Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.
Solved
help with SPF record please
Posted on 2011-03-07
I am trying to help a client of my set up an SPF record for his domain. He has the need to authenticate mail from three locations
1. his domain whistlerreservations.com which is set up with google apps mail
2. Via a third party booking engine that sends mail from the domain rezserve.com
3. Via campaign monitor (cmail1.com) which is an email distribution system.
This is the following SPF that I created
v=spf1 a mx include:rezserve.com include:cmail1.com include:_spf.google.com ~all
I set this up but when I try and verify with http://www.kitterman.com/spf/validate.html i get the following
Results - PermError SPF Permanent Error: No valid SPF record for included domain: rezserve.com: include:rezserve.com
and any messages sent from rezserve.com on whistlerreservations.com behalf end up in my gmail spam folder
Can somebody please verify this is correct?
Does rezserve.com also have to publish an spf record? and if show what is it that they need to set?
I hacked this together from various sources
1) google apps help - google.com/support/a/bin/a
which says to set the following v=spf1 include:_spf.google.com ~all
2) Campaingmonitor help -help.campaignmonitor.com/
Which says to set - v=spf1 mx include:cmail1.com ~all
Below is the mail header from one of the messages sent from resserve.com
Delivered-To: jac@whistlerwebandprint.co
Received: by 10.231.30.196 with SMTP id v4cs105047ibc;
Mon, 28 Feb 2011 13:54:38 -0800 (PST)
Received: by 10.227.156.207 with SMTP id y15mr5389341wbw.38.1298930
Mon, 28 Feb 2011 13:54:37 -0800 (PST)
Return-Path: <reservations@whistlerrese
Received: from rezserve.com ([204.14.93.102])
by mx.google.com with ESMTPS id p44si7256090wej.197.2011.0
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 28 Feb 2011 13:54:36 -0800 (PST)
Received-SPF: neutral (google.com: 204.14.93.102 is neither permitted nor denied by best guess record for domain of reservations@whistlerreser
client-ip=204.14.93.102;
Authentication-Results: mx.google.com; spf=neutral (google.com: 204.14.93.102 is neither permitted nor denied by best guess record for domain of
reservations@whistlerreser
Received: from rezserve.com (localhost.localdomain [127.0.0.1])
by rezserve.com (8.13.1/8.13.1) with ESMTP id p1SLsT8X032018
for <jac@whistlerwebandprint.c
Received: (from apache@localhost)
by rezserve.com (8.13.1/8.13.1/Submit) id p1SLsTll032016;
Mon, 28 Feb 2011 16:54:29 -0500
Date: Mon, 28 Feb 2011 16:54:29
1. his domain whistlerreservations.com which is set up with google apps mail
2. Via a third party booking engine that sends mail from the domain rezserve.com
3. Via campaign monitor (cmail1.com) which is an email distribution system.
This is the following SPF that I created
v=spf1 a mx include:rezserve.com include:cmail1.com include:_spf.google.com ~all
I set this up but when I try and verify with http://www.kitterman.com/spf/validate.html i get the following
Results - PermError SPF Permanent Error: No valid SPF record for included domain: rezserve.com: include:rezserve.com
and any messages sent from rezserve.com on whistlerreservations.com behalf end up in my gmail spam folder
Can somebody please verify this is correct?
Does rezserve.com also have to publish an spf record? and if show what is it that they need to set?
I hacked this together from various sources
1) google apps help - google.com/support/a/bin/a
which says to set the following v=spf1 include:_spf.google.com ~all
2) Campaingmonitor help -help.campaignmonitor.com/
Which says to set - v=spf1 mx include:cmail1.com ~all
Below is the mail header from one of the messages sent from resserve.com
Delivered-To: jac@whistlerwebandprint.co
Received: by 10.231.30.196 with SMTP id v4cs105047ibc;
Mon, 28 Feb 2011 13:54:38 -0800 (PST)
Received: by 10.227.156.207 with SMTP id y15mr5389341wbw.38.1298930
Mon, 28 Feb 2011 13:54:37 -0800 (PST)
Return-Path: <reservations@whistlerrese
Received: from rezserve.com ([204.14.93.102])
by mx.google.com with ESMTPS id p44si7256090wej.197.2011.0
(version=TLSv1/SSLv3 cipher=OTHER);
Mon, 28 Feb 2011 13:54:36 -0800 (PST)
Received-SPF: neutral (google.com: 204.14.93.102 is neither permitted nor denied by best guess record for domain of reservations@whistlerreser
client-ip=204.14.93.102;
Authentication-Results: mx.google.com; spf=neutral (google.com: 204.14.93.102 is neither permitted nor denied by best guess record for domain of
reservations@whistlerreser
Received: from rezserve.com (localhost.localdomain [127.0.0.1])
by rezserve.com (8.13.1/8.13.1) with ESMTP id p1SLsT8X032018
for <jac@whistlerwebandprint.c
Received: (from apache@localhost)
by rezserve.com (8.13.1/8.13.1/Submit) id p1SLsTll032016;
Mon, 28 Feb 2011 16:54:29 -0500
Date: Mon, 28 Feb 2011 16:54:29
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
2
5 Comments
The SPF record should be put in the rezserve.com DNS zone.
Since it is in that zone, you don't need the 'include:rezserve.com' entry, so you can delete that portion:
rezserve.com. IN TXT "v=spf1 a mx include:cmail1.com include:_spf.google.com ~all"
Once I removed that part it passed the syntax test. You can also use a wizard to make your SPF entry:
http://old.openspf.org/wiz
Since it is in that zone, you don't need the 'include:rezserve.com' entry, so you can delete that portion:
rezserve.com. IN TXT "v=spf1 a mx include:cmail1.com include:_spf.google.com ~all"
Once I removed that part it passed the syntax test. You can also use a wizard to make your SPF entry:
http://old.openspf.org/wiz
Thanks for your quick comment.
I am sorry I am a bit new to this and as such am confused
Don't I need to add the SPF to my clients domain's DNS which is http://www.whistlerreservations.com/?
it's that domain that sends mail out through google apps
cmail1.com is a 3rd party newsletter server and rezserve.com is another thrid party booking widget that both send out email from their 3rd party servers on behalf of whistlerreservations.com
From what I got out of my research i need to create the SPF on my clients DNS and sounds like rezserve.com should have some sort of SFP in place as well. Am I completely confused here?
also I re-ran the test with the adjusted string you supplied and the out put was
The result of the test (this should be the default result of your record) was, ambiguous . The explanation returned was, SPF Ambiguity Warning: No A records found for: http://www.whistlerreservations.com
Should I be concerned about the SPF ambifuity warning?
I am sorry I am a bit new to this and as such am confused
Don't I need to add the SPF to my clients domain's DNS which is http://www.whistlerreservations.com/?
it's that domain that sends mail out through google apps
cmail1.com is a 3rd party newsletter server and rezserve.com is another thrid party booking widget that both send out email from their 3rd party servers on behalf of whistlerreservations.com
From what I got out of my research i need to create the SPF on my clients DNS and sounds like rezserve.com should have some sort of SFP in place as well. Am I completely confused here?
also I re-ran the test with the adjusted string you supplied and the out put was
The result of the test (this should be the default result of your record) was, ambiguous . The explanation returned was, SPF Ambiguity Warning: No A records found for: http://www.whistlerreservations.com
Should I be concerned about the SPF ambifuity warning?
Ah, OK. You COULD add:
whistlerreservations.com. IN TXT "v=spf1 a mx include:_spf.google.com include:rezserve.com include:cmail1.com ~all"
to your whistlerreservations.com zone. It will fail though as it will include all SPFs from cmail1.com, _spf.google.com and rezserve.com. The problem is that rezserve.com does not yet have an SPF record.
To avoid creating a SPF in rezserve.com you use this record in the whistlerreservations.com zone:
whistlerreservations.com. IN TXT "v=spf1 a mx mx:rezserve.com include:_spf.google.com include:cmail1.com ~all"
Instead of the include, we set it to allow from rezserve.com MX record addresses.
whistlerreservations.com. IN TXT "v=spf1 a mx include:_spf.google.com include:rezserve.com include:cmail1.com ~all"
to your whistlerreservations.com zone. It will fail though as it will include all SPFs from cmail1.com, _spf.google.com and rezserve.com. The problem is that rezserve.com does not yet have an SPF record.
To avoid creating a SPF in rezserve.com you use this record in the whistlerreservations.com zone:
whistlerreservations.com. IN TXT "v=spf1 a mx mx:rezserve.com include:_spf.google.com include:cmail1.com ~all"
Instead of the include, we set it to allow from rezserve.com MX record addresses.
awsome thanks.... I could ask rezserve.com to create an spf record if I did that what should I ask them to create? and is there any advantage to doing that over just using there MX records as you have proposed?
The only real advantage would be if they changed their SPF records from time to time, or they include domains they send mail from that you don't know about. For example, the Google include contains the following domains:
alt1.aspmx.l.google.com, gy-in-f27.1e100.net, aspmx5.googlemail.com, bw-in-f27.1e100.net, aspmx2.googlemail.com, iw-in-f27.1e100.net, aspmx.l.google.com, pv-in-f27.1e100.net, aspmx3.googlemail.com, aspmx4.googlemail.com, ww-in-f27.1e100.net, qw-in-f27.1e100.net, alt2.aspmx.l.google.com
1e100.net and googlemail.com are included for you even though it was not in your SPF definition. For all intents and purposes, the mx:rezserve.com entry should be just fine. You could always change it later if they add an SPF record.
alt1.aspmx.l.google.com, gy-in-f27.1e100.net, aspmx5.googlemail.com, bw-in-f27.1e100.net, aspmx2.googlemail.com, iw-in-f27.1e100.net, aspmx.l.google.com, pv-in-f27.1e100.net, aspmx3.googlemail.com, aspmx4.googlemail.com, ww-in-f27.1e100.net, qw-in-f27.1e100.net, alt2.aspmx.l.google.com
1e100.net and googlemail.com are included for you even though it was not in your SPF definition. For all intents and purposes, the mx:rezserve.com entry should be just fine. You could always change it later if they add an SPF record.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Resolve DNS query failed errors for Exchange
- Exchange
- DNS
- Outlook
- Windows Server 2012
- Active Directory
- Windows Networking, Email Servers
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.
Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
Familiarize people with the process of utilizing SQL Server views from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Access…
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Recipients >> Mailb…
Suggested Courses
Course of the Month11 days, 15 hours left to enroll
636 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.