cysaw
Staff
Article Id 354916
Description

This article describes how to troubleshoot the 'SPF=TEMP-ERROR DNS error during evaluation'.

Scope

FortiMail.

Solution
  1. When the issue 'SPF=TEMP-ERROR DNS error during evaluation' occurs, the following entries appear in the FortiMail cross-search log.

    SPF: spf record could not be found
    SPF: temp error when querying DNS record
    SPF=TEMP-ERROR: (envelope from: user1@domain.com) DNS error during evaluation of domain.com

 

  2. Check the FortiMail system event log to see if there is any connection issue between the configured DNS server and FortiMail.

  3. FortiMail does not log DNS status changes frequently, so if the following DNS log entries appear in FortiMail, they might indicate a connection issue between the DNS server and FortiMail.

    DNS: Server x.x.x.x UDP status change (warning->ok).
    DNS: Server x.x.x.x is not reachable or is responding slowly via UDP (alert->warning).
    DNS: No UDP response from server x.x.x.x (warning->alert).

 

  4. Try changing the DNS server to a private DNS server or any other DNS server and verify the result.

 

  5. Disable all security scanning and SSL inspection on the upstream router to isolate the issue.

 

  6. If the issue persists, perform a traffic capture on the FortiMail and check whether the DNS server returns an error response or does not respond at all.

 

  7. For example, the traffic capture below shows that the DNS server responded with 'Server failure' to the FortiMail. In that case, try changing to any other DNS server and verify the result.

    [Image: traffic capture showing the DNS server's 'Server failure' response]
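
The check from the last steps, as an added example that is not part of the original article and not Fortinet code: a Python script that sends the same kind of TXT lookup an SPF check performs and separates an error reply such as 'Server failure' from no reply at all. The function names and the sample reply are constructed for illustration; treating SERVFAIL and timeouts as a temporary error (and NXDOMAIN as "none") follows RFC 7208.

```python
# Added example: function names and the sample reply are constructed, not FortiMail code.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_txt_query(domain, txid=0x5350):
    """Build a minimal DNS query for the TXT record set (where SPF lives)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in domain.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def classify_response(data, txid=0x5350):
    """Map a raw DNS reply (or None for a timeout) to the SPF-level outcome."""
    if data is None:
        return "no response (timeout): SPF temperror, check path to DNS server"
    if len(data) < 12:
        return "truncated/garbled reply: SPF temperror"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        return "unexpected packet (ID mismatch or not a response)"
    rcode = flags & 0x000F
    if rcode == 0:
        return f"NOERROR with {ancount} answer(s): DNS path is healthy"
    if rcode == 3:
        return "NXDOMAIN: domain does not exist (SPF none, not temperror)"
    return f"{RCODES.get(rcode, rcode)}: SPF temperror, the DNS server returned an error"

def probe(server, domain, timeout=3.0):
    """Send the TXT query over UDP/53 to one server and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_txt_query(domain), (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
        except OSError as exc:
            return f"socket error ({exc}): SPF temperror, check path to DNS server"
    return classify_response(data)

if __name__ == "__main__":
    # Constructed reply: the query header with QR=1, RA=1 and RCODE=2 (SERVFAIL).
    query = build_txt_query("domain.com")
    servfail = query[:2] + struct.pack("!H", 0x8182) + query[4:]
    print(classify_response(servfail))
    print(classify_response(None))
```

Calling `probe()` with the configured DNS server and then with an alternative one, from a host on the same network path as the FortiMail, shows whether the failure follows the server or the path.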