Multiple SPF records for one domain can cause problems in e-mail delivery

I have found that one of my customer domains had a problem sending messages outside their environment. Some messages got stuck in the queue for several hours or days without any obvious reason. SMTP traffic was OK to most other domains, but some had problems. I suspected that the reason was multiple SPF TXT records for a single domain. Example: TXT="v=SPF1 mx ~all" TXT="v=SPF1 mx ~all" TXT="v=SPF1 mx ~all"

RFC 4408 states that a domain must not publish multiple SPF records:

   3.1.2.  Multiple DNS Records

   A domain name MUST NOT have multiple records that would cause an
   authorization check to select more than one record.  See Section 4.5
   for the selection rules.

The explanation is quite logical: if more than one SPF record survives the selection below, the check returns a permanent error (PermError). What the receiving MTA does with a PermError (reject, defer or ignore it) is local policy, which is consistent with only some destinations being affected.

   4.5.  Selecting Records

   Records begin with a version section:

   record           = version terms *SP
   version          = "v=spf1"

   Starting with the set of records that were returned by the lookup,
   record selection proceeds in two steps:

   1. Records that do not begin with a version section of exactly
      "v=spf1" are discarded.  Note that the version section is
      terminated either by an SP character or the end of the record.  A
      record with a version section of "v=spf10" does not match and must
      be discarded.

   2. If any records of type SPF are in the set, then all records of
      type TXT are discarded.

   After the above steps, there should be exactly one record remaining
   and evaluation can proceed.  If there are two or more records
   remaining, then check_host() exits immediately with the result of
   "PermError".

   If no matching records are returned, an SPF client MUST assume that
   the domain makes no SPF declarations.  SPF processing MUST stop and
   return "None".

Well, the effect of this is that some messages from a domain with a wrong SPF record to a domain that checks SPF might be lost (-all) or delayed. I am going to investigate this further. If you have experience with a similar problem, please let me know.
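The selection rules quoted above, as an added example (mine, not part of the original post): a function that applies the two RFC 4408 section 4.5 steps to a list of records, plus a live lookup with Resolve-DnsName so the check can be run against a real zone. The function names are mine, and the sample records are constructed to mirror the customer zone described above.

```powershell
# Added example, not from the original post: RFC 4408 section 4.5 record
# selection applied to a list of records, plus a live check with Resolve-DnsName.
# Function names and sample records are mine; the records are constructed.

function Select-SpfRecord {
    param(
        [string[]]$TxtRecords,        # strings returned by the TXT lookup
        [string[]]$SpfRecords = @()   # strings returned by the SPF (type 99) lookup, if any
    )
    function Test-Spf1Version([string]$Record) {
        # The version section ends at the first SP or at the end of the record,
        # so "v=spf10 ..." is not a match. ABNF quoted strings are case-insensitive,
        # so the "v=SPF1" spelling used in the post does match.
        (($Record -split ' ', 2)[0]) -ieq 'v=spf1'
    }
    # Step 1: discard records that do not begin with the SPF version section.
    $spf = @($SpfRecords | Where-Object { Test-Spf1Version $_ })
    $txt = @($TxtRecords | Where-Object { Test-Spf1Version $_ })
    # Step 2: if any type-SPF records remain, every TXT record is discarded.
    $candidates = if ($spf.Count -gt 0) { $spf } else { $txt }

    switch ($candidates.Count) {
        0       { [pscustomobject]@{ Result = 'None';      Record = $null } }         # no SPF declaration
        1       { [pscustomobject]@{ Result = 'OK';        Record = $candidates[0] } }
        default { [pscustomobject]@{ Result = 'PermError'; Record = $null } }         # check_host() exits immediately
    }
}

function Test-SpfRecordCount {
    param([Parameter(Mandatory)][string]$Domain)
    # Resolve-DnsName exists on Windows 8 / Server 2012 and later. A TXT record split
    # into several <character-string>s is concatenated without spaces (RFC 4408 3.1.3).
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
           Where-Object { $_.Type -eq 'TXT' } |
           ForEach-Object { -join $_.Strings }
    Select-SpfRecord -TxtRecords @($txt)
}

# Constructed records mirroring the post: the same record published three times.
$customerZone = 'v=SPF1 mx ~all', 'v=SPF1 mx ~all', 'v=SPF1 mx ~all'
Select-SpfRecord -TxtRecords $customerZone

# A "v=spf10" record is not an SPF record and is ignored in step 1.
Select-SpfRecord -TxtRecords 'v=spf1 mx ~all', 'v=spf10 mx ~all'

# When a type-SPF record exists, the TXT copy is discarded in step 2.
Select-SpfRecord -TxtRecords 'v=spf1 mx ~all' -SpfRecords 'v=spf1 -all'

# Live check against a zone you control (network access required):
# Test-SpfRecordCount -Domain 'example.com'
```

The first call reports PermError for the three identical records, which is exactly the state the customer zone was in; the second and third calls each select a single record. Run Test-SpfRecordCount against your own domains after any DNS change, since a second TXT record added by a SaaS onboarding guide is the usual way this happens.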

Exchange 2010/2013 noreply e-mail solution

I recently came across a problem. One of my customers had a wrong setting of the no-reply e-mail address, and messages got lost between the on-premise Hub Transport servers and the Symantec cloud: it appeared the message had been sent successfully, but it was dropped on the Symantec side without notification.

Wrong settings:

All no-reply e-mail addresses were set on a MailContact object as follows: …, with ExternalEmailAddress:

This means that all messages sent outside the company from the no-reply aliases went out with a Return-Path in the contact's external domain; because that domain and recipient did not exist, the messages were dropped.

Solution 1:

  • Change the external e-mail address of the MailContact object to a recipient in an existing domain
  • Create a transport rule to drop messages to this recipient

Solution 2:

From my point of view very elegant and easy.

  • Remove the MailContact object
  • Create a DL and allow unauthenticated senders to send messages to it
  • Assign the no-reply addresses to this DL
  • Use the external e-mail address as the primary SMTP address
  • Do not add any members to this DL. This causes all incoming no-reply messages to be dropped without notifying anyone.
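Solution 2 as Exchange Management Shell commands, as an added example (mine, not the author's script). The group name, the accepted domain contoso.com, the contact identity and the no-reply aliases are assumed placeholders; replace them with your own.

```powershell
# Added example, not the author's own script: Solution 2 as Exchange Management
# Shell commands. Group name, contoso.com, the contact identity and the aliases
# are assumed placeholders.
$group   = 'NoReply Sink'
$primary = 'noreply@contoso.com'                           # the address the outside world sees
$aliases = 'no-reply@contoso.com', 'donotreply@contoso.com'

# 1. Remove the MailContact whose ExternalEmailAddress pointed at a non-existent
#    domain; its proxy addresses must be freed before the DL can take them over.
Remove-MailContact -Identity 'noreply' -Confirm:$false

# 2. Create the DL with the public no-reply address as its primary SMTP address.
New-DistributionGroup -Name $group -Alias 'noreply-sink' -Type Distribution `
    -PrimarySmtpAddress $primary

# 3. Accept mail from unauthenticated (Internet) senders, otherwise replies to the
#    no-reply address bounce with 5.7.1; add the other aliases, stop the address
#    policy from rewriting them, and keep the object out of the address lists.
Set-DistributionGroup -Identity $group `
    -RequireSenderAuthenticationEnabled $false `
    -EmailAddressPolicyEnabled $false `
    -EmailAddresses @{Add = $aliases} `
    -HiddenFromAddressListsEnabled $true

# 4. Verify. The silent-drop behaviour relies on the group having no members:
#    a DL with zero members expands to nothing and no NDR is generated.
$members = @(Get-DistributionGroupMember -Identity $group)
if ($members.Count -ne 0) {
    Write-Warning "$group has $($members.Count) member(s); no-reply mail would be delivered to them."
}
Get-DistributionGroup -Identity $group |
    Format-List PrimarySmtpAddress, EmailAddresses, RequireSenderAuthenticationEnabled, EmailAddressPolicyEnabled
```

Keep in mind what step 3 does: the group now accepts anything the Internet sends to those addresses and discards it, which is the intended behaviour for a no-reply sink but means nobody will ever see a misdirected reply. The member check in step 4 is worth repeating periodically, since a single added member silently turns the sink back into a delivery path.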


Comodo Antispam Gateway

I was looking for a free antispam gateway for my lab and came across Comodo Antispam Gateway. It is free for 1 domain and 10 users.

You can sign up for the free license here:

Why use this gateway?

  • Easy configuration
  • Access via an admin interface
  • Quarantine, blocklist and whitelist, all accessible with the free license
  • AD synchronization, newly added, also available with the free license!

Screenshots: admin interface; quarantine settings; incoming spam detection settings.


SMTP certificate renewal and EDGE subscription

I have had to renew the SMTP certificate on Edge servers. Here is the procedure for renewing the certificate and re-creating the Edge Subscription. The procedure starts after the CSR has been created and the certificate has been received from a trusted CA.

1. Import the new certificate
To import the certificate into the local certificate store, run:

import-exchangecertificate -FileData ([byte[]]$(Get-Content -Path "D:\tempo\certificate_mx1_2013.cer" -Encoding Byte -ReadCount 0))

2. Connect the pending request to the certificate
If step 1 did not pair the certificate with its pending request in the certificate store, run (with the certificate's serial number):

certutil -repairstore my "1268f7300044bc90ff426d5f515d3729"

Explanation can be found in my previous article:

3. Enable the new Exchange certificate for the SMTP service
Before the certificate can be used, it must be enabled for the relevant services.

Enable-ExchangeCertificate -Thumbprint <NEW_THUMBPRINT> -Services SMTP


[PS] C:\Windows\system32>Enable-ExchangeCertificate 81315B240A62B5B5AD5570AA58A06D90B4B90B7E -Services SMTP

Overwrite the existing default SMTP certificate?

Current certificate: 'C661DC9E16FB391EDA2A852C3514AD035D710F68' (expires 4/27/2013 2:59:59 AM)
Replace it with certificate: '81315B240A62B5B5AD5570AA58A06D90B4B90B7E' (expires 4/28/2014 2:59:59 AM)
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y
WARNING: The internal transport certificate attribute for the local Edge Transport server has been updated. If this
Edge Transport server is subscribed to an Active Directory site, you must  subscribe it again by using the
New-EdgeSubscription cmdlet in the Shell, and then restart AD LDS.
[PS] C:\Windows\system32> 

4. Restart the transport service and the AD LDS service
From this moment no mail flows through this Edge server, because AD LDS now presents the new certificate while the existing subscription was established with the old one.

5. Create the subscription file (XML) on the Edge server and copy it to the Hub server
We don't need to create connectors for the Edge Subscription, since they already exist. The Edge server must be subscribed to the AD site within 24 hours (1440 minutes) of creating the subscription file; after that the bootstrap account expires.

New-EdgeSubscription -FileName d:\subscription_2013.xml -Site <SITE_NAME> -CreateInternetSendConnector $false -CreateInboundSendConnector $false


[PS] C:\Windows\system32>New-EdgeSubscription -FileName d:\subscription_2013.xml -Site Default-First-Site-Name -CreateInternetSendConnector $false -CreateInboundSendConnector $false

The Edge Subscription should be completed inside your organization within the next "1440" minutes before the bootstrap
account expires.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

6. Subscribe the Edge server on the Hub using the subscription file (XML)
We need to re-create the trusted connection between the Edge server and the Hub servers. The subscription must be re-created because AD LDS now uses the new certificate instead of the old one. Each Edge server needs to be subscribed once per subscription. The existing Send connectors are kept by passing $false to both connector-creation parameters.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "D:\subscription_2013.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name" -CreateInternetSendConnector $false -CreateInboundSendConnector $false

7. Restart the Edge server
Just to be sure all settings are applied before testing.

8. Test the Edge Subscription
If the test is not successful, you receive an error.

Test-EdgeSynchronization -FullCompareMode

Successful result:

[PS] C:\Windows\system32>Test-EdgeSynchronization -FullCompareMode

RunspaceId                  : 4f4c61e7-1059-43fc-963b-877641087e2a
SyncStatus                  : Normal
UtcNow                      : 4/26/2013 6:43:50 AM
Name                        : EDGE
LeaseHolder                 : CN=HUB2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=OR,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=SALONOVI,DC=cz
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 4/26/2013 7:12:12 AM
LastSynchronizedUtc         : 4/26/2013 6:42:12 AM
TransportServerStatus       : Synchronized
TransportConfigStatus       : Synchronized
AcceptedDomainStatus        : Synchronized
RemoteDomainStatus          : NotSynchronized
SendConnectorStatus         : Synchronized
MessageClassificationStatus : Synchronized
RecipientStatus             : Synchronized
CredentialRecords           : Number of credentials 6
CookieRecords               : Number of cookies 2

9. Test mailflow

10. Start Edge synchronization manually

[PS] C:\Windows\system32>Start-EdgeSynchronization

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Configuration
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0

RunspaceId     : 4f4c61e7-1059-43fc-963b-877641087e2a
Result         : Success
Type           : Recipients
Name           : EDGE
FailureDetails :
StartUTC       : 4/26/2013 6:46:45 AM
EndUTC         : 4/26/2013 6:46:45 AM
Added          : 0
Deleted        : 0
Updated        : 0
Scanned        : 0
TargetScanned  : 0
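An added set of post-renewal checks (mine, not part of the original procedure) covering steps 3 to 8: on the Edge side, that the new certificate is valid, enabled for SMTP and is the internal transport certificate EdgeSync now uses; on the Hub side, that the subscription exists and is healthy. The thumbprint and server name are taken from the output above; Get-TransportServer is assumed to be available (Exchange 2010/2013).

```powershell
# Added example, not the author's own: checks to run after step 8. Thumbprint and
# server name come from the transcript above; adjust them for your servers.
$newThumbprint = '81315B240A62B5B5AD5570AA58A06D90B4B90B7E'
$edgeName      = 'EDGE'

# --- On the Edge server ---
# The new certificate must be valid, enabled for SMTP, and be the internal transport
# certificate (the one AD LDS / EdgeSync presents). If the last check is $false the
# Enable-ExchangeCertificate step did not take and the re-subscription will bind to
# the old certificate again.
$cert = Get-ExchangeCertificate -Thumbprint $newThumbprint
$edge = Get-TransportServer -Identity $edgeName
[pscustomobject]@{
    Status                 = $cert.Status
    Services               = $cert.Services
    NotAfter               = $cert.NotAfter
    InternalTransportMatch = ($edge.InternalTransportCertificateThumbprint -eq $newThumbprint)
}
if ($cert.Services -notmatch 'SMTP') { Write-Warning 'Certificate is not enabled for SMTP.' }

# --- On a Hub Transport / Mailbox server ---
# One subscription per Edge server, and every sync category reporting Normal.
Get-EdgeSubscription | Format-Table Name, Site
$sync = Test-EdgeSynchronization -FullCompareMode
$sync | Where-Object { $_.SyncStatus -ne 'Normal' } |
    ForEach-Object { Write-Warning "$($_.Name): $($_.SyncStatus) $($_.FailureDetail)" }
# Individual *Status properties that stay NotSynchronized after a manual
# Start-EdgeSynchronization run (RemoteDomainStatus in the output above, for
# example) deserve a second look before the old certificate is removed.
```

Only after all of this is green should the expired certificate be removed with Remove-ExchangeCertificate; until then it is the fallback if the subscription has to be rolled back.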


How to send a test spam message?

I know, it is common stuff but for someone it could be helpful.

We can use the Generic Test for Unsolicited Bulk Email (GTUBE) and send a message whose body contains the GTUBE test string.

The GTUBE is supported by many anti-spam solutions (though not WatchGuard), for example:

  • Symantec Brightmail
  • Cisco IronPort
  • Microsoft Forefront Protection for Exchange, which rejects it with:
    The error that the other server returned was:
    550 5.7.1 Message rejected due to content restrictions
  • Comodo Antispam Gateway, which rejects it with:
    Action: failed
    Status: 5.5.0
    Diagnostic-Code: smtp;550 GTUBE found in message. See

The same approach works for a malware test message using the EICAR test file:
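Both tests in one script, as an added example (mine, not from the original post): it sends a GTUBE message and an EICAR attachment through a gateway and reports whether the server rejected them at SMTP time. The GTUBE and EICAR strings are the published test strings; the SMTP server, sender and recipient are assumed placeholders.

```powershell
# Added example, not from the original post. Server, sender and recipient are
# assumed placeholders; the two test strings are the published standard ones.
$smtpServer = 'mx1.contoso.com'
$from       = 'tester@contoso.com'
$to         = 'victim@contoso.com'

# GTUBE: 68-character string that any GTUBE-aware filter scores as spam.
$gtube = 'XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'
# EICAR: must be the first bytes of the file. Single quotes keep PowerShell from
# expanding $EICAR and $H inside the string.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Send-TestMessage {
    param([string]$Subject, [string]$Body, [string[]]$Attachments)
    $params = @{ SmtpServer = $smtpServer; From = $from; To = $to
                 Subject = $Subject; Body = $Body; ErrorAction = 'Stop' }
    if ($Attachments) { $params.Attachments = $Attachments }
    try {
        Send-MailMessage @params
        # Accepted at SMTP time: the gateway may still quarantine it or send an NDR later.
        "$Subject : accepted by $smtpServer (check quarantine / later NDR)"
    } catch {
        # A gateway that rejects during the SMTP dialogue answers here, e.g. the
        # "550 GTUBE found in message" response shown above.
        "$Subject : rejected - $($_.Exception.Message)"
    }
}

Send-TestMessage -Subject 'GTUBE test' -Body $gtube

# Write the EICAR file as plain ASCII (no BOM, no trailing newline). Expect the
# endpoint antivirus on the sending machine to quarantine it immediately; that
# is a test result too.
$eicarPath = Join-Path $env:TEMP 'eicar.com'
[System.IO.File]::WriteAllText($eicarPath, $eicar, [System.Text.Encoding]::ASCII)
Send-TestMessage -Subject 'EICAR test' -Body 'EICAR test file attached' -Attachments $eicarPath
Remove-Item $eicarPath -ErrorAction SilentlyContinue
```

Send the messages from outside the organisation (or from a relay the gateway treats as untrusted), since most gateways skip content scanning for authenticated or internal senders and an "accepted" result would then say nothing about the filter.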


Enjoy testing ;).