Need help setting up SPF Record

We are trying to setup an SPF using the Microsoft SPF Record Wizard website. I am a little confused on what IP addresses and or name I should use. Hopefully I can explain this without making things even more confusing.

We have a couple of different domain names that we can receive email with. The two below are good examples.

user@domain.us
user@domain.aero

Using the wizard to lookup the SPF

domain.us
No MX record found
A Record 208.255.91.52

domain.aero
A Record 208.255.91.52
MX Record 66.xx.xxx.xx
mail.domain.aero


My domain name uses the .us and not the .aero—domain.us is displayed in AD . When I use the SPF wizard it doesn’t find an MX record for the .us but only for the .aero. It does find an A record for both. If I type in the IP address of the A Record its takes us to the site that we registered our domain name with.  The MX record for the .aero points directly to our static exchange IP address.

We are using Server 2003, and Exchange 2003. The Exchange server is for both outbound and inbound mail.

I would have used the .aero address however, anytime we recieve a response back that an email wasnt delivered it has in the message <Server.domain.us #5.4.0>.

Any help with would be appreciated.
LVL 1
stevensimsAsked:
Who is Participating?
 
Hypercat (Deb)Connect With a Mentor Commented:
Your internal AD domain name is irrelevant in this scenario. If your statement that "domain.us is also assigned to that public IP address" is in fact correct, then you might need to fix this.  Unless "domain.us" is a publicly registered domain name, there should NOT be a public DNS record resolving domain.us to that IP address.  

As far as email, the public MX record points to mail.domain.aero.  The MX record is the only DNS record that affects where your email goes.  The warning you saw in the dnsreport referring to the mail server host name greeting is appearing because your mail server is misconfigured.  You really should fix this. Although 99% of the time it doesn't cause any problems, with SPF I believe it will.  To fix it:

1. In the Exchange ESM, go to the properties of the SMTP virtual server.
2. Go to the Delivery tab and click the Advanced button.
3. In the Fully qualified domain name box, type: mail.domain.aero.

You said that in AD, all your users have a domain.aero email address, and this is where all of your external email is delivered. You need to make sure that this is also set as the default email address.  Again, unless domain.us is a publicly registered domain name that you want to use to receive email, you should eliminate the domain.us addresses entirely - remove them from your RUS - you really don't need them.  If you do want to use domain.us as a public email address, then you would have to set up a public MX record for that domain.
0
 
MCPJoeCommented:
Did you try putting in the info into the SPF Wizard by hand, rather than let it pick?  If you know all your mail server addresses, you should still be able to use the wizard but manually input your IP or server names.  Then just take the resulting txt and add the TXT record in DNS.
0
 
Hypercat (Deb)Commented:
It looks like the public name of your mail server is mail.domain.aero, not mail.domain.us.  By your description, what I'm guessing is that domain.us is your internal (AD) domain name and domain.aero is your publicly registered domain name.You can confirm this by going to DNSstuff.com and running DNSreports against your domain using the .aero domain.  That would be the name that you need to use in your SPF setup.  
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
stevensimsAuthor Commented:
I went to DNSstuff and did the DNSreport. One section did fail when I ran that test.

NS section
All nameservers respond Failed
ERROR: Some of your nameservers listed at the parent nameservers did not respond. The ones that did not respond are:
65.211.123.36
Note: If you are running a Watchguard Firebox with DNS Proxy enabled, there may be a bug causing port numbers get mixed up -- if this is the case, you can contact Watchguard to see if they have a fix.

In the MX section everything passed and had the mail.domain.aero with our exchange static IP address listed.

In Mail section we had two warnings. One was no SPF and the other was a Mail server host name greeting—mail.domain.aero claims to be non-existent host server.domain.us. (This of course is actually the correct name for our email server.)

I went to the SPF setup website (not Microsoft) and it has our domain name .aero assigned to an external IP address --which is the site we have our website through.

The domain.aero has to be a public domain name, however domain.us is also assigned that same external IP address. Please correct me if I am wrong, I am assuming a user sends an email to myself it would first go to the domain.aero (Public) and then it would find that domain registered to domain.us. It would then send the email to our internal domain of domain.us (our exchange external IP)..Is that somewhat correct?

In setting up the SPF will I need both the external public IP address and our Exchange IP address?
0
 
stevensimsAuthor Commented:
Hi Hypercat,

I am not the original IT guy that set everything up, so I am not for sure why it is setup this way but we can receive emails with either .aero or .us. In active directory we have all of our users assigned with both (user1@domain.aero, user1@domain.us). If everything was setup with just the .aero i don’t think I would have had any problems. The .us was part of my confusion.
0
 
Hypercat (Deb)Commented:
Yeah, I can see why.  Unless I've misunderstood something or there's something out there in your configuration that you don't know about or haven't described, you really don't need those other addresses.  However, if you're at all unsure, you can leave them there.  As long as the @domain.aero addresses are set as the primary (default) addresses, then everything should work fine.  You can always check with your domain registry provider to see if the domain.us is actually registered if you don't know.

Looking again at your first post, I just noticed that it appears that there isn't any A record for the server name mail.domain.aero.  Unless you left it out by mistake.  You need to have this A record in place to resolve the host name mail.domain.aero to your public IP address.  If you need to double-check this, do a lookup through DNSstuff for A and MX records for domain.aero and see what you find.  You should see an A record for your public IP resolving to mail.domain.aero and an MX record pointing to mail.domain.aero.
0
 
stevensimsAuthor Commented:
Yes it did have that:

domain.aero MX record
mail.domain.aero            66.xxx.xx.x (Public Exchange IP address)

domain.aero A record
domain.aero                  208.255.91.52 (Public IP address)

It seems like everything is setup correctly.

0
All Courses

From novice to tech pro — start learning today.