Need help setting up SPF Record

Posted on 2007-04-03
Last Modified: 2008-02-01
We are trying to setup an SPF using the Microsoft SPF Record Wizard website. I am a little confused on what IP addresses and or name I should use. Hopefully I can explain this without making things even more confusing.

We have a couple of different domain names that we can receive email with. The two below are good examples.

Using the wizard to lookup the SPF
No MX record found
A Record
A Record
MX Record

My domain name uses the .us and not the .aero— is displayed in AD . When I use the SPF wizard it doesn’t find an MX record for the .us but only for the .aero. It does find an A record for both. If I type in the IP address of the A Record its takes us to the site that we registered our domain name with.  The MX record for the .aero points directly to our static exchange IP address.

We are using Server 2003, and Exchange 2003. The Exchange server is for both outbound and inbound mail.

I would have used the .aero address however, anytime we recieve a response back that an email wasnt delivered it has in the message < #5.4.0>.

Any help with would be appreciated.
Question by:stevensims
  • 3
  • 3

Expert Comment

ID: 18846138
Did you try putting in the info into the SPF Wizard by hand, rather than let it pick?  If you know all your mail server addresses, you should still be able to use the wizard but manually input your IP or server names.  Then just take the resulting txt and add the TXT record in DNS.
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 18846157
It looks like the public name of your mail server is, not  By your description, what I'm guessing is that is your internal (AD) domain name and is your publicly registered domain name.You can confirm this by going to and running DNSreports against your domain using the .aero domain.  That would be the name that you need to use in your SPF setup.  

Author Comment

ID: 18846669
I went to DNSstuff and did the DNSreport. One section did fail when I ran that test.

NS section
All nameservers respond Failed
ERROR: Some of your nameservers listed at the parent nameservers did not respond. The ones that did not respond are:
Note: If you are running a Watchguard Firebox with DNS Proxy enabled, there may be a bug causing port numbers get mixed up -- if this is the case, you can contact Watchguard to see if they have a fix.

In the MX section everything passed and had the with our exchange static IP address listed.

In Mail section we had two warnings. One was no SPF and the other was a Mail server host name greeting— claims to be non-existent host (This of course is actually the correct name for our email server.)

I went to the SPF setup website (not Microsoft) and it has our domain name .aero assigned to an external IP address --which is the site we have our website through.

The has to be a public domain name, however is also assigned that same external IP address. Please correct me if I am wrong, I am assuming a user sends an email to myself it would first go to the (Public) and then it would find that domain registered to It would then send the email to our internal domain of (our exchange external IP)..Is that somewhat correct?

In setting up the SPF will I need both the external public IP address and our Exchange IP address?
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

LVL 38

Accepted Solution

Hypercat (Deb) earned 125 total points
ID: 18846759
Your internal AD domain name is irrelevant in this scenario. If your statement that " is also assigned to that public IP address" is in fact correct, then you might need to fix this.  Unless "" is a publicly registered domain name, there should NOT be a public DNS record resolving to that IP address.  

As far as email, the public MX record points to  The MX record is the only DNS record that affects where your email goes.  The warning you saw in the dnsreport referring to the mail server host name greeting is appearing because your mail server is misconfigured.  You really should fix this. Although 99% of the time it doesn't cause any problems, with SPF I believe it will.  To fix it:

1. In the Exchange ESM, go to the properties of the SMTP virtual server.
2. Go to the Delivery tab and click the Advanced button.
3. In the Fully qualified domain name box, type:

You said that in AD, all your users have a email address, and this is where all of your external email is delivered. You need to make sure that this is also set as the default email address.  Again, unless is a publicly registered domain name that you want to use to receive email, you should eliminate the addresses entirely - remove them from your RUS - you really don't need them.  If you do want to use as a public email address, then you would have to set up a public MX record for that domain.

Author Comment

ID: 18846900
Hi Hypercat,

I am not the original IT guy that set everything up, so I am not for sure why it is setup this way but we can receive emails with either .aero or .us. In active directory we have all of our users assigned with both (, If everything was setup with just the .aero i don’t think I would have had any problems. The .us was part of my confusion.
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 18846978
Yeah, I can see why.  Unless I've misunderstood something or there's something out there in your configuration that you don't know about or haven't described, you really don't need those other addresses.  However, if you're at all unsure, you can leave them there.  As long as the addresses are set as the primary (default) addresses, then everything should work fine.  You can always check with your domain registry provider to see if the is actually registered if you don't know.

Looking again at your first post, I just noticed that it appears that there isn't any A record for the server name  Unless you left it out by mistake.  You need to have this A record in place to resolve the host name to your public IP address.  If you need to double-check this, do a lookup through DNSstuff for A and MX records for and see what you find.  You should see an A record for your public IP resolving to and an MX record pointing to

Author Comment

ID: 18847127
Yes it did have that: MX record   (Public Exchange IP address) A record         (Public IP address)

It seems like everything is setup correctly.


Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
Utilizing an array to gracefully append to a list of EmailAddresses
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to:…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now