• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3015
  • Last Modified:

is this enough for a SPF record?

I use mxlogic as my email washing service and as a SmartHost. From time to time, we get a fail on SPF lookups and a sent email gets rejected back to us.  Our current  record is
"v=spf1 +a +mx ~all", where if I interpret this correctly, means
-the sending server must have RPTR
-Be in the MX record
-soft fail otherwise.

and I  want to change that to

"v=spf1  include:mxlogic.net  ~all" meaning:
-include mxlogic.net as valid sender of email for said domain.

Is this right?

found this article to be fairly clear, but I was hoping to get some realworld opinions on it before I hit "go".

just in case it matters, Exchange 2010 is our server
2 Solutions
Your current SPF record will pass as long as the sending server has a host or MX record in your domain and will softfail otherwise.  Your proposed SPF record basically says to check mxlogic.net's SPF record, and if the sending server passes there, it will pass (and once again, softfail otherwise).
Chris DentPowerShell DeveloperCommented:

> -the sending server must have RPTR


It means the sending server can match the A record attached to "domain.com" where "domain.com" is the zone the SPF record resides in.

The sending server must match one or more of the terms in the SPF to pass the test.

> -include mxlogic.net as valid sender of email for said domain.

It includes the SPF record of mxlogic.net in your own. If there's no SPF it'll do nothing, or if the SPF record does not include the sending server it'll fail.

At the moment they have these in their SPF:

ip4: ip4: ip4: ptr:mxlogic.net

Using Include will effectively add all of those to your own SPF.

Whether that's right or not depends on MXLogic, I assume they have documentation about this?

tsaicoAuthor Commented:
They do, have documentation, but it says "add mxlogic to the spf record, talk to your admin for more information", without providing much detail.  I just want to make sure I understand how SPF works since this is my first entry.  While this looks like it would work, I think I understand HOW spf works and what these little tags and arguments mean.

Thanks guys, since MX Logic is the only place my send connectors send to (smarthost), I will send this to my dns.
Chris DentPowerShell DeveloperCommented:
It does look right, and it does agree with their sparse documentation :)

Are you sending your outbound email through this service too?

The SPF record is supposed to have the Servers that are allow to send email from your domain. If you send outbound email through it, then it must be in the SPF. IF your Exchange Server deliver directly then it needs to be in the SPF like this: v=spf1 a:<exchange.domain.com> ~all
IF you send Email out via the mxlogic.net servers, then you'll likely need to use the same SPF that mxlogic.net uses: v=spf1 ip4: ip4: ip4: ptr:mxlogic.net ~all Or just v=spf1 ptr:mxlogic.net ~all, this is really a question yout need to ask mxlogic.net, if they are resposible for your outbound email.

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now