Getting relay error on incoming mail from 3 party despite SPF settings

Question asked by Allan Romme - 10/22/2014 at 7:34 AM

Unanswered

We have a domain on our SmarterMail and it's working fine.

Now we have a 3 party service that are sending mails via SendGrid on behalf of that domain and that part are also working. All SPF settings on the domain are in place.

But when we have an incoming mail to our SmarterMail from SendGrid the mail are rejected by SmarterMail with
"rsp: 550 Authentication is required for relay"

We have asked the 3 party service if they are sending mail from a static IP, so that we could put that into the SMTP relay. But they do not have that.

How do we solved this issue so we can around the error?

And should SmarterMail not look at the SPF record and know that the sender (SendGrid) is a trusted sender?

Hope someone can help on this issue

Best regards

Allan Romme

6 Replies

Reply to Thread

Bruce Barnes Replied

10/22/2014 at 9:21 AM

Two questions for you:

1. is the sending appliance using SMTP AUTHENTICATION to send through SmarterMail?

2. is the sending appliance using the SAME DOMAIN/USERNAME to send the message?

Both of these can cause the issue you are experiencing. Because of requirements put in place by large ISPs, including YAHOO!, Gmail, COMCAST and many others, everything MUST now be SMTP AUTHENTICATED from the SENDING DOMAIN - not from another domain.

This has caught more than a few people off guard as it sometimes means completely rewriting the code used to send messages from web forms, shopping carts, and other originating appliances.

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Allan Romme Replied

10/22/2014 at 11:42 AM

Hi Bruce

The sending application are not using our mail SmarterMail, they are using SendGrid (http://sendgrid.com)

And via SendGrid they are sending mails on behalf of our domain.

Let me try to explain :o)

SmarterMail handles regular company mails from and to employees. For example sales@domain.com, mike@domain.com, etc.

SendGrid handles mail on 3 party service used by the company. For example booking confirmations.

Thees are sent from sales@domain.com and are received with no problem by everybody.

But when the receiver are for example mike@domian.com, then SmarterMail are rejecting the mail with the error

"rsp: 550 Authentication is required for relay"

I hope this explain the situation better.

Bruce Barnes Replied

10/23/2014 at 1:25 AM

Sendgrid must either send through SmarterMail, or you must add a "Sendgrid SPF include statement" in the domain's SPF record.

Adding this to your domain's CURRENT SPF RECORD should help: include:sendrgid.net

You should be able to find this information via a Google search. If this does not help, then you will need to contact sendgrid directly.

Allan Romme Replied

1/14/2015 at 3:33 AM

Sorry for not getting back on this issue.

We did include the SendGrid SPF settings but it did not solve the problem.

Finally we solved it by adding the IP from SendGrid on the "SMTP Authentication Bypass".

But now we got a similar with a customer that use zendesk for helpdesk system.

We have added the zendesk SPF to their domain, but when we try to add support@customerdomain.com to zendesk and zendesk are sending a verification mail to support@customerdomain.com, then our SmartMail reject it with the error:

"Host mail.customerdomain.com[xxx.xxx.xxx.xxx] said: 550 Authentication is required for relay (in reply to MAIL FROM command)"

We can't use the same solution, because zendesk have many IP's and they can change them without us knowing it.

I think it's strange that SmarterMail reject it as the sender are allow according to the domain SPF setting.

Bruce Barnes Replied

1/14/2015 at 5:02 AM

Wgar you are experiencing is becoming more common. The receiving server wants the "sent from" and "reply to " e-mail addresses to match and authentic to your IP a2, SPF, and rDNS. Comcast now blocks ALL non-matching traffic, at the network level, just like they block non-SMTP traffic on port 25 which does not originate from, and route to, another MX server. In addition, whitelisting is becoming more and more dangerous, and is a prime source of virus and keystroke logger attacks. If you can either share more specific domain and email address information, or contact me with that information off-forum, I can look more closely at the domains and addresses in question.

Rafael Grecco Replied

7/7/2015 at 11:01 AM

Hi, I know this is an old thread, but I got a similar problem.

Someone forwarded this message to me:

From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Date: 2015-07-07 13:43 GMT-03:00
Subject: Delivery Status Notification (Failure)
To: xxxxxxx@sender.com

Delivery to the following recipient failed permanently:

xxxxxxxxx@recipient.com (hosted by me)

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain recipient.com by my.smartermail.server. [xx.xxx.xxx.xxx].

The error that the other server returned was:
550 Authentication is required for relay

I renamed the sender, recipient and my e-mail server adressess.

The receiver is hosted on my Smartermail server and I have never had this problem before (that I know). I was contacted by the sending party, the one that received the error message.

Below is the original message (which he also forwarded to me):

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:disposition-notification-to
:in-reply-to:references:date:message-id:subject:from:to:content-type;
bh=PG7tMYn83O0XhalIz8Vd9nEjHTJ/guXMT4PLHAWF2J0=;
b=LcrTL6e09o1UjeWqVKXj3KjqvLvGfgscpm7uHiO2pAuBwCDbDzxwDokNDGl7DBhlHc
7tfLw0Eb6WLn6XpLxxe2Gy4VEHE/yLvj38xoX7nHd2DeoizXDJs48PDz4Mx08McaloKh
TGhNbQLi3QtwUmG8Y/hFGUWOHpuYG3G+OHzvxFLd3tpGYJKtzoBRcFKOm+6XGrqPHE4P
SKig4eq3CnHSDQqUr0lZY4KKzUVyCzMl+geGuOuatTG97ej6nLgazCJKddf5mceRGPzT
m6yUfbBOdmZT0rHBJ+nfoIbggQ6yxPeValCi60QsK/CVBRwjvqBXaY/Xz1ch3Xp5ObFH
rNEQ==
X-Gm-Message-State: ALoCoQk0YhJ3cNpp9ARC8kUajO6b3aii0Hfl0tjA6ebuuNESRhj1SmjMqBsrFtRo095aa7oN3xaz
MIME-Version: 1.0
X-Received: by xx.xxx.xxx.xxx with SMTP id dh2mr4340446lac.53.1436287417619;
Tue, 07 Jul 2015 09:43:37 -0700 (PDT)
Disposition-Notification-To: xxxxxx@sender.com
Received: by 10.25.17.25 with HTTP; Tue, 7 Jul 2015 09:43:37 -0700 (PDT)
In-Reply-To: <CAEBSmxk6YrekC9mcg59nCzix79-F6vvRPioDH7Gj2mfGQUyHdw@mail.gmail.com>
References: <BLU173-W46C172F518B96A7915284AF4960@phx.gbl>
<CAEBSmxk6YrekC9mcg59nCzix79-F6vvRPioDH7Gj2mfGQUyHdw@mail.gmail.com>
Date: Tue, 7 Jul 2015 13:43:37 -0300
Message-ID: <CAF3EyhGqaNuhA8KbemO7suYc8cbMjkOeCxEF=mfeExEBgFqd6g@mail.gmail.com>
Subject: Fwd: E-mail subject
From: Sender <xxxxxx@sender.com>
To: xxxxxxxx@recipient.com (hosted by me)
Content-Type: multipart/alternative; boundary=001a113497e452aeb9051a4bb92b

So....... do you what the problem is? Can I fix it or should the sender contact his e-mail service (Google)?

Thanks

Back to Community Threads

Please leave this box unchecked

6 Replies

Reply to Thread

Tags

Related Knowledge Base Articles