sergenet

How to create/update SPF in Exchange 2003

Some clients cannot email us, we cannot email some clients, some internal emails go to spam folders, and some spam goes to inbox folders. I checked for SPF and it does not exist. How do I create one and where is it supposed to be located?
Glen Knight

A missing SPF will not stop you receiving mail but it might stop other people receiving your mail.

You need to ask whoever controls your external DNS to set up a TXT record.

To work out what needs to go in the TXT record run this wizard: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
The SPF record needs to be created in your public DNS zone. This is usually hosted by your ISP, or it could be hosted by your domain registry provider, just depends on how your domain was set up.  The type of record for SPF is "TXT," so if you have access to a control panel for your public DNS zone, you might be able to add it yourself, or you might have to contact your ISP/domain registry DNS support department.
SPF will help, but you also might want to check to be sure that there is a PTR (rDNS) record for your mail server as well. The PTR record has to be placed on the DNS server of the provider that owns your block of IP addresses - this is usually your ISP. You may find that you have a PTR record from your ISP, but that it points to a generic host name instead of your mail server host name. This will be fine in most instances, but if you want to be sure it will work in all cases, you can request your ISP to change it so that it points to the exact public host name of your email server.
This will not, however, fix problems related to internal emails going to spam folders. What spam filtering software are you using?
SOLUTION
Hypercat (Deb)
Don't think the openspf one is working that's why I posted the Microsoft one.
sergenet

ASKER

I set up the SPF as a text record already. The PTR record exists and is correct. I am using Symantec security for Exchange server. SPF will (hopefully) solve the problem of some of our clients not receiving our emails, but why can't we receive some of our clients' emails? Maybe two or three in total? I will email a test message to the clients whom we are unable to send mail to, to see if it works now. Thanks for the speedy reply.
Are the people trying to send you messages receiving any NDR message?
I have yet to find out. It would help if they told me what error messages they are getting. I will post when I find out.
Here is one I just sent a test email to and got bounced back:
Your message did not reach some or all of the intended recipients.

      Subject:      test
      Sent:      12/18/2009 12:01 PM

The following recipient(s) could not be reached:

      'brownhouse@altrionet.com' on 12/18/2009 12:01 PM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <onyxarchitects.com #5.5.0 smtp;554 Sending address not accepted due to spam filter>
That's Symantec blocking it.
Set their domain name up in the whitelist.
No sorry that's their SPAM filter.
Ask them to add your domain name in as a whitelist domain.

It's not unusual, my domain gets blocked as SPAM sometimes.
@demazter - you're right about the OpenSPF link, I couldn't get the site to load either.
@sergenet - have you checked to make sure your domain hasn't gotten on some blacklist somewhere? It might be worthwhile just to check to be sure. There are some blacklists out there that list dynamic IP addresses that actually aren't dynamic any more, and you could be caught by one of them. Here's one on-line source for checking (there are others, too):
www.mxtoolbox.com/blacklists.aspx 
 
Also your lack of SPF record will cause you to be treated as SPAM.
It can take 24 hours or so for this to run through the internet.  So if you have only just created it I would hold fire for a while.
I have checked for blacklisting several times and all are ok except these that time out.
CSMA  TIMEOUT ERROR, Reponse code=2   0
DUINV  TIMEOUT ERROR, Reponse code=2   0
ORVEDB  TIMEOUT ERROR, Reponse code=2   0
RSBL  TIMEOUT ERROR, Reponse code=2   0
Spamhaus-ZEN  TIMEOUT   0
SPAMRBL  TIMEOUT ERROR, Reponse code=2   0
 Also we used a dynamic ip for about a month while we were moving and then were assigned a static ip again. Since then we have been having problems.

It will take time for your SPF record to go through.
Also check with your ISP you do actually have a static address.

Also find out if they have a smart relay you could use instead of using DNS?
I will leave this question open for 24 hours to give time for the SPF to work itself through the network. Will post again Monday to see if all is well. Thanks.
Still no SPF showing when I do a lookup. I did a port lookup and the following is showing:
3 open ports:

  25 smtp Success 62 ms
  80 http Success 62 ms
  443 https Success 62 ms

These ports were closed:

  21 ftp Timeout 0 ms
  22 ssh Timeout 0 ms
  23 telnet Timeout 0 ms
  53 dns Timeout 0 ms
  110 pop3 Timeout 0 ms
  143 imap No connection could be made because the target machine actively refused it 69.199.57.100:143 0 ms
  139 netbios Timeout 0 ms
  389 ldap Timeout 0 ms
  587 msa-outlook Timeout 0 ms
  1433 sql server Timeout 0 ms
  3306 my sql Timeout 0 ms
  3389 remote desktop Timeout 0 ms
  8080 webcache Timeout 0 ms

Is this normal?
That looks fine.

However if the SPF is not showing you need to get on to whoever controls your external DNS and find out why it's not sticking.
I will call them right now.
The name servers were pointing to the wrong place and now that I corrected them, the SPF is coming out ok. I will resend a test message to the clients whom we are not able to reach and see if it works now. I will post as soon as I know the status of the sent emails.
I sent a test email to 3 clients and all three are sitting in the exchange queue.
1 to adelphia.net
1 to cox.net
1 to juno.com
SPAM/Virus software on your server?
Can you uninstall it.
I use symantec mail security for exchange
Can you uninstall it and see if the queues empty?
It's not unusual for Symantec to do this!
ok, I will uninstall.
I uninstalled it and forced the connection on the emails in queue but still nothing. They are waiting for retry.
How is your DNS configured?
Is the Exchange Server pointing to a valid Windows DNS server?
The DNS is ok. All mail works fine except for those clients.
can you ping those domains from your exchange server?
yes all three ping with no problem. I am going to lunch and will be back as soon as I get something to eat. thanks.
I talked to cox.net and they said our domain is not blocked or black-listed. I sent them an email "support@cox.net" and they received it and replied back. so why would I not be able to email someone else at cox.net? Any ideas?
If the address was invalid.

Check with them that the actual email address is correct.
The address is correct. I gave it to him to check against their servers. My email went to him and his reply came to me.
I mean the ones in the queue that are not going through.

If one recipient on that domain is able to receive your mail then that would suggest there was a problem with the other recipients.
We emailed him from a yahoo account and it works. So his address is correct. Only from our domain we are not able to email him. There must be something wrong at my end.
Go to http://www.mxtoolbox.com and enter the domain you're having problems with.
This will tell you the MX record of the company you're having problems with, then follow this guide to send an email to the user you're trying to send to: http://support.microsoft.com/kb/153119

Does it go through successfully?
I tried to telnet to cox.net and got the following error:
554   fed1rmimpi06.cox.net   IMP 69.199.57.98 rejected - no rDNS - refer to error codes

Our mail server ip is 69.199.57.100 and not .98 which is what is coming back from cox.net. I tried calling now for hours and all I get is the run around and no one has been able to help me. I need them to flush their DNS so the correct  numbers are coming up.
Just checked and your rDNS is definitely coming up with 69.199.57.100
So it's definitely not your problem.

Yes, you are right. I telnetted all three of the others that we are having problems with and all report our server with the wrong ip, .98 instead of .100
Contacting them is worse than trying to call the president.
at least you know where the problem lies.
Interestingly though the IP address reported should be the one you connect with.

If you go to http://whatsmyip.org what does it say your IP is?
It shows it as: Your IP Address is 69.199.57.98  
Ah ha! the ip should be .100
 
 
ASKER CERTIFIED SOLUTION
I fixed the ip issue. Let us see if we can telnet those domains without a problem. The problem has been resolved. Thank you demazter for all the help.
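The diagnosis this thread arrived at, as an added example that is not part of the original discussion: the receiver's 554 reply names the IP it actually saw connect, so comparing that address with the intended mail server IP and with the SPF record exposes an outbound NAT mismatch. The rejection line and both IP addresses are taken from the thread; the SPF record is constructed for illustration (the thread never shows the real one), and the function names are hypothetical.

```python
import ipaddress
import re

# Rejection text as quoted in the thread (the receiver reports the IP it saw).
REJECTION = "554   fed1rmimpi06.cox.net   IMP 69.199.57.98 rejected - no rDNS - refer to error codes"
EXPECTED_MAIL_IP = "69.199.57.100"  # mail server address stated in the thread
SAMPLE_SPF = "v=spf1 ip4:69.199.57.100 -all"  # constructed sample, not the real record

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def seen_ip(smtp_line):
    """Return the first valid IPv4 address found in an SMTP reply, or None."""
    for candidate in IPV4.findall(smtp_line):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            continue  # looked like an IP but had an octet above 255
    return None

def spf_ip4_result(record, ip):
    """Evaluate only the ip4 mechanisms and 'all' of an SPF record.
    Mechanisms that need DNS lookups (a, mx, include) are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.IPv4Address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "ip4" and value:
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # SPF default when nothing matches

def diagnose(smtp_line, expected_ip, spf_record):
    """Compare the IP the receiver saw with the intended sender IP and SPF."""
    ip = seen_ip(smtp_line)
    return {
        "seen_ip": ip,
        "egress_mismatch": ip is not None and ip != expected_ip,
        "spf_for_seen_ip": spf_ip4_result(spf_record, ip) if ip else None,
        "spf_for_expected_ip": spf_ip4_result(spf_record, expected_ip),
    }

if __name__ == "__main__":
    print(diagnose(REJECTION, EXPECTED_MAIL_IP, SAMPLE_SPF))
```

With the sample record, mail leaving from .98 fails SPF even though the record is correct for .100, so either the outbound NAT rule or the SPF and PTR records have to be brought into line with the address receivers actually see.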