osiexchange

I need to create an SPF record for our Domain. Have some questions

We are running a mix of Exchange 2003 and Exchange 2007. Right now, I have four SMTP servers sending email to the Internet: two 2003 and two 2007. They all have proper reverse lookups in DNS. We host our own DNS. I have been reading up on SPF records and I know we don't have any defined for our Domain. Is this something that others are doing, and what are the downfalls, if any? I am guessing I just put these records on our Public DNS servers. Has anyone else done this and not had a problem with mail flow? I am concerned that I might disrupt mail flow. Are there any good articles on how to do this in a typical Exchange environment?
ASKER CERTIFIED SOLUTION
tigermatt
osiexchange

ASKER

Thanks for that input. Let me ask this. If the receiving server has implemented SPF checking and the sender has not implemented SPF records, what happens to the email? In the absence of an SPF record of any kind on the sender side, does it just stop the checking? I can't imagine it will block anything because, like stated, a lot of servers don't have SPF records.

If the receiving server is configured correctly and has implemented SPF, then it will check the SPF records. If an SPF record exists for your domain, then it will cross-check all the information to ensure it is accurate before the message is accepted.

Without an SPF implementation for a particular mail domain, the message must still be accepted. Take up of SPF on sending email domains is not enough at this stage for mail servers to reject mail where the sending domain has no SPF.

-tigermatt

OK, so what I get from all this is if you are going to do SPF, then you need to do it right and be accurate or you could have problems. Otherwise, don't do it at all. I just need to find every server in my network that sends email and make sure it's listed in the SPF records. Seems to me that if we decided to do SPF checking ourselves, that could also lead to problems because companies that are sending to us may try to do SPF, but do it incorrectly, such as not including all SMTP server IP addresses, and we would reject their emails.

Yes, if you implement SPF then you need to get things right. You also need to remember that it is the PUBLIC names and IPs that you need to register on the SPF record, not the internal names or IP addresses.

If you start checking SPF, then companies should have already sorted out their records and got things running. It's their problem if you start rejecting their mail - they will soon receive NDR messages galore and will have to do something about it. Without checking SPF records, your server will just be another one out of the hundreds out there which isn't supporting this new standard.

-tigermatt
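
An added example (not part of the original thread) for the two points discussed above: publishing every public sending IP in the record, and what a checking receiver concludes when a record is missing or incomplete. The addresses are constructed documentation ranges, `build_spf` and `check_spf` are hypothetical names, and only the `ip4`, `ip6` and `all` mechanisms of RFC 7208 are handled.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: public addresses of four outbound SMTP servers.
SERVERS = ["192.0.2.10", "192.0.2.11", "203.0.113.20", "203.0.113.21"]


def build_spf(public_ips, default="~all"):
    """Return the TXT value that authorises each public sending IP."""
    terms = []
    for ip in public_ips:
        addr = ipaddress.ip_address(ip)
        # Internal addresses are never seen by the receiver, so refuse them.
        if any(addr in net for net in RFC1918):
            raise ValueError(f"{ip} is internal; publish the public address")
        terms.append(f"ip{addr.version}:{addr}")
    return " ".join(["v=spf1", *terms, default])


def check_spf(record, sender_ip):
    """Simplified receiver-side evaluation of one connecting IP."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for the domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"mechanism not handled here: {name}")
    return "neutral"  # RFC 7208 default when nothing matches


if __name__ == "__main__":
    record = build_spf(SERVERS)
    print(record)
    print("listed server:   ", check_spf(record, "203.0.113.20"))
    print("unlisted sender: ", check_spf(record, "198.51.100.7"))
    print("no record at all:", check_spf(None, "198.51.100.7"))
```

With `-all` in place of `~all`, a sending server that was left out of the list evaluates to `fail` rather than `softfail`, which is the mail-flow risk raised in the thread.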
OK, thanks for all this info. The reason I bring this up is we use Barracuda network appliances to accept all inbound email and there is a setting for SPF checking. The recommended default from Barracuda is to leave it off because it loads down the appliance doing all the checking on every email.