Solved

How to create/update SPF in exchange 2003

Posted on 2009-12-18
Last Modified: 2012-06-27
Some clients cannot email us, we cannot email some clients, some internal emails go to spam folders, and some spam goes to inbox folders. I checked for SPF and it does not exist. How do I create one and where is it supposed to be located?
Question by:sergenet
42 Comments
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26082824
A missing SPF will not stop you receiving mail but it might stop other people receiving your mail.

You need to ask whoever controls your external DNS to set up a TXT record.

To work out what needs to go in the TXT record run this wizard: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 26083272
The SPF record needs to be created in your public DNS zone. This is usually hosted by your ISP, or it could be hosted by your domain registry provider, just depends on how your domain was set up.  The type of record for SPF is "TXT," so if you have access to a control panel for your public DNS zone, you might be able to add it yourself, or you might have to contact your ISP/domain registry DNS support department.
SPF will help, but you also might want to check to be sure that there is a PTR (rDNS) record for your mail server as well. The PTR record has to be placed on the DNS server of the provider that owns your block of IP addresses - this is usually your ISP. You may find that you have a PTR record from your ISP, but that it points to a generic host name instead of your mail server host name. This will be fine in most instances, but if you want to be sure it will work in all cases, you can request your ISP to change it so that it points to the exact public host name of your email server.
This will not, however, fix problems related to internal emails going to spam folders. What spam filtering software are you using?
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 400 total points
ID: 26083279
Also, here is another source for a wizard on how to set up an SPF record:
http://www.openspf.org/ 
0

 
LVL 74

Expert Comment

by:Glen Knight
ID: 26083286
Don't think the openspf one is working that's why I posted the Microsoft one.
0
 

Author Comment

by:sergenet
ID: 26083400
I set up the SPF as a text record already. The PTR record exists and is correct. I am using Symantec security for Exchange server. SPF will (hopefully) solve the problem of some of our clients not receiving our emails, but why can't we receive some of our clients' emails? Maybe two or three in total? I will email a test message to the clients whom we are unable to send mail to to see if it works now. Thanks for the speedy reply.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26083436
Are the people trying to send you messages receiving any NDR message?
0
 

Author Comment

by:sergenet
ID: 26083460
I have yet to find out. It would help if they told me what error messages they are getting. I will post when I find out.
0
 

Author Comment

by:sergenet
ID: 26083517
Here is one I just sent a test email to and got bounced back:
Your message did not reach some or all of the intended recipients.

      Subject:      test
      Sent:      12/18/2009 12:01 PM

The following recipient(s) could not be reached:

      'brownhouse@altrionet.com' on 12/18/2009 12:01 PM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <onyxarchitects.com #5.5.0 smtp;554 Sending address not accepted due to spam filter>
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26083524
That's Symantec blocking it.
Set their domain name up in the whitelist.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26083527
No sorry that's their SPAM filter.
Ask them to add your domain name in as a whitelist domain.

It's not unusual, my domain gets blocked as SPAM sometimes.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 26083674
@demazter - you're right about the OpenSPF link, I couldn't get the site to load either.
@sergenet - have you checked to make sure your domain hasn't gotten on some blacklist somewhere? It might be worthwhile just to check to be sure. There are some blacklists out there that list dynamic IP addresses that actually aren't dynamic any more, and you could be caught by one of them. Here's one on-line source for checking (there are others, too):
www.mxtoolbox.com/blacklists.aspx 
 
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26083718
Also your lack of SPF record will cause you to be treated as SPAM.
It can take 24 hours or so for this to run through the internet.  So if you have only just created it I would hold fire for a while.
0
 

Author Comment

by:sergenet
ID: 26084034
I have checked for blacklisting several times and all are ok except these that time out.
CSMA  TIMEOUT ERROR, Reponse code=2   0
DUINV  TIMEOUT ERROR, Reponse code=2   0
ORVEDB  TIMEOUT ERROR, Reponse code=2   0
RSBL  TIMEOUT ERROR, Reponse code=2   0
Spamhaus-ZEN  TIMEOUT   0
SPAMRBL  TIMEOUT ERROR, Reponse code=2   0
 Also we used a dynamic ip for about a month while we were moving and then were assigned a static ip again. Since then we have been having problems.

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26084064
It will take time for your SPF record to go through.
Also check with your ISP you do actually have a static address.

Also find out if they have a smart relay you could use instead of using DNS?
0
 

Author Comment

by:sergenet
ID: 26084412
I will leave this question open for 24 hours to give time for the SPF to work itself through the network. Will post again Monday to see if all is well. Thanks.
0
 

Author Comment

by:sergenet
ID: 26097256
Still no SPF showing when I do a lookup. I did a port lookup and the following is showing:
3 open ports:

  25 smtp Success 62 ms
  80 http Success 62 ms
  443 https Success 62 ms

These ports were closed:

  21 ftp Timeout 0 ms
  22 ssh Timeout 0 ms
  23 telnet Timeout 0 ms
  53 dns Timeout 0 ms
  110 pop3 Timeout 0 ms
  143 imap No connection could be made because the target machine actively refused it 69.199.57.100:143 0 ms
  139 netbios Timeout 0 ms
  389 ldap Timeout 0 ms
  587 msa-outlook Timeout 0 ms
  1433 sql server Timeout 0 ms
  3306 my sql Timeout 0 ms
  3389 remote desktop Timeout 0 ms
  8080 webcache Timeout 0 ms

Is this normal?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26097275
That looks fine.

However if the SPF is not showing you need to get on to whoever controls your external DNS and find out why it's not sticking.
0
 

Author Comment

by:sergenet
ID: 26097402
I will call them right now.
0
 

Author Comment

by:sergenet
ID: 26097768
The name servers were pointing to the wrong place and now that I corrected them, the SPF is coming out ok. I will resend a test message to the clients whom we are not able to reach and see if it works now. I will post as soon as I know the status of the sent emails.
0
 

Author Comment

by:sergenet
ID: 26097924
I sent a test email to 3 clients and all three are sitting in the exchange queue.
1 to adelphia.net
1 to cox.net
1 to juno.com
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26097939
SPAM/Virus software on your server?
Can you uninstall it?
0
 

Author Comment

by:sergenet
ID: 26098437
I use Symantec Mail Security for Exchange.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26098456
Can you uninstall it and see if the queues empty?
It's not unusual for Symantec to do this!
0
 

Author Comment

by:sergenet
ID: 26098490
ok, I will uninstall.
0
 

Author Comment

by:sergenet
ID: 26098655
I uninstalled it and forced the connection on the emails in queue but still nothing. They are waiting for retry.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26098672
How is your DNS configured?
Is the Exchange Server pointing to a valid Windows DNS server?
0
 

Author Comment

by:sergenet
ID: 26098712
The DNS is ok. All mail works fine except for those clients.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26098717
Can you ping those domains from your Exchange server?
0
 

Author Comment

by:sergenet
ID: 26099147
Yes, all three ping with no problem. I am going to lunch and will be back as soon as I get something to eat. Thanks.
0
 

Author Comment

by:sergenet
ID: 26099862
I talked to cox.net and they said our domain is not blocked or black-listed. I sent them an email at "support@cox.net" and they received it and replied back. So why would I not be able to email someone else at cox.net? Any ideas?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26099918
If the address was invalid.

Check with them that the actual email address is correct.
0
 

Author Comment

by:sergenet
ID: 26099940
The address is correct. I gave it to him to check against their servers. My email went to him and his reply came to me.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26099972
I mean the ones in the queue that are not going through.

If one recipient on that domain is able to receive your mail then that would suggest there was a problem with the other recipients.
0
 

Author Comment

by:sergenet
ID: 26100387
We emailed him from a yahoo account and it works. So his address is correct. Only from our domain we are not able to email him. There must be something wrong at my end.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26102672
Go to http://www.mxtoolbox.com and enter the domain you're having problems with.
This will tell you the MX record of the company you're having problems with. Then follow this guide to send an email to the user you're trying to send to: http://support.microsoft.com/kb/153119

Does it go through successfully?
0
 

Author Comment

by:sergenet
ID: 26107062
I tried to telnet to cox.net and got the following error:
554   fed1rmimpi06.cox.net   IMP 69.199.57.98 rejected - no rDNS - refer to error codes

Our mail server ip is 69.199.57.100 and not .98 which is what is coming back from cox.net. I tried calling now for hours and all I get is the run around and no one has been able to help me. I need them to flush their DNS so the correct  numbers are coming up.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26107119
Just checked and your rDNS is definitely coming up with 69.199.57.100
So it's definitely not your problem.

0
 

Author Comment

by:sergenet
ID: 26107210
Yes, you are right. I telnetted to all three of the others that we are having problems with and all report our server with the wrong IP, .98 instead of .100
Contacting them is worse than trying to call the president.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 26107252
At least you know where the problem lies.
Interestingly though the IP address reported should be the one you connect with.

If you go to http://whatsmyip.org what does it say your IP is?
0
 

Author Comment

by:sergenet
ID: 26107812
It shows it as: Your IP Address is 69.199.57.98
Ah ha! The IP should be .100
 
 
0
 
LVL 74

Accepted Solution

by:
Glen Knight earned 1600 total points
ID: 26107917
Then you need to get on to your ISP and find out what's going on.

You will probably end up changing all your records to the current IP rather than changing your IP address.
0
 

Author Comment

by:sergenet
ID: 26107961
I fixed the ip issue. Let us see if we can telnet those domains without a problem. The problem has been resolved. Thank you demazter for all the help.
0
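
The mismatch found in this thread (mail leaving from 69.199.57.98 while the DNS records describe 69.199.57.100), as an added example that is not part of the original thread: a Python check of what a receiving server concludes about SPF and reverse DNS for the IP it actually sees. The SPF policy, the host name `mail.example.com` and the lookup tables are constructed sample data, not values from the thread.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
SPF_TXT = "v=spf1 ip4:69.199.57.100 -all"          # TXT record at the sending domain
PTR = {"69.199.57.100": "mail.example.com"}        # reverse zone: IP -> host name
A = {"mail.example.com": ["69.199.57.100"]}        # forward zone: host name -> IPs

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate an SPF record for client_ip, left to right, first match wins.

    Only the ip4 and all mechanisms are evaluated here; a, mx and include
    need live DNS lookups and are skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                            # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and arg and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                               # nothing matched

def fcrdns_ok(client_ip, ptr=PTR, a=A):
    """Forward-confirmed rDNS: a PTR exists and its name resolves back to the IP."""
    host = ptr.get(client_ip)
    return host is not None and client_ip in a.get(host, [])

def diagnose(client_ip):
    """What a receiver concludes about an SMTP connection from client_ip."""
    return {"spf": spf_result(SPF_TXT, client_ip), "fcrdns": fcrdns_ok(client_ip)}

if __name__ == "__main__":
    for ip in ("69.199.57.100", "69.199.57.98"):   # documented IP vs. real egress IP
        print(ip, diagnose(ip))
```

The records must be checked against the address shown by an external "what is my IP" lookup made from the mail server, since that is the address receivers evaluate.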
