Solved

How to set up a SPF record

Posted on 2008-10-06
2,112 Views
Last Modified: 2012-06-27
I need help with something I do not really understand.  I am getting over a thousand delivery errors within a few minutes because some spammer is using one of my email addresses as the "reply to" address on the junk they are sending out.  I understand that the SPF record is supposed to help prevent this from happening, but I can't seem to figure out how to set this up properly.

Let me first describe the environment I have:

Four Dell Windows2003 servers:
Exchange2003 Server  ES01  xx.xx.xx.157
Domain Controller Server  DC01  xx.xx.xx.190
Web Server  WS01  xx.xx.xx.131 - 150
Web Server  WS02  xx.xx.xx.156
I am hosting several domain names on the web servers and accept email for all of them on the Exchange server.

My understanding is that I should add the SPF record to the DNS server on DC01.  (Is that a correct assumption?)

How do I include all the domains in the SPF record?  (Or do I create multiple records for each domain?)

Initially, I had just:

v=spf1 mx ~all

in the DNS of the primary domain on DC01.  I have also tried other variations:
v=spf1 mx a:ES01 include:domain1.com ~all
v=spf1 mx ptr mx:smtp.domain1.com ip4:65.98.147.157 mx:domain2.com ~all

None seem to be working based on testing at:
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

Can anyone walk me through what this record (or records) need to look like so that I can verify it works via the microsoft test site listed above?

Question by:grhelm

14 Comments
LVL 9

Accepted Solution

by:
pablovr earned 200 total points
When I did it, I established the SPF record in the ISP's DNS, not in my Domain Controller.

Here is a page with information and examples regarding SPF:

http://www.openspf.org/Introduction
LVL 2

Assisted Solution

by:ScottGranado
ScottGranado earned 300 total points
The record you have in place
"v=spf1 mx ~all" should probably be "v=spf1 mx -all"

The difference is that the tilde means that if it doesn't match then the server can still let the email pass.  With the minus you are saying: if the sending server does not match one of my MX servers for my domain then you should drop it.  This is what the -all is for.

Author Comment

by:grhelm
ScottGranado,

I have updated the entry to "v=spf1 mx -all"  However, when I run the Microsoft test, I still get:
===================================================================================
No SPF Record Found. A and MX Records Available
No SPF record has been found for the domain xxxxx.com. However, MX and/or A records currently exist for this domain.
 
Addresses Listed in A records
xx.xx.xx.135
Mail Servers Listed in MX Records
smtp.xxxxx.com xx.xx.xx.157
 
This information may be of assistance in creating your new SPF record.
===================================================================================
Does adding/changing the SPF entry have an immediate effect or does it take some sort of action (or time) to implement the change?
LVL 2

Assisted Solution

by:ScottGranado
ScottGranado earned 300 total points
Hey Grhelm,

A TXT record such as an SPF record has TTL values associated with it as well.  This means that it does take time to propagate back out if you change the SPF record and it's cached.  The best bet is to try another SPF checker that you've never used before, and therefore will not have your query cached.  Try: http://old.openspf.org/wizard.html

Also, reviewing the error message you posted, it is actually saying there is no SPF record, not that the SPF record is incorrect.  Make sure in DNS for your domain the SPF is a TXT record.  You can check this by going to http://iptools.com/ and putting in your domain in the DNS Lookup tool and choosing TXT from the drop down.

Author Comment

by:grhelm
ScottGranado,

When I go to http://old.openspf.org/wizard.html, the site is preloaded with the domain of my ISP???

The second site gives me the following response:
===================================================================================
; <<>> DiG 9.2.4 <<>> -t TXT grhelm.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;xxxxx.com. IN TXT

;; AUTHORITY SECTION:
xxxxx.com. 10800 IN SOA ns25.domaincontrol.com. dns.jomax.net. 2006090400 28800 7200 604800 86400

;; Query time: 53 msec
;; SERVER: 70.84.160.11#53(70.84.160.11)
;; WHEN: Wed Oct 8 11:08:29 2008
;; MSG SIZE rcvd: 96
===================================================================================
I have attached a screenshot of the SPF entry (attachment: spf.JPG).
LVL 2

Expert Comment

by:ScottGranado
Yeah, it definitely doesn't look like your DNS server is sending out your TXT record.

This is what I get when I look up the TXT record for grhelm.com:
> nslookup
> set type=txt
> grhelm.com
Server:  xxxxxxx
Address:  10.6.24.5

grhelm.com
        primary name server = ns25.domaincontrol.com
        responsible mail addr = dns.jomax.net
        serial  = 2006090400
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

do you have a TXT record on your public facing authoritative dns server?

Author Comment

by:grhelm
What is a "public facing authoritative dns server"??

All I have is a domain controller and that is where I have been putting this stuff...

Thanks.
Author Comment

by:grhelm
"All I have..."
LVL 2

Assisted Solution

by:ScottGranado
ScottGranado earned 300 total points
Is your domain controller handling the DNS for this domain?  Is this server accessible from the net?  If the domain you're having problems with is grhelm.com then the NS record is pointing to ns25.domaincontrol.com, so you would have to modify the SPF record on this server.

Author Comment

by:grhelm
Hmm,

ns25.domaincontrol.com is at godaddy.com.

And it does look like they give me the option to set up a SPF record there...

I guess now I need to figure out how to use their "wizard" to set this up....

Author Comment

by:grhelm
The wizard created this:

v=spf1 a mx include:xxxx.com -all  

(where xxxx.com is the ISP)
LVL 9

Assisted Solution

by:pablovr
pablovr earned 200 total points
As I said at the beginning, you should be doing this at your ISP's DNS.

Author Comment

by:grhelm
pablovr,

Okay, I'll give you that.

It looks like the one I created above is now visible.  Do I need to do the same thing for every domain name I have?
LVL 2

Expert Comment

by:ScottGranado
Yes, that's correct.
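As an added example (not code from this thread or from any of its posters), the following Python evaluator walks an SPF record the way a receiving mail server does, so the points made above can be checked offline: ScottGranado's distinction between "~all" (softfail) and "-all" (fail), the "a mx include:..." record the GoDaddy wizard produced delegating to an ISP via include:, the "none" result that the Microsoft wizard reported as "No SPF Record Found" while the record lived only on the internal domain controller, and the fact that each domain is judged against its own TXT record, which is why every hosted domain needs one. It runs against a constructed in-memory DNS table instead of live DNS; the names (example.com, soft.example, isp.example, hosted.example, loop.example, badinc.example) and addresses (203.0.113.x, 198.51.100.x, 192.0.2.x documentation ranges) are assumptions, not the poster's real records.

```python
"""Minimal SPF evaluator (RFC 7208 subset) with an injected, offline DNS table."""
import ipaddress

# Constructed DNS data for an offline run.  Names and addresses are made up
# (documentation ranges); they are not the records of anyone in the thread.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["smtp.example.com"],
    ("smtp.example.com", "A"): ["203.0.113.157"],
    ("soft.example", "TXT"): ["v=spf1 mx ~all"],
    ("soft.example", "MX"): ["smtp.example.com"],
    ("isp.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("hosted.example", "TXT"): ["v=spf1 a mx include:isp.example -all"],
    ("hosted.example", "A"): ["203.0.113.140"],
    ("hosted.example", "MX"): ["smtp.example.com"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
    ("badinc.example", "TXT"): ["v=spf1 include:nospf.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "include", "ptr", "exists")
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms


def lookup(dns, name, rrtype):
    return dns.get((name.lower().rstrip("."), rrtype), [])


def spf_record(dns, domain):
    """Return the single v=spf1 TXT record, or None if there is not exactly one."""
    recs = [r for r in lookup(dns, domain, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, addrs, cidr):
    """True if ip falls inside any addr/cidr (empty cidr means an exact host match)."""
    return any(ip in ipaddress.ip_network(f"{a}/{cidr or 32}", strict=False) for a in addrs)


def check_host(ip, domain, dns=ZONE, _budget=None):
    """Evaluate SPF for a message from `ip` whose MAIL FROM domain is `domain`.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    ip = ipaddress.ip_address(ip)
    budget = _budget if _budget is not None else [MAX_DNS_MECHANISMS]
    record = spf_record(dns, domain)
    if record is None:
        return "none"  # what the Microsoft wizard reports as "No SPF Record Found"
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not implemented in this demo
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in DNS_MECHANISMS:
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many lookups, e.g. an include: loop
        host, _, cidr = arg.partition("/")
        target = host or domain
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip_in(ip, lookup(dns, target, "A"), cidr)
        elif mech == "mx":
            matched = any(ip_in(ip, lookup(dns, mx, "A"), cidr)
                          for mx in lookup(dns, target, "MX"))
        elif mech == "include":
            inner = check_host(ip, target, dns, budget)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            matched = inner == "pass"
        else:
            matched = False  # ptr / exists / ip6 deliberately unsupported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an "all" term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.157", "example.com"), ("198.51.100.7", "example.com"),
                    ("198.51.100.7", "soft.example"), ("198.51.100.7", "hosted.example"),
                    ("192.0.2.1", "nospf.example"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>15} as {dom:<15} -> {check_host(ip, dom)}")
```

Running the module prints a result per sample sender. The same address that gets "fail" under "mx -all" gets "softfail" under "mx ~all", which is the practical reason for the -all advice above: receivers treat softfail as a hint, not a rejection. "none" is exactly the situation the thread ran into, a record that exists only on a DNS server the public cannot reach. The ptr mechanism is left out on purpose; RFC 7208 discourages it as slow and unreliable, and the demo simply treats it as not matching.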
