I've read through your question a few times and have a feeling I know what
might be wrong. If I'm right then it's not a problem with Exim, but that
you're missing one or more SPF records.
I think you're saying that:
1. Someone sends a message to the non-existent email address <
2. This message goes out via the mail service running on
3. The server finds the recipient email address is not valid so creates
a Non-Delivery Notification (NDN) to send back to the person who wrote the
4. This NDN is then either rejected, or received with a warning, by the
Cisco ESA because SPF failed as shown in the "Received-SPF:" header you
Is that correct?
If it is, then check you have got an SPF record set up for the name that
the mail server running on corp17.company.com.
When you send a normal message the sender address in the SMTP envelope (the
"MAIL FROM" address) is usually that of the person sending the message.
When the receiving mail server performs an SPF check it gets the domain
name of this email address and looks up its SPF record in the DNS, then
checks the IP address of the transmitting server against that record.
However a Non Delivery Notification is different; its sender address in the
SMTP envelope is the special empty address "<>". As you can see, being
empty it has no domain name. So a mail server receiving an NDN can't get a
domain name form there to look up an SPF record.
Instead it uses the string the server used to identify itself in the
HELO/EHLO command it issued when it connected and uses that as the domain
name to look up an SPF record for.
So if your corp17.company.com mail server:
- generates an NDN (ie, a message with an empty MAIL FROM address in the
SMTP envelope), and
- connects to the mail service on a system that checks SPF records, and
- identifies itself in the HELO/EHLO string as "corp17.company.com", then
- the receiving mail system will look for a TXT record in the DNS named "
corp17.company.com" to get the SPF record to check against.
I made exactly the same mistake when I first set up SPF here, not realising
I had to set up an SPF record in the DNS for each of our outgoing mail
servers. (Or, more accurately, the domain name they identify themselves as
in their HELO/EHLO greeting: which happens to also be their actual host
So here I have:
- an SPF record for our "york.ac.uk" domain so that normal emails have
their MAIL FROM address checked against this record, and
- an SPF record for each mail server that might generate an NDN so that
NDNs (ie, messages with "<>" as the MAIL FROM address) are authenticated
- york.ac.uk. IN TXT "v=spf1 ..."
- mailgw0.york.ac.uk. IN TXT "v=spf1 a -all"
- mailgw1.york.ac.uk. IN TXT "v=spf1 a -all"
- and so on
The individual SPF records for each mail server only need to identify
themselves (by using the "A" mechanism) and no others (by using the "-all"
To confirm this you can read the FAQ/Common Mistakes page at the OpenSPF
web site, in particular the question entitled *Publish SPF records for HELO
names used by your mail servers*:
You can also find the recommendations in the RFC for SPF:
- For the HELO identity: https://tools.ietf.org/html/rfc7208#section-2.3
- For bounces (NDNs): https://tools.ietf.org/html/rfc7208#section-10.1.3
*The First Step You Should Do*
The very first thing you should do is check your Exim logs to make sure
what I've written applies to you. That is, that the Non-Delivery
Notification is going out with a MAIL FROM address of "<>" in its SMTP
envelope. If your Exim logs show it it really does have "
postmas...@corp17.company.com" in the MAIL FROM address instead then:
- the solution I describe above doesn't apply to you, and
- your "NDN" isn't actually an NDN! (Those should have an empty "<>"
address as the MAIL FROM in the SMTP envelope.)
On 10 April 2018 at 16:51, Nazarevych Ol via Exim-users <firstname.lastname@example.org
> Hello, we have an issue with Non-Delivery Notification NDN in Exim 4.90_1
> There are 2 mail servers Exim and one as Email Spam Filtering - Cisco
> Ironport (ESA)
> The Primary Mail server:
> primary_hostname = main1.company.com, qualify_domain = company.com
> The Internal server for mass mailing:
> primary_hostname = corp17.company.com and the qualify_domain = company.com
> As MX server for domain company.com acts Cisco ESA so the all
> correspondence goes thru for a spam filtration.
> SPF, DKIM, and DMARK records configured correctly and everything works as
> well expect NDN Notification
> For SPF used rule for example:
> v=spf1 a mx ip4:126.96.36.199 ip4:188.8.131.52 ip4:184.108.40.206 -all
> But when someone try to sending an email through Internal server
> corp17.company.com to non existing email address for example
> the corp17.company.com forms a NDN mail to user from company.com domain
> and trying to sent it through MX server - Cisco ESA. As there were SPF
> configured for domain company.com Cisco ESA check field and report that
> Received-SPF: None (esa.company.com: no sender authenticity information
> available from domain of
> postmas...@corp17.company.com) identity=helo; client-ip=220.127.116.11;
> envelope-from=""; x-sender="postmas...@corp17.company.com";
> Off course there is no SPF records for domain: corp17.company.com - its
> only primary_hostname of the server.
> Why "Internal server" use primary_hostname instead qualify_domain ?
> I'll trying to set dsn_from = Mail Delivery System <Mailer-Daemon@
> $qualify_domain> but receive the same message above.
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/