Mail that is returned from our Mail Guard platform with the following error will indicate that the sending email failed to validate against the domain administrators SPF (Sender Policy Framework) record.
<5.7.1 <firstname.lastname@example.org>: Recipient address rejected: Rejected by SPF: 18.104.22.168 is not a designated mailserver for email@example.com (context mfrom, on xxx.xscanner.net); from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<sendingserver.host.com>
SPF is an authentication method that a domain administrator can set which sets out which IP addresses can send mail for their domain and this is used to prevent a domain being used by spammers, or to limit reach of spam sent from a domain from an authorised server.
A SPF reject will occur when either the domain is incorrectly setup for SPF, such as the domain owner sending from an IP which they have not added to the SPF entry, or where the mail is forwarded by a third party where the mail was originally sent to another domain but then forwarded to a different domain hosted with us.
The latter is far more common and is a technical challenge in how SPF is implemented. Thankfully, SRS (Sender Rewriting Scheme) fixes this by rewriting the sending address at the SMTP level so that it comes from a hostname owned by the mail forwarding company so our servers see that domain instead of the original envelope sender and thus has a valid SPF. The address seen in the clients email client still remains as the original sender address.
Email providers such as Gmail, automatically enforce SRS on all messages forwarded with no user configuration and this applies to most hosts. There are some hosts who only offer this on-demand which means you need to ask them to enable before it will start to work.
For hosts that do not offer SRS, there is no work around and the only option would be to move the domain to a host that does or natively add the domain to your hosting account with us so that mail is delivered natively.