How to set up a SPF record

I need help with something I do not really understand.  I am getting over a thousand delivery errors within a few minutes because some spammer is using one of my email address as the "reply to" address on the junk they are sending out.  I understand that the SPF record is supposed to help prevent this from happening, but I can't seem to figure out how to set this up properly.

Let me first describe the environment I have:

Four Dell Windows2003 servers:
Exchange2003 Server  ES01  xx.xx.xx.157
Domain Controller Server  DC01  xx.xx.xx.190
Web Server  WS01  xx.xx.xx.131 - 150
Web Server  WS02  xx.xx.xx.156
I am hosting several domain names on the web servers and accept email for all of them on the Exchange server.

My understanding is that I should add the SPF record to the DNS server on DC01.  (Is that a correct assumption?)

How do I include all the domains in the SPF record?  (Or do I create multiple records for each domain?)

Initially, I had just:

v=spf1 mx ~all

in the DNS of the primary domain on DC01.  I have also tried other variations:
v=spf1 mx a:ES01 include:domain1.com ~all
v=spf1 mx ptr mx:smtp.domain1.com ip4:65.98.147.157 mx:domain2.com ~all

None seem to be working based on testing at:
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ 

Can anyone walk me through what this record (or records) need to look like so that I can verify it works via the microsoft test site listed above?

grhelmAsked:
Who is Participating?
 
pablovrConnect With a Mentor Commented:
When I did it, I established the SPF record in the ISP´s DNS, not in my Domain Controller.

Here is a page with information and examples regarding SPF:

http://www.openspf.org/Introduction
0
 
ScottGranadoConnect With a Mentor Commented:
The record you have in place
"v=spf1 mx ~all"  should probaly be "v=spf1 mx -all"

The diffrence is that the tilde means that if it doesn't match then the server can still let the email pass.  With the minus you are saying.  If the sending server does not match one of my MX servers for my domain then you should drop it.  this is what the -all is for.
0
 
grhelmAuthor Commented:
ScottGranado,

I have updated the entry to "v=spf1 mx -all"  However, when I run the Microsoft test, I still get:
===================================================================================
No SPF Record Found. A and MX Records Available
No SPF record has been found for the domain xxxxx.com. However, MX and/or A records currently exist for this domain.
 
Addresses Listed in A records
xx.xx.xx.135
Mail Servers Listed in MX Records
smtp.xxxxx.com xx.xx.xx.157
 
This information may be of assistance in creating your new SPF record.
===================================================================================
Does adding/changing the SPF entry have an immediate affect or does it take some sort of action (or time) to implement the change?
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
ScottGranadoConnect With a Mentor Commented:
Hey Grhelm,

a txt record such as a spf has TTL values associated as well.  this means that it does take time to propagate back out if you change the spf record and its cached.  The best bet is to try another spf checker that you've never used before, and therefore, will not have your query cached.  Try: http://old.openspf.org/wizard.html

Also, reviewing the error message you posted, it is actually saying there is no spf record.  not that the spf record is incorrect.  Make sure in DNS for your domain the SPF is  TXT record.  You can check this by going to http://iptools.com/ and putting in your domain in the DNS Lookup tool and choosing TXT from the drop down.
0
 
grhelmAuthor Commented:
ScottGranado,

When I go to http://old.openspf.org/wizard.html, the site is preloded with the domain of my ISP???

The second site gives me the folllowing reponse:
===================================================================================
; <<>> DiG 9.2.4 <<>> -t TXT grhelm.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;xxxxx.com. IN TXT

;; AUTHORITY SECTION:
xxxxx.com. 10800 IN SOA ns25.domaincontrol.com. dns.jomax.net. 2006090400 28800 7200 604800 86400

;; Query time: 53 msec
;; SERVER: 70.84.160.11#53(70.84.160.11)
;; WHEN: Wed Oct 8 11:08:29 2008
;; MSG SIZE rcvd: 96
===================================================================================
I have attached a screenshot of the SPF entry.



spf.JPG
0
 
ScottGranadoCommented:
yea it defintily doesn't look like your DNS server is sending out your TXT record:

This is what i get when i look up the txt record for grhelm.com:
> nslookup
> set type=txt
> grhelm.com
Server:  xxxxxxx
Address:  10.6.24.5

grhelm.com
        primary name server = ns25.domaincontrol.com
        responsible mail addr = dns.jomax.net
        serial  = 2006090400
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

do you have a TXT record on your public facing authoritative dns server?
0
 
grhelmAuthor Commented:
What is a "public facing authoritative dns server"??

AI have a domin controller and that is where I have been putting this stuff...

Thanks.
0
 
grhelmAuthor Commented:
"All I have..."
0
 
ScottGranadoConnect With a Mentor Commented:
is your domain controller handling the DNS for this domain?  is this server accessible from the net?  If the domain your having problems with is grhelm.com then the NS server is pointing to ns25.domaincontrol.com so you would have to modify the SPF record on this server.
0
 
grhelmAuthor Commented:
Hmm,

ns25.domaincontrol.com is at godaddy.com.

And it does look like they give me the option to set up a SPF record there...

I guess now  I need to figure out how to use their "wizard" to set this up....
0
 
grhelmAuthor Commented:
The wizard created this:

v=spf1 a mx include:xxxx.com -all  

(where xxxx.com is the ISP)
0
 
pablovrConnect With a Mentor Commented:
Is I said at the beginning, you should be doing this at your ISP´s DNS.
0
 
grhelmAuthor Commented:
pablovr,

Okay, I'll give you that.

It looks like the one I created above is now visable, do I need to do the same thing for every domain name I have?
0
 
ScottGranadoCommented:
yes thats correct
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.