Question
I have received a non-delivery report (NDR) email with a SPF validation error. How do I resolve this?
Solution
Please contact your Network Administrator for help with this method.
To troubleshoot, you will first need to check that your SPF record includes the Crossware mail servers.
As your email goes through our service, the Crossware server's IP will be referenced in the email headers.
NOTE: An SPF record identifies which mail servers are permitted to send email on behalf of your domain.
1. View the header of the email you sent.
For Outlook 2016, double-click the email message to display it in its own full window, select "File" > "Properties" and view the message header in the "Internet headers" field at the bottom of the window.
2. Scan the header text for a mention of "spf=fail".
For example:

3. Check that the IP Address listed next to "sender IP" is a Crossware IP address from this list:
Region: Australia
AUS-EAST - 20.53.98.13
AUS-SOUTHEAST - 13.77.7.165
Region: Australia K1
AUS-K1-EAST - 20.193.18.29
AUS-K1-SOUTHEAST - 20.40.171.203
Region: Canada
CAN-CENTRAL - 52.237.28.198
CAN-EAST - 52.242.38.143
Region: Canada K1
CAN-K1-CENTRAL - 20.200.81.42
CAN-K1-EAST - 52.229.123.246
Region Europe: K1
EUROPE-K1-NORTH - 51.104.160.172
EUROPE-K1-WEST - 51.105.190.74
Region Europe: K2
EUROPE-K2-NORTH - 20.82.209.1
EUROPE-K2-WEST - 51.105.186.88
Region Europe: K3
EUROPE-K3-NORTH - 52.146.155.24
EUROPE-K3-WEST - 20.4.108.96
Region Europe:
EUROPE-WEST - 51.137.107.73
EUROPE-NORTH - 40.113.68.44
EUROPE-WEST (K1) - 20.73.236.16
EUROPE-NORTH (K1) - 51.104.138.178
Region France:
FRANCE-CENTRAL - 20.74.30.236
FRANCE-SOUTH - 52.136.140.66
Region UAE
UAE-K1-NORTH - 40.119.167.158
Region USA
US-EAST - 20.62.137.178
US-WEST - 40.112.165.55
Region: USA K1
US-K1-EAST - 52.149.241.223
US-K1-WEST - 20.184.240.220
Region: QAT K1
QAT-CENTRAL - 20.21.233.177
Region: All (Only Customers in Production Before 25 Nov 2018)
US - 20.237.102.145
EU - 20.54.134.112
AU - 20.53.139.41
AUS-EAST - 20.53.98.13
AUS-SOUTHEAST - 13.77.7.165
AUS-K1-EAST - 20.193.18.29
AUS-K1-SOUTHEAST - 20.40.171.203
Region: Canada
CAN-CENTRAL - 52.237.28.198
CAN-EAST - 52.242.38.143
Region: Canada K1
CAN-K1-CENTRAL - 20.200.81.42
CAN-K1-EAST - 52.229.123.246
Region Europe: K1
EUROPE-K1-NORTH - 51.104.160.172
EUROPE-K1-WEST - 51.105.190.74
Region Europe: K2
EUROPE-K2-NORTH - 20.82.209.1
EUROPE-K2-WEST - 51.105.186.88
Region Europe: K3
EUROPE-K3-NORTH - 52.146.155.24
EUROPE-K3-WEST - 20.4.108.96
Region Europe:
EUROPE-WEST - 51.137.107.73
EUROPE-NORTH - 40.113.68.44
EUROPE-WEST (K1) - 20.73.236.16
EUROPE-NORTH (K1) - 51.104.138.178
Region France:
FRANCE-CENTRAL - 20.74.30.236
FRANCE-SOUTH - 52.136.140.66
Region UAE
UAE-K1-NORTH - 40.119.167.158
Region USA
US-EAST - 20.62.137.178
US-WEST - 40.112.165.55
Region: USA K1
US-K1-EAST - 52.149.241.223
US-K1-WEST - 20.184.240.220
Region: QAT K1
QAT-CENTRAL - 20.21.233.177
Region: All (Only Customers in Production Before 25 Nov 2018)
US - 20.237.102.145
EU - 20.54.134.112
AU - 20.53.139.41
If you find spf=fail text with a Crossware IP address, the next step is to confirm that your domain returns an SPF record.
4. Log in to Kitterman SPF Record Testing Tool - https://www.kitterman.com/spf/validate.html
5. Type in your "Domain Name" and click "Get SPF Record" (if any).
6. Your SPF record should look similar to this example.
It should NOT return a record that includes the text include:o365.crossware.co.nz -all
6. Your SPF record should look similar to this example.
It should NOT return a record that includes the text include:o365.crossware.co.nz -all

You will need to update your SPF record to include a list of Crossware Mail Servers as an allowable sender from your domain.
7. Update your SPF record in your DNS to include
Depending on the Region you have been Provisioned in:
Region
|
Use SPF Record
|
Trial
|
include:o365.crossware.co.nz -all
|
Australia
Australia K1
|
include:aus.o365.crossware.co.nz -all
include:aus-k1.o365.crossware.co.nz -all
|
Canada
Canada K1 |
include:canada.o365.crossware.co.nz -all
include:can-k1.o365.crossware.co.nz -all |
Europe
Europe K1 Europe K2 Europe K3 |
include:europe.o365.crossware.co.nz -all
include:eu-k1.o365.crossware.co.nz -all include:eu-k2.o365.crossware.co.nz -all include:eu-k3.o365.crossware.co.nz -all |
France
|
include:france.o365.crossware.co.nz -all
|
USA
USA K1 |
include:usa.o365.crossware.co.nz -all
include:us-k1.o365.crossware.co.nz -all |
United Arab Emirates
|
include:uae-k1.o365.crossware.co.nz -all
|
QAT-K1 | include:qat-k1.o365.crossware.co.nz -all |
ALL* | include:o365.crossware.co.nz -all |
*Please only use ALL if you have been Provisioned in Production before 25 November 2018
Example: v=spf1 include:spf.protection.outlook.com include:aus-k1.o365.crossware.co.nz -all
NOTE: How to do this for this will vary depending on your configuration - check with your Network Administrator for assistance.
An example of a DNS record that has been updated to include the include:o365.crossware.co.nz -all value:

8. Use the Kitterman SPF Record Testing Tool (https://www.kitterman.com/spf/validate.html) again to confirm that include:o365.crossware.co.nz -all appears in your SPF records.
Type in your Domain Name and click Get SPF Record (if any)

The results should look like this example below:

NOTE: You will need to allow time for the DNS record changes to propagate which may take up to 24 hours.
9. Send a test email to any external email address to check that your emails are now being sent.