MIDAS Knowledgebase

Outgoing email fails with "SPF fail - not authorized" or "DMARC Evaluation" errors

SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) are both extensions to Internet e-mail. Their purpose is to prevent unauthorized people from forging your e-mail address.

If an email sent from your MIDAS system is returned to you with an "SPF fail - not authorized" error, a "DMARC Evaluation" error, or a similar error, this indicates that the domain of the email address the message was purportedly sent "from" isn't currently configured to allow email to be sent on its behalf from external/3rd party sources (i.e. the physical server where your MIDAS system resides).

Example Scenario:

In the above example, the receiving mail server on domain C queries domain B to check whether domain A is authorized to send mail on behalf of domain B. If it isn't, the email is rejected.

This can be resolved in a number of ways, depending upon the level of access you have to the domains/servers in question:

A) If you own/administer "domain B" from the above scenario (i.e. your own organization's domain) - For example, if you've configured your MIDAS to send email from "noreply@yourdomain.com" and you also administer the root "yourdomain.com" domain, then you have two options:

1) Modify "yourdomain.com"'s SPF record to "whitelist" the server on which your MIDAS system resides (domain "A" in the above scenario), so that it is authorized to send email on your own domain's behalf. For example, the domain's modified SPF record may look like this:

v=spf1 ip4:x.x.x.x a:your_midas_domain -all

...in the above SPF record example, your domain would only allow the IP address x.x.x.x or the domain "your_midas_domain" to send email on behalf of your domain.

For more information on correct SPF record syntax, please see: http://www.openspf.org/SPF_Record_Syntax
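
The following is an added example, not part of the original article or of MIDAS itself: a small Python evaluator for the ip4, a and all mechanisms used in the record above, showing why a server missing from the record gets an SPF fail and how adding it changes the result. The IP addresses, the hostname midas.example.org and the A_RECORDS table (which stands in for live DNS lookups) are constructed for illustration.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data (documentation address ranges, hypothetical hostname).
BEFORE = "v=spf1 ip4:203.0.113.10 -all"                       # MIDAS server not listed
AFTER = "v=spf1 ip4:203.0.113.10 a:midas.example.org -all"    # MIDAS server added
A_RECORDS = {"midas.example.org": ["198.51.100.7"]}            # stand-in for DNS


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # a missing qualifier means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_sender(record, sender_ip, a_records):
    """Evaluate mechanisms left to right; the first one that matches decides."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            hosts = a_records.get(value, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"mechanism not handled in this example: {name}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"                         # no mechanism matched


if __name__ == "__main__":
    midas_ip = "198.51.100.7"
    print("before:", check_sender(BEFORE, midas_ip, A_RECORDS))
    print("after: ", check_sender(AFTER, midas_ip, A_RECORDS))
```
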

Alternatively;

2) Configure your MIDAS email settings to send email directly via your domain's own SMTP servers. You can configure these settings via MIDAS Admin Options → Manage MIDAS → Email. Once correctly configured, all subsequent email sent from your MIDAS system will instead be relayed through your organization's own SMTP servers rather than being sent directly from the server where your MIDAS resides, or another SMTP server. This will mean that there won't be a mismatch between the "virtual" email address(es) you're sending from and the actual mail server they're being sent from.

B) If you don't own/administer "domain B" from the original scenario, then you have two options:

1) Configure your MIDAS email settings to send email directly via your domain's own SMTP servers. You can configure these settings via MIDAS Admin Options → Manage MIDAS → Email. Once correctly configured, all subsequent email sent from your MIDAS system will instead be relayed through your organization's own SMTP servers rather than being sent directly from the server where your MIDAS resides, or another SMTP server. This will mean that there won't be a mismatch between the "virtual" email address(es) you're sending from and the actual mail server they're being sent from.

Alternatively;

2) Change the email address(es) from which outgoing emails are purportedly sent in your MIDAS system. For example, if you're attempting to send emails purporting to be from "domainX", and "domainX" itself prohibits sending of email from @domainX addresses from non-domainX servers, change the email address in MIDAS to one on a domain which will allow sending of email from external servers.


More information from AOL on their DMARC policy may be found at http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/
More information from Yahoo! on their DMARC policy may be found at https://help.yahoo.com/kb/SLN24050.html