Exchange 2016 returning 550 5.7.1 when sending to our domain using 3rd party email sender sending on behalf of our domain

Question

We have an on-premise Exchange 2016 server. Mail flow is normal. However, recently we started using a 3rd party email service to send out our newsletters (Klaviyo). When we send out campaigns our Exchange server is rejecting the emails that are being sent to our own domain. This is what I see in our Exchange logs.

{[{LED=550 5.7.1 Send ID (PRA) Not permitted};{MSG=};{FQDN=};{IP=192.xxx.xxx.xxx};{LRT=}]}

I have an SPF record set up, however, Kalviyo uses dynamic IPs and I can't add them to the SPF record. They are sending from send.ourdomain.com. It's possible my SPF record is incorrect.

v=spf1 ip4:xxx.xxx.xxx.xxx ip4:xxx.xxx.xxx.xxx include:servers.mcsv.net -all include:send.ourdomain.com -all

I didn't set up the Exchange server, so I don't know if the issue is with an Exchange setting, or with our SPF record.

Where are all the places I need to look that would be able to create this reject error so I can resolve this issue?

Answer 1

If your SPF record is indeed the following:

v=spf1 ip4:xxx.xxx.xxx.xxx ip4:xxx.xxx.xxx.xxx include:servers.mcsv.net -all include:send.ourdomain.com -all

Then it is malformed. The -all should only be at the end. You have it in the middle and at the end. If you provide your actual domain name we can look up your SPF record to verify that it's malformed or if that was just a typo in your question.