SPF check failure but cannot pinpoint issue (newbie)

sul asked:

I sent a test email using the port25.com email verification tool and got back the results below in it’s entirety. Can someone tell me what is missing and why SPF is failing?
Many thanks!

-sul.

This message is an automatic response from Port25's authentication verifier service at verifier.port25.com.  The service allows email senders to perform a simple check of various sender authentication mechanisms.  It is provided free of charge, in the hope that it is useful to the email community.  While it is not officially supported, we welcome any feedback you may have at <verifier-feedback@port25.com>.

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check:          fail
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    fail
DKIM check:         none
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  smtp4.fiu.edu
Source IP:      131.94.79.14
mail-from:      prvs=956918cfdd=volunteer@thewolf.fiu.edu

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         fail (not permitted)
ID(s) verified: smtp.mailfrom=prvs=956918cfdd=volunteer@thewolf.fiu.edu
DNS record(s):
    thewolf.fiu.edu. SPF (no records)
    thewolf.fiu.edu. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com -all"
    spf.protection.outlook.com. SPF (no records)
    spf.protection.outlook.com. 428 IN TXT "v=spf1 ip4:207.46.101.128/26 ip4:207.46.108.0/25 ip4:207.46.100.0/24 ip4:207.46.163.0/24 ip4:65.55.169.0/24 ip4:157.55.133.0/25 ip4:157.56.110.0/23 ip4:157.55.234.0/24 ip4:213.199.154.0/24 ip4:213.199.180.0/24 include:spfa.protection.outlook.com -all"
    spfa.protection.outlook.com. SPF (no records)
    spfa.protection.outlook.com. 318 IN TXT "v=spf1 ip4:157.56.120.0/25 ip4:157.56.116.0/25 ip4:157.56.112.0/24 ip4:134.170.140.0/24 ip4:134.170.132.0/24 ip4:207.46.51.64/26 ip4:157.55.158.0/23 ip4:157.56.87.192/26 ip4:64.4.22.64/26 include:spfb.protection.outlook.com -all"
    spfb.protection.outlook.com. SPF (no records)
    spfb.protection.outlook.com. 569 IN TXT "v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23 ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21 ip4:23.103.208.0/21 ip4:23.103.191.0/24 ip4:216.32.181.0/24 -all"

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=volunteer@thewolf.fiu.edu
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: 

NOTE: DKIM checking has been performed based on the latest DKIM specs (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for older versions.  If you are using Port25's PowerMTA, you need to use version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         fail (not permitted)
ID(s) verified: header.From=volunteer@thewolf.fiu.edu
DNS record(s):
    thewolf.fiu.edu. SPF (no records)
    thewolf.fiu.edu. 3600 IN TXT "v=spf1 include:spf.protection.outlook.com -all"
    spf.protection.outlook.com. SPF (no records)
    spf.protection.outlook.com. 428 IN TXT "v=spf1 ip4:207.46.101.128/26 ip4:207.46.108.0/25 ip4:207.46.100.0/24 ip4:207.46.163.0/24 ip4:65.55.169.0/24 ip4:157.55.133.0/25 ip4:157.56.110.0/23 ip4:157.55.234.0/24 ip4:213.199.154.0/24 ip4:213.199.180.0/24 include:spfa.protection.outlook.com -all"
    spfa.protection.outlook.com. SPF (no records)
    spfa.protection.outlook.com. 318 IN TXT "v=spf1 ip4:157.56.120.0/25 ip4:157.56.116.0/25 ip4:157.56.112.0/24 ip4:134.170.140.0/24 ip4:134.170.132.0/24 ip4:207.46.51.64/26 ip4:157.55.158.0/23 ip4:157.56.87.192/26 ip4:64.4.22.64/26 include:spfb.protection.outlook.com -all"
    spfb.protection.outlook.com. SPF (no records)
    spfb.protection.outlook.com. 569 IN TXT "v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23 ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21 ip4:23.103.208.0/21 ip4:23.103.191.0/24 ip4:216.32.181.0/24 -all"

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         none (message not signed)
ID(s) verified: header.d=none;

NOTE: DKIM checking has been performed based on the latest DKIM specs (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for older versions.  If you are using Port25's PowerMTA, you need to use version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.4.0 (2014-02-07)

Result:         ham  (-1.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
 0.0 SPF_FAIL               SPF: sender does not match SPF record (fail)
[SPF failed: Please see https://urldefense.proofpoint.com/v2/url?u=http-3A__www.openspf.net_Why-3Fs-3Dmfrom-3Bid-3Dprvs-253D956918cfdd-253Dvolunteer-2540thewolf.fiu.edu-3Bip-3D131.94.79.14-3Br-3Dverifier.port25.com&d=AwIBAg&c=1QsCMERiq7JOmEnKpsSyjg&r=B3cGUFbtTm6kAXa577pfH-IzxFwv8TPRixkn15i-XJY&m=TRoiKJpKfbcuDTpQ3Yv8LEewM5hqAQAoPp5Yv5I51h4&s=qkneHL-pZ43fMAx0FXiXqNS1zWHCpaKi1Idxpm7TLxw&e= ]
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0001]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.0 TVD_SPACE_RATIO        No description available.

==========================================================
Explanation of the possible results (from RFC 5451) ==========================================================

SPF and Sender-ID Results
=========================

"none"
      No policy records were published at the sender's DNS domain.

"neutral"
      The sender's ADMD has asserted that it cannot or does not
      want to assert whether or not the sending IP address is authorized
      to send mail using the sender's DNS domain.

"pass"
      The client is authorized by the sender's ADMD to inject or
      relay mail on behalf of the sender's DNS domain.

"policy"
     The client is authorized to inject or relay mail on behalf
      of the sender's DNS domain according to the authentication
      method's algorithm, but local policy dictates that the result is
      unacceptable.

"fail"
      This client is explicitly not authorized to inject or
      relay mail using the sender's DNS domain.

"softfail"
      The sender's ADMD believes the client was not authorized
      to inject or relay mail using the sender's DNS domain, but is
      unwilling to make a strong assertion to that effect.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability to
      retrieve a policy record from DNS.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being absent or
      a syntax error in a retrieved DNS TXT record.  A later attempt is
      unlikely to produce a final result.


DKIM and DomainKeys Results
===========================

"none"
      The message was not signed.

"pass"
      The message was signed, the signature or signatures were
      acceptable to the verifier, and the signature(s) passed
      verification tests.

"fail"
      The message was signed and the signature or signatures were
      acceptable to the verifier, but they failed the verification
      test(s).

"policy"
      The message was signed but the signature or signatures were
      not acceptable to the verifier.

"neutral"
      The message was signed but the signature or signatures
      contained syntax errors or were not otherwise able to be
      processed.  This result SHOULD also be used for other
      failures not covered elsewhere in this list.

"temperror"
      The message could not be verified due to some error that
      is likely transient in nature, such as a temporary inability
      to retrieve a public key.  A later attempt may produce a
      final result.

"permerror"
      The message could not be verified due to some error that
      is unrecoverable, such as a required header field being
      absent. A later attempt is unlikely to produce a final result.


==========================================================
Original Email
==========================================================

Return-Path: <prvs=956918cfdd=volunteer@thewolf.fiu.edu>
Received: from smtp4.fiu.edu (131.94.79.14) by verifier.port25.com id h9f3ca20i3gh for <check-auth@verifier.port25.com>; Thu, 7 May 2015 16:10:45 -0400 (envelope-from <prvs=956918cfdd=volunteer@thewolf.fiu.edu>)
Authentication-Results: verifier.port25.com; spf=fail (not permitted) smtp.mailfrom=prvs=956918cfdd=volunteer@thewolf.fiu.edu
Authentication-Results: verifier.port25.com; domainkeys=neutral (message not signed) header.From=volunteer@thewolf.fiu.edu
Authentication-Results: verifier.port25.com; dkim=neutral (message not signed)
Authentication-Results: verifier.port25.com; sender-id=fail (not permitted) header.From=volunteer@thewolf.fiu.edu
Received: from pps.filterd (smtp4.fiu.edu [127.0.0.1])
    by smtp4.fiu.edu (8.14.5/8.14.5) with SMTP id t47K1oJT026934
    for <check-auth@verifier.port25.com>; Thu, 7 May 2015 16:10:43 -0400
Received: from fiumailsmtp.fiu.edu (dithub02.ad.fiu.edu [131.94.72.23])
    by smtp4.fiu.edu with ESMTP id 1u8ctpj502-1
    for <check-auth@verifier.port25.com>; Thu, 07 May 2015 16:10:43 -0400
Received: from na01-bn1-obe.outbound.protection.outlook.com (207.46.163.187)  by fiu.edu (192.168.251.14) with Microsoft SMTP Server (TLS) id 14.3.123.3;  Thu, 7 May 2015 16:10:43 -0400
Received: from BN1PR05MB391.namprd05.prod.outlook.com (10.141.60.153) by  BN1PR05MB389.namprd05.prod.outlook.com (10.141.60.142) with Microsoft SMTP  Server (TLS) id 15.1.154.19; Thu, 7 May 2015 20:10:41 +0000
Received: from BN1PR05MB391.namprd05.prod.outlook.com ([169.254.16.123]) by  BN1PR05MB391.namprd05.prod.outlook.com ([169.254.16.123]) with mapi id  15.01.0148.019; Thu, 7 May 2015 20:10:41 +0000
From: Wolfsonian Volunteer Staff <volunteer@thewolf.fiu.edu>
To: "check-auth@verifier.port25.com" <check-auth@verifier.port25.com>
Subject: Testing Email
Thread-Topic: Testing Email
Thread-Index: AQHQiQHk6bF4oIqMzE+Ui0lky4WTGA==
Date: Thu, 7 May 2015 20:10:41 +0000
Message-ID: <1431029441066.95255@thewolf.fiu.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: verifier.port25.com; dkim=none (message not signed)  header.d=none;
x-originating-ip: [131.94.187.17]
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR05MB389;
x-microsoft-antispam-prvs: <BN1PR05MB389C10D8211381209873E92F7DF0@BN1PR05MB389.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(601004)(5005006)(3002001);SRVR:BN1PR05MB389;BCL:0;PCL:0;RULEID:;SRVR:BN1PR05MB389;
x-forefront-prvs: 056929CBB8
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(6009001)(551214005)(50986999)(122556002)(5001960100002)(107886002)(2656002)(110136002)(40100003)(558084003)(62966003)(75432002)(54356999)(189998001)(87936001)(92566002)(2900100001)(450100001)(102836002)(106116001)(19625215002)(88552001)(16236675004)(46102003)(2501003)(66066001)(2351001)(86362001)(229853001)(19627405001)(77156002)(117636001)(89122001)(99286002)(221733001);DIR:OUT;SFP:1101;SCL:1;SRVR:BN1PR05MB389;H:BN1PR05MB391.namprd05.prod.outlook.com;FPR:;SPF:None;MLV:sfv;LANG:en;
Content-Type: multipart/alternative;
    boundary="_000_143102944106695255thewolffiuedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 May 2015 20:10:41.4014
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ac79e5a8-e0e4-434b-a292-2c89b5c28366
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR05MB389
X-OriginatorOrg: thewolf.fiu.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151,1.0.33,0.0.0000
 definitions=2015-05-07_06:2015-05-07,2015-05-07,1970-01-01 signatures=0
x-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 classifier= adjust=0  reason=safe scancount=1 engine=7.0.1-1402240000
 definitions=main-1505070247

--_000_143102944106695255thewolffiuedu_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

?Test.

--_000_143102944106695255thewolffiuedu_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-= 1"> <style type=3D"text/css" style=3D"display:none;"><!-- P {margin-top:0;margi= n-bottom:0;} --></style> </head> <body dir=3D"ltr"> <div id=3D"divtagdefaultwrapper" style=3D"font-size:12pt;color:#000000;back=
ground-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>​Test.<br>
</p>
</div>
</body>
</html>

--_000_143102944106695255thewolffiuedu_--

My answer:


Your email was sent out to the Internet via smtp4.fiu.edu (131.94.79.14). However, neither this name nor IP address are in your SPF record as an authorized sender.

The SPF record shows only Office 365 as an authorized sender for thewolf.fiu.edu. No other hosts are authorized to send mail, and this correctly failed.

Since you are sending mail via other mail servers, you should add their IP addresses to your SPF record. Or, you can alter your own mail servers to redirect outgoing mail via Office 365.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.