Getting relay error on incoming mail from 3rd party despite SPF settings
Question asked by Allan Romme - October 22, 2014 at 7:34 AM
Unanswered
We have a domain on our SmarterMail and it's working fine.
Now we have a 3rd-party service that is sending mails via SendGrid on behalf of that domain, and that part is also working. All SPF settings on the domain are in place.
 
But when we have an incoming mail to our SmarterMail from SendGrid, the mail is rejected by SmarterMail with
"rsp: 550 Authentication is required for relay"
 
We have asked the 3rd-party service if they are sending mail from a static IP, so that we could put that into the SMTP relay. But they do not have that.
 
How do we solve this issue so we can get around the error?
And should SmarterMail not look at the SPF record and know that the sender (SendGrid) is a trusted sender?
 
Hope someone can help on this issue
 
Best regards
Allan Romme

6 Replies

0
Bruce Barnes Replied
Two questions for you:
 
1. Is the sending appliance using SMTP AUTHENTICATION to send through SmarterMail?
 
2. Is the sending appliance using the SAME DOMAIN/USERNAME to send the message?
 
Both of these can cause the issue you are experiencing.  Because of requirements put in place by large ISPs, including YAHOO!, Gmail, COMCAST and many others, everything MUST now be SMTP AUTHENTICATED from the SENDING DOMAIN - not from another domain.
 
This has caught more than a few people off guard as it sometimes means completely rewriting the code used to send messages from web forms, shopping carts, and other originating appliances.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Allan Romme Replied
Hi Bruce
 
The sending application is not using our SmarterMail; they are using SendGrid (http://sendgrid.com)
And via SendGrid they are sending mails on behalf of our domain.
 
Let me try to explain :o)
 
SmarterMail handles regular company mails from and to employees. For example  sales@domain.com, mike@domain.com, etc.
 
SendGrid handles mail for a 3rd-party service used by the company. For example booking confirmations.
These are sent from sales@domain.com and are received with no problem by everybody.
But when the receiver is, for example, mike@domain.com, then SmarterMail rejects the mail with the error
 "rsp: 550 Authentication is required for relay"
 
I hope this explains the situation better.
0
Bruce Barnes Replied
SendGrid must either send through SmarterMail, or you must add a "SendGrid SPF include statement" in the domain's SPF record.
 
Adding this to your domain's CURRENT SPF RECORD should help: include:sendgrid.net
 
You should be able to find this information via a Google search.  If this does not help, then you will need to contact SendGrid directly.
Bruce Barnes
0
Allan Romme Replied
Hi
 
Sorry for not getting back on this issue.
 
We did include the SendGrid SPF settings but it did not solve the problem.
Finally we solved it by adding the IP from SendGrid on the "SMTP Authentication Bypass".
 
But now we have a similar issue with a customer that uses Zendesk as a helpdesk system.
We have added the Zendesk SPF to their domain, but when we try to add support@customerdomain.com to Zendesk and Zendesk sends a verification mail to support@customerdomain.com, then our SmarterMail rejects it with the error:
 
"Host mail.customerdomain.com[xxx.xxx.xxx.xxx] said: 550    Authentication is required for relay (in reply to MAIL FROM command)"
 
We can't use the same solution, because Zendesk has many IPs and they can change them without us knowing it.
 
I think it's strange that SmarterMail rejects it, as the sender is allowed according to the domain's SPF setting.
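The situation described above can be reproduced offline. This is an added example, not part of the original posts and not SmarterMail code: `spf_check` evaluates a subset of SPF (ip4, include, all) over constructed TXT records, and `mail_from_reply` is an assumed relay policy inferred from the symptom in this thread (a local-domain envelope sender needs SMTP AUTH or a bypassed IP). All domain names, IPs and function names are hypothetical.

```python
import ipaddress

# Constructed TXT records using documentation IP ranges (not real provider data).
TXT = {
    "domain.example": "v=spf1 ip4:192.0.2.10 include:esp.example -all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
LOCAL_DOMAINS = {"domain.example"}  # domains hosted on the receiving server
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) and return the result name."""
    record = TXT.get(domain, "")
    if depth > 10 or not record.startswith("v=spf1"):
        return "permerror" if depth else "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech == "all":
            return RESULTS[qualifier]
        if mech.startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return RESULTS[qualifier]
        elif mech.startswith("include:"):
            inner = spf_check(mech[8:], ip, depth + 1)
            if inner == "pass":          # include matches only on a nested pass
                return RESULTS[qualifier]
            if inner == "permerror":     # missing or broken included record
                return "permerror"
    return "neutral"


def mail_from_reply(sender, client_ip, authenticated, bypass=frozenset()):
    """Assumed relay policy (not SmarterMail's code): SPF is never consulted.

    An unauthenticated session whose envelope sender is in a locally hosted
    domain is refused unless the client IP is on the bypass list.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS and not authenticated and client_ip not in bypass:
        return "550 Authentication is required for relay"
    return "250 OK"
```

Under this model the provider's IP gets an SPF `pass` while the MAIL FROM reply stays 550 until that IP is listed in the bypass set, which matches what the poster reports.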
0
Bruce Barnes Replied
What you are experiencing is becoming more common. The receiving server wants the "sent from" and "reply to" e-mail addresses to match and authentic to your IP a2, SPF, and rDNS. Comcast now blocks ALL non-matching traffic, at the network level, just like they block non-SMTP traffic on port 25 which does not originate from, and route to, another MX server. In addition, whitelisting is becoming more and more dangerous, and is a prime source of virus and keystroke logger attacks. If you can either share more specific domain and email address information, or contact me with that information off-forum, I can look more closely at the domains and addresses in question.
Bruce Barnes
0
Rafael Grecco Replied
Hi, I know this is an old thread, but I got a similar problem.
 
Someone forwarded this message to me:
 
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Date: 2015-07-07 13:43 GMT-03:00
Subject: Delivery Status Notification (Failure)
To: xxxxxxx@sender.com

Delivery to the following recipient failed permanently:

 
xxxxxxxxx@recipient.com (hosted by me)

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain recipient.com by my.smartermail.server. [xx.xxx.xxx.xxx].

The error that the other server returned was:
550 Authentication is required for relay
 
I renamed the sender, recipient and my e-mail server addresses.
 
The receiver is hosted on my Smartermail server and I have never had this problem before (that I know). I was contacted by the sending party, the one that received the error message.
 
Below is the original message (which he also forwarded to me):
 
MIME-Version: 1.0
X-Received: by xx.xxx.xxx.xxx with SMTP id dh2mr4340446lac.53.1436287417619;
 Tue, 07 Jul 2015 09:43:37 -0700 (PDT)
Disposition-Notification-To: xxxxxx@sender.com
Received: by 10.25.17.25 with HTTP; Tue, 7 Jul 2015 09:43:37 -0700 (PDT)
In-Reply-To: <CAEBSmxk6YrekC9mcg59nCzix79-F6vvRPioDH7Gj2mfGQUyHdw@mail.gmail.com>
References: <BLU173-W46C172F518B96A7915284AF4960@phx.gbl>
        <CAEBSmxk6YrekC9mcg59nCzix79-F6vvRPioDH7Gj2mfGQUyHdw@mail.gmail.com>
Date: Tue, 7 Jul 2015 13:43:37 -0300
Message-ID: <CAF3EyhGqaNuhA8KbemO7suYc8cbMjkOeCxEF=mfeExEBgFqd6g@mail.gmail.com>
Subject: Fwd: E-mail subject
From: Sender <xxxxxx@sender.com>
To: xxxxxxxx@recipient.com (hosted by me)
Content-Type: multipart/alternative; boundary=001a113497e452aeb9051a4bb92b
 
So....... do you know what the problem is? Can I fix it or should the sender contact his e-mail service (Google)?
 
Thanks
