I'm trying to work out why email I send from one domain I own is rejected by another that I own, and while I think it may be related to how I've setup spf records, I'm not sure what steps I need to take to fix it.
Here's the error message I receive:
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550-Verification failed for <[email protected]>
550-No Such User Here
550 Sender verify failed (state 14).
Here's the response from [email protected]
Delivered-To: [email protected]
Received: by 10.86.92.9 with SMTP id p9cs85371fgb;
Wed, 2 Sep 2009 22:33:32 -0700 (PDT)
Received: by 10.90.205.4 with SMTP id c4mr2406190agg.29.1251956007562;
Wed, 02 Sep 2009 22:33:27 -0700 (PDT)
Return-Path: <[email protected]>
Received: from verifier.port25.com (207-36-201-235.ptr.primarydns.com [207.36.201.235])
by mx.google.com with ESMTP id 26si831174aga.24.2009.09.02.22.33.25;
Wed, 02 Sep 2009 22:33:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 207.36.201.235 as permitted sender) client-ip=207.36.201.235;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 207.36.201.235 as permitted sender) [email protected]; dkim=pass [email protected]
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=auth; d=port25.com;
h=Date:From:To:Subject:Message-Id:In-Reply-To; [email protected];
bh=GRMrcnoucTl4upzqJYTG5sOZMLU=;
b=uk6TjADEyZVRkceQGjH94ZzfVeRTsiZPzbXuhlqDt1m+kh1zmdUEoiTOzd89ryCHMbVcnG1JajBj
5vOMKYtA3g==
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=auth; d=port25.com;
b=NqKCPK00Xt49lbeO009xy4ZRgMGpghvcgfhjNy7+qI89XKTzi6IUW0hYqCQyHkd2p5a1Zjez2ZMC
l0u9CpZD3Q==;
Received: from verifier.port25.com (127.0.0.1) by verifier.port25.com (PowerMTA(TM) v3.6a1) id hjt9pq0hse8u for <[email protected]>; Thu, 3 Sep 2009 01:26:52 -0400 (envelope-from <[email protected]>)
Date: Thu, 3 Sep 2009 01:26:52 -0400
From: [email protected]
To: [email protected]
Subject: Authentication Report
Message-Id: <[email protected]>
Precedence: junk (auto_reply)
In-Reply-To: <[email protected]>
This message is an automatic response from Port25's authentication verifier
service at verifier.port25.com. The service allows email senders to perform
a simple check of various sender authentication mechanisms. It is provided
free of charge, in the hope that it is useful to the email community. While
it is not officially supported, we welcome any feedback you may have at
<[email protected]>.
Thank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: neutral
Sender-ID check: pass
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname: fg-out-1718.google.com
Source IP: 72.14.220.158
mail-from: [email protected]
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: [email protected]
DNS record(s):
stemcel.co.uk. 14400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
aspmx.googlemail.com. 7200 IN TXT "v=spf1 redirect=_spf.google.com"
_spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: [email protected]
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified:
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result: pass
ID(s) verified: [email protected]
DNS record(s):
stemcel.co.uk. 14400 IN TXT "v=spf1 include:aspmx.googlemail.com ~all"
aspmx.googlemail.com. 7200 IN TXT "v=spf1 redirect=_spf.google.com"
_spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"
----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.2.5 (2008-06-10)
Result: ham (-2.6 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS SPF: sender matches SPF record
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
I've registered the spf records for my domain, as advised here
Both domains pass validate according to Kitterman's spf record testing tools, so I'm somewhat confused about this.
I also have the catchall address set up on the stemcel.co.uk domain here, but I don't have one setup for chrisadams.me.uk.
Instead, we have the following forwarders setup
[email protected] to [email protected]
[email protected] to [email protected]
[email protected] to [email protected]
[email protected] to [email protected]
Any ideas how to get this working? I'm not sure what I should be looking for here.
Have you tried turning on the "Catch-all Address" feature in Google apps? If you assign it to a user name you can at least tell if the mail is getting to the Google Apps instance for your domain. Since it seems, from the above error, that Google Apps could not locate the user, perhaps this will help diagnosing the issue.
Are you using the SPF registered server as your outgoing mail server, or some other such as that of your local ISP?
Does it work if you remove SPF?
I've found it to be more trouble than it's worth. It doesn't stop you recieving spam, it only reduces (slightly) the backscatter from people sending spam in your name.
The way you have SPF set up (ending in ~all) it is very unlikely that it causes a rejection (especially not the kind you reported). Besides, the port25 check indicates that everything is fine. You can also use http://www.openspf.org/Why to double-check.
As pjc50 suggested, try the mail setup again without SPF records. I guess that SPF records are not an issue here. But we do not have yet enough data for further analysis.
Are you sending all mail through gmail using the "Send Mail as" of the "Accounts and Import" section of GMail? I had this same error when attempting to send email through my gmail account as another of my "Apps for Your Domain" accounts. I had changed the password of my user account and that was why it was rejecting it. It was actually being rejected by GMail and not by the recipient's email server.