
Solved

How to set up a SPF record

Posted on 2008-10-06
2,128 Views
Last Modified: 2012-06-27
I need help with something I do not really understand. I am getting over a thousand delivery errors within a few minutes because some spammer is using one of my email addresses as the "reply to" address on the junk they are sending out. I understand that the SPF record is supposed to help prevent this from happening, but I can't seem to figure out how to set this up properly.

Let me first describe the environment I have:

Four Dell Windows2003 servers:
Exchange2003 Server  ES01  xx.xx.xx.157
Domain Controller Server  DC01  xx.xx.xx.190
Web Server  WS01  xx.xx.xx.131 - 150
Web Server  WS02  xx.xx.xx.156
I am hosting several domain names on the web servers and accept email for all of them on the Exchange server.

My understanding is that I should add the SPF record to the DNS server on DC01.  (Is that a correct assumption?)

How do I include all the domains in the SPF record?  (Or do I create multiple records for each domain?)

Initially, I had just:

v=spf1 mx ~all

in the DNS of the primary domain on DC01.  I have also tried other variations:
v=spf1 mx a:ES01 include:domain1.com ~all
v=spf1 mx ptr mx:smtp.domain1.com ip4:65.98.147.157 mx:domain2.com ~all

None seem to be working based on testing at:
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ 

Can anyone walk me through what this record (or records) need to look like so that I can verify it works via the microsoft test site listed above?

Question by:grhelm
14 Comments

Accepted Solution
by: pablovr
ID: 22654845
When I did it, I established the SPF record in the ISP's DNS, not in my Domain Controller.

Here is a page with information and examples regarding SPF:

http://www.openspf.org/Introduction

Assisted Solution
by: ScottGranado
ID: 22664612
The record you have in place
"v=spf1 mx ~all" should probably be "v=spf1 mx -all"

The difference is that the tilde means that if it doesn't match then the server can still let the email pass. With the minus you are saying: if the sending server does not match one of my MX servers for my domain then you should drop it. This is what the -all is for.
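Added example (not ScottGranado's code, nor anything posted in the thread): a small offline SPF evaluator in Python that shows what a receiving mail server actually does with the record. It evaluates mx, a, ip4 and include against a constructed DNS table (example.com, smtp.example.com, isp.example.net and the other names are placeholders, and the addresses are RFC 5737 documentation ranges, not the poster's hosts), and it enforces two checks the thread does not mention: a domain publishing more than one v=spf1 record is a permerror, and a record that needs more than ten DNS-querying mechanisms (a, mx, include, ptr, exists) is a permerror under RFC 7208 section 4.6.4.

```python
"""Offline SPF check_host() for an IPv4 sender (RFC 7208), added as an example.

The DNS table is constructed: placeholder zone names and RFC 5737
documentation addresses stand in for the poster's Exchange server, web
servers and ISP relay. Nothing here queries real DNS.
"""
import ipaddress

DNS = {
    # One Exchange box behind the MX, a web server on its own address.
    "example.com": {"TXT": ["v=spf1 mx -all"],
                    "MX": ["smtp.example.com"], "A": ["198.51.100.135"]},
    "smtp.example.com": {"A": ["198.51.100.157"]},
    # Same hosts with the softfail qualifier the poster started with.
    "softfail.example.com": {"TXT": ["v=spf1 mx ~all"], "MX": ["smtp.example.com"]},
    # The shape the registrar wizard produced: a, mx and an include of the ISP.
    "hosted.example.org": {"TXT": ["v=spf1 a mx include:isp.example.net -all"],
                           "MX": ["smtp.example.com"], "A": ["198.51.100.131"]},
    "isp.example.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # Eleven DNS-querying mechanisms: over the RFC 7208 s4.6.4 limit of ten.
    "toomany.example.com": {"TXT": ["v=spf1 " + "mx " * 11 + "-all"],
                            "MX": ["smtp.example.com"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def parse_term(term):
    """Split '[qualifier]mechanism[:domain][/cidr]' into (qualifier, mech, arg, cidr)."""
    qual = "+"
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    mech, _, arg = term.partition(":")
    cidr = None
    if "/" in mech:                       # "mx/24": prefix length, no domain-spec
        mech, cidr = mech.split("/", 1)
    elif mech.lower() != "ip6" and "/" in arg:
        arg, cidr = arg.rsplit("/", 1)
    return QUALIFIERS[qual], mech.lower(), arg, int(cidr) if cidr else 32


def in_net(ip, addr, cidr):
    return ip in ipaddress.ip_network(f"{addr}/{cidr}", strict=False)


def check_host(ip, domain, lookups=None):
    """Return (result, reason). `lookups` is shared through include: recursion so
    the ten-lookup limit covers the whole evaluation, as the RFC requires."""
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups
    records = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none", f"no SPF record published for {domain}"
    if len(records) > 1:
        return "permerror", f"{domain} publishes more than one SPF record"
    for term in records[0].split()[1:]:
        if "=" in term:                   # modifiers (redirect=, exp=) are not handled here
            continue
        qual, mech, arg, cidr = parse_term(term)
        target = arg or domain
        if mech in ("a", "mx", "include", "ptr", "exists"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", "more than 10 DNS-querying mechanisms"
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = in_net(ip, arg, cidr)
        elif mech == "ip6":               # an IPv6 network never contains a v4 sender
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(in_net(ip, a, cidr) for a in lookup(target, "A"))
        elif mech == "mx":
            matched = any(in_net(ip, a, cidr)
                          for mx in lookup(target, "MX") for a in lookup(mx, "A"))
        elif mech == "include":           # only a pass from the included policy matches
            sub, _ = check_host(ip, target, lookups)
            if sub in ("none", "permerror"):
                return "permerror", f"include:{target} evaluated to {sub}"
            matched = sub == "pass"
        else:                             # ptr (deprecated, s5.5) / exists: no data here
            matched = False
        if matched:
            return qual, f"matched {term}"
    return "neutral", "no mechanism matched and no 'all' term"


def evaluate_cases():
    """Sender scenarios from the thread; returns {case: result}."""
    return {
        "exchange server, -all record": check_host("198.51.100.157", "example.com")[0],
        "web server, mx-only record": check_host("198.51.100.135", "example.com")[0],
        "forged sender, -all": check_host("192.0.2.77", "example.com")[0],
        "forged sender, ~all": check_host("192.0.2.77", "softfail.example.com")[0],
        "ISP relay via include": check_host("203.0.113.10", "hosted.example.org")[0],
        "domain with no record": check_host("192.0.2.77", "nospf.example.com")[0],
        "record over the lookup limit": check_host("192.0.2.77", "toomany.example.com")[0],
    }


if __name__ == "__main__":
    for case, result in evaluate_cases().items():
        print(f"{result:10} {case}")
```

Running it gives pass for the Exchange server's address against the -all record, fail for a forged sender against the same record, and softfail for that forged sender against the ~all variant, which is the difference described in the comment above: ~all still lets the message through, -all tells the receiver to reject it. Note that "mx" alone does not authorize the web server's own address, so a record of "v=spf1 mx -all" only holds if every legitimate message really leaves through the Exchange box behind the MX. The ptr mechanism from one of the poster's attempts is counted toward the lookup limit but never matches here; RFC 7208 section 5.5 says it should not be used.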
 

Author Comment
by: grhelm
ID: 22670781
ScottGranado,

I have updated the entry to "v=spf1 mx -all"  However, when I run the Microsoft test, I still get:
===================================================================================
No SPF Record Found. A and MX Records Available
No SPF record has been found for the domain xxxxx.com. However, MX and/or A records currently exist for this domain.
 
Addresses Listed in A records
xx.xx.xx.135
Mail Servers Listed in MX Records
smtp.xxxxx.com xx.xx.xx.157
 
This information may be of assistance in creating your new SPF record.
===================================================================================
Does adding/changing the SPF entry have an immediate effect or does it take some sort of action (or time) to implement the change?

Assisted Solution
by: ScottGranado
ID: 22671299
Hey Grhelm,

A TXT record such as an SPF record has TTL values associated as well. This means that it does take time to propagate back out if you change the SPF record and it's cached. The best bet is to try another SPF checker that you've never used before, and therefore will not have your query cached. Try: http://old.openspf.org/wizard.html

Also, reviewing the error message you posted, it is actually saying there is no SPF record, not that the SPF record is incorrect. Make sure in DNS for your domain the SPF is a TXT record. You can check this by going to http://iptools.com/ and putting in your domain in the DNS Lookup tool and choosing TXT from the drop down.

Author Comment
by: grhelm
ID: 22671430
ScottGranado,

When I go to http://old.openspf.org/wizard.html, the site is preloaded with the domain of my ISP???

The second site gives me the following response:
===================================================================================
; <<>> DiG 9.2.4 <<>> -t TXT grhelm.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;xxxxx.com. IN TXT

;; AUTHORITY SECTION:
xxxxx.com. 10800 IN SOA ns25.domaincontrol.com. dns.jomax.net. 2006090400 28800 7200 604800 86400

;; Query time: 53 msec
;; SERVER: 70.84.160.11#53(70.84.160.11)
;; WHEN: Wed Oct 8 11:08:29 2008
;; MSG SIZE rcvd: 96
===================================================================================
I have attached a screenshot of the SPF entry.
spf.JPG

Expert Comment
by: ScottGranado
ID: 22671547
Yeah, it definitely doesn't look like your DNS server is sending out your TXT record:

This is what I get when I look up the TXT record for grhelm.com:
> nslookup
> set type=txt
> grhelm.com
Server:  xxxxxxx
Address:  10.6.24.5

grhelm.com
        primary name server = ns25.domaincontrol.com
        responsible mail addr = dns.jomax.net
        serial  = 2006090400
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

Do you have a TXT record on your public facing authoritative DNS server?
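Added example, not part of the thread: a Python reading of the dig output pasted above. NOERROR with ANSWER: 0 and an SOA in the AUTHORITY section is a NODATA response: the public zone is served by the nameserver named in that SOA (ns25.domaincontrol.com in the poster's case) and it simply has no TXT record, which is a different situation from NXDOMAIN (the name does not exist at all) or from a TXT record that exists but is not SPF. The three responses in the block are constructed with placeholder names (example.com, ns1.registrar.example, a.tld.example) in the layout dig prints, and the advice strings are this example's, not any checker's.

```python
"""Read a dig TXT response and say why an SPF lookup came back empty.
Added as an example; the responses below are constructed with placeholder
names (example.com, ns1.registrar.example) in the same layout dig prints."""
import re

DIG_NODATA = """\
; <<>> DiG 9.2.4 <<>> -t TXT example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com. IN TXT

;; AUTHORITY SECTION:
example.com. 10800 IN SOA ns1.registrar.example. hostmaster.registrar.example. 2006090400 28800 7200 604800 86400

;; Query time: 53 msec
"""

DIG_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.com. 3600 IN TXT "v=spf1 a mx include:isp.example.net -all"
example.com. 3600 IN TXT "site-verification=abc123"
"""

DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
com. 900 IN SOA a.tld.example. hostmaster.tld.example. 1 1800 900 604800 86400
"""

ADVICE = {
    "nxdomain": "the name does not exist in public DNS at all; check the zone/NS delegation",
    "nodata": "the public zone exists but has no TXT record: add the SPF at the nameserver "
              "that is primary for it (the SOA MNAME), not on an internal DNS server",
    "spf": "an SPF record is published; if a checker still says none, wait out the TXT TTL",
    "txt_without_spf": "TXT records exist but none starts with v=spf1",
    "multiple_spf": "more than one v=spf1 record: checkers treat this as permerror",
}


def parse_dig(text):
    """Return (status, answer_rrs, authority_rrs); an RR is (name, ttl, class, type, rdata)."""
    status = re.search(r"status: (\w+)", text).group(1)
    section, rrs = None, {"ANSWER": [], "AUTHORITY": []}
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]
            continue
        if not line.strip() or line.startswith(";"):
            continue                      # banner, header, question line
        if section in rrs:
            rrs[section].append(tuple(line.split(None, 4)))
    return status, rrs["ANSWER"], rrs["AUTHORITY"]


def diagnose(text):
    """Return (verdict, spf_record_or_None, primary_ns_from_SOA_or_None)."""
    status, answers, authority = parse_dig(text)
    soa = next((rr for rr in authority if rr[3] == "SOA"), None)
    primary_ns = soa[4].split()[0] if soa else None
    if status != "NOERROR":
        return status.lower(), None, primary_ns
    if not answers:                       # NOERROR + no answer + SOA in authority = NODATA
        return "nodata", None, primary_ns
    # dig quotes TXT rdata; multi-string records are left as one string here
    txt = [rr[4].strip().strip('"') for rr in answers if rr[3] == "TXT"]
    spf = [t for t in txt if t.lower().startswith("v=spf1")]
    if len(spf) == 1:
        return "spf", spf[0], primary_ns
    return ("multiple_spf" if spf else "txt_without_spf"), None, primary_ns


if __name__ == "__main__":
    for name, text in (("nodata", DIG_NODATA), ("answer", DIG_ANSWER), ("nxdomain", DIG_NXDOMAIN)):
        verdict, spf, ns = diagnose(text)
        print(f"{name:9} -> {verdict}: {ADVICE.get(verdict, '')} (SOA primary: {ns})")
```

Pointing dig straight at the primary nameserver named in the SOA (dig TXT example.com @ns1.registrar.example) takes resolver caching out of the picture, so a NODATA answer from there means the record really is absent from the public zone rather than not yet expired from a cache.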
 

Author Comment
by: grhelm
ID: 22671573
What is a "public facing authoritative dns server"??

All I have is a domain controller and that is where I have been putting this stuff...

Thanks.

Author Comment
by: grhelm
ID: 22671594
"All I have..."

Assisted Solution
by: ScottGranado
ID: 22671611
Is your domain controller handling the DNS for this domain? Is this server accessible from the net? If the domain you're having problems with is grhelm.com then the NS server is pointing to ns25.domaincontrol.com, so you would have to modify the SPF record on this server.

Author Comment
by: grhelm
ID: 22671686
Hmm,

ns25.domaincontrol.com is at godaddy.com.

And it does look like they give me the option to set up a SPF record there...

I guess now I need to figure out how to use their "wizard" to set this up....

Author Comment
by: grhelm
ID: 22671754
The wizard created this:

v=spf1 a mx include:xxxx.com -all  

(where xxxx.com is the ISP)

Assisted Solution
by: pablovr
ID: 22672600
As I said at the beginning, you should be doing this at your ISP's DNS.

Author Comment
by: grhelm
ID: 22673231
pablovr,

Okay, I'll give you that.

It looks like the one I created above is now visible. Do I need to do the same thing for every domain name I have?

Expert Comment
by: ScottGranado
ID: 22673627
Yes, that's correct.