Errors are appearing in the message audit logs of Symantec Messaging Gateway (SMG) saying that your MX IP address is not allowed to send per its SPF record.
This error is coming from the recipient mail host.
Sender's SPF record is set to a "hard fail" (-all).
Example (may not be worded exactly, varies with each mail host):
This particular error is returned from a large hosted mail domain: 550 5.1.1 <Your IP Address> is not allowed to send from <Your domain> per its SPF Record. Please inspect your SPF settings, and try again.
There is no IP record in the SPF for the sender's domain that matches the external IP related to the SMG.
Root cause solution
Update the SPF record for the sender's domain to include the IP address associated with the SMG.
If the SPF record is configured for "soft fail" (~all), the SMG will still accept mail even if it fails. This setting is recommended for senders performing network changes or changing external IP addresses.
SPF documentation is available at the ITEF website. Symantec Support is not able to provide configurations for our customers, but various sites provide SPF tools to assist in proper configuration.
Subscribing will provide email updates when this Article is updated. Login is required.