Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Message Getting blocked for domain which do not pass SPF req

Can anybody help me out as some of the message Getting blocked for domain which do not pass SPF requirements and the blocked domains are already added in White List (Trusted Domains)

Community Member

Sure can...


I'll help you out, so feel free to post some information.

However I'm going to take a stab at the problem. The biggest mistake that people make when adding a domain to the HAT White List is they put the domain name in without a period, example "". From an IronPort perspective this would only match one host...the host with a PTR record for and the A record that points back to the IP address.

What you want to do is insure that you have a period in front of the domain name, new example "". This entry basically says we'll take any FQDN with the domain of so this would match,, outbound, etc. etc.

The second mistake that people make with the HAT is that they are under the impression that they can put the domain name that will be utilized in the MAIL FROM in the conversation. So going back to the domain, let's say that has a business unit called but all the mail goes through What some users do is put into the HAT but the problem is the IronPort compares data in the HAT to the DNS information of the sending server.

So in the above problem the HAT will never see anything for because all the mail comes from which would be the proper entry for the HAT file.

Hope this helps.


Jay Bivens
IronPort Systems

CreatePlease to create content