jun 19, 2018 04:54 AM

    Hi,

    I have implemented SPF as per the Symantec guidance but get failures when the host is mail2.bemta26.messagelabs.com or any others that start with mail2 (mail2.*.messagelabs.com). When the host starts with mail1 I have no issues.

    SPF record

    v=spf1 a:cluster1.uk.messagelabs.com include:spf.messagelabs.com a:cluster1a.uk.messagelabs.com  ~all



  • 2.  RE: SPF failures when host name starts mail2.*.messagelabs.com

    Broadcom Employee
    Posted Jun 19, 2018 05:12 PM

    Hi Robert,

     

    Can you please provide some sample logs of failed emails for further review? Also, please correct your SPF record to the following; the include statement has all the servers responsible for sending emails from our side.

    v=spf1 include:spf.messagelabs.com ~all

     

    Regards,

    Mohammad F



  • 3.  RE: SPF failures when host name starts mail2.*.messagelabs.com

    Broadcom Employee
    Posted Jun 21, 2018 05:15 AM

    Hi Robert

    Looking at the SPF record you've provided it only includes parts of the Symantec.Cloud infrastructure.

    To include all of our infrastructure you should include this: v=spf1 include:spf.messagelabs.com ~all

    You can see a full guide here:

    https://support.symantec.com/en_US/article.TECH226211.html

    Regards

    Ian Tiller

    Tier 2 Senior Technical Support Engineer



  • 4.  RE: SPF failures when host name starts mail2.*.messagelabs.com

    Posted Jun 25, 2018 12:44 PM

    Mohammad / Ian,

    My SPF record already contains include:spf.messagelabs.com, why are you suggesting this change?

    Where do I send the sample logs to as I would rather not upload them to a public site?

    Regards,

    Rob



  • 5.  RE: SPF failures when host name starts mail2.*.messagelabs.com

    Posted Jul 02, 2018 12:11 PM
     

    Mohammad / Ian / (Symantec),

    I sent the sample logs to you as a Private Message on 27th June as I would rather not upload them to a public site. You can see that Google, Btinternet, Yahoo and AOL are all showing SPF failures for hosts starting mail2. When can I have a response please?

    Regards,

    Rob



  • 6.  RE: SPF failures when host name starts mail2.*.messagelabs.com

    Posted Apr 20, 2022 11:14 AM
    Hi Rob. I have exactly the same issue. DMARC Pass, DKIM pass, SPF fail, DKIM Auth is correct. Only happens on  mail2 messagelabs. 

    v=spf1 include:amazonses.com include:spf.messagelabs.com -all


  • 7.  RE: SPF failures when host name starts mail2.*.messagelabs.com

    Broadcom Employee
    Posted Apr 22, 2022 07:55 AM

    Hi,

    That is odd. Sorry to hear it's happening. Could you by any chance provide privately information to locate some of these emails (sender, recipient, date), as well as full headers of some of these emails as received (from gmail, yahoo, etc). Sent within the past 7 days.
    thanks
    Roberto




  • 8.  RE: SPF failures when host name starts mail2.*.messagelabs.com

    Posted Apr 22, 2022 08:54 AM

    Hi Roberto
    How would I find out that information? I am using https://app.glockapps.com/dmarc-monitor to view my DMARC results. 
    It shows Sending IP, DMARC, DKIM, SPF, Header from, SPF Domain, SPF auth, DKIM Domain etc. You can't identify individual emails.

    The occasional SPF failure seems to be where some email services forward on to a different one so it changes the IP address of the sender. 

    However, most of the failures are mail2.bemta3*.messagelabs.com which should be covered by my SPF record as mail1.bemta..... pass fine.




  • 9.  RE: SPF failures when host name starts mail2.*.messagelabs.com

    Broadcom Employee
    Posted Apr 22, 2022 11:15 AM
    Emails can suffer quite a good deal of changes on their journey; we are aware of recipients that do 2nd-level checks of the records, that is, after the first receiving hop on their end, checks which will always result in failure.

    With the base information from DMARC reports, you'd need to reverse it and use it to find the actual email in your mailbox, or enough information to ask a known recipient for the email's details.

    Most of the failures could be for example NDRs or OoO replies, since they lack an env-sender there's SPF check to be executed, and due to the missing sender it wouldn't have a DKIM signature attached either, as such any DMARC checks against these emails would result in failure.
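
The last replies point to DMARC aggregate reports as the starting data. As an added example (not part of the thread), this Python script groups a report's SPF-failing rows by the domain SPF was actually evaluated against, which separates a gap in your own SPF record from bounces or forwarded mail checked under another domain. The sample report, its IPs and domains are constructed placeholders, and `related()` only approximates DMARC relaxed alignment.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout (no XML namespace);
# all IPs and domains are documentation placeholders.
REC = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
       "<policy_evaluated><dkim>{dk}</dkim><spf>{ps}</spf></policy_evaluated></row>"
       "<identifiers><header_from>example.com</header_from></identifiers>"
       "<auth_results><spf><domain>{dom}</domain><scope>{sc}</scope>"
       "<result>{res}</result></spf></auth_results></record>")
SAMPLE_REPORT = "<feedback>" + "".join(REC.format(**r) for r in [
    dict(ip="192.0.2.10", n=12, dk="pass", ps="pass", dom="example.com", sc="mfrom", res="pass"),
    dict(ip="192.0.2.20", n=5, dk="fail", ps="fail", dom="mail2.relay.example.net", sc="helo", res="pass"),
    dict(ip="192.0.2.30", n=3, dk="pass", ps="fail", dom="example.com", sc="mfrom", res="fail"),
]) + "</feedback>"

def related(a, b):
    """Rough stand-in for DMARC relaxed alignment (no public-suffix lookup)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def classify(header_from, spf_domain, spf_result):
    """Say why a row did or did not count as an SPF pass for DMARC."""
    aligned = related(header_from, spf_domain)
    if spf_result == "pass":
        # SPF itself passed; DMARC only credits it when the domain aligns.
        return "aligned-pass" if aligned else "spf-pass-unaligned"
    # SPF itself failed: either your own record misses the IP, or the check
    # ran against someone else's domain (forwarder, HELO host of a bounce).
    return "own-domain-spf-fail" if aligned else "other-domain-spf-fail"

def triage(xml_text):
    """Return Counter {(source_ip, spf_domain, scope, cause): message count}."""
    causes = Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        if rec.findtext("row/policy_evaluated/spf") == "pass":
            continue  # DMARC-level SPF pass: nothing to explain
        header_from = rec.findtext("identifiers/header_from", "").lower()
        domain = rec.findtext("auth_results/spf/domain", "").lower()
        scope = rec.findtext("auth_results/spf/scope", "unknown")
        result = rec.findtext("auth_results/spf/result", "none")
        key = (rec.findtext("row/source_ip"), domain, scope,
               classify(header_from, domain, result))
        causes[key] += int(rec.findtext("row/count", "0"))
    return causes

if __name__ == "__main__":
    for (ip, dom, scope, cause), n in triage(SAMPLE_REPORT).most_common():
        print(f"{n:>4}  {ip:<15} {scope:<6} {dom:<26} {cause}")
```

Only rows classified `own-domain-spf-fail` indicate a sending IP that your published SPF record does not cover; rows with scope `helo` were checked against the relay's HELO name because the message had no envelope sender.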