How to setup exchange spf under these conditions?

Posted on 2011-09-12
Last Modified: 2012-08-13
I have a customer using exchange 2003 within SBS2003 in a server using a fixed IP address. They have 3 .org domains that can receive mail.  They have a website but it is not hosted by the same server, but on a totally different address, with all A records pointing to the website address.  All mail delivered to the .org domain names is filtered by a third party (AppRiver) which does the filtering by the following method: the exchange server is given several AppRiver IP addresses as the exclusive sources of any email. The MX records (2) are setup to transfer mail to AppRiver forany of the .org domain names.  AppRiver sends filtered mail then to the fixed IP address of the exchange server.  This all works very well.
The problem and question is this:  Some important contacts mailservers are rejecting email sent from the exchange server due to spf test failure.  Can anyone provide a step-by-step method to add spf to this server?   For expediancy, I am not accepting references to websites or books as a solution, I already am aware of them.
Question by:vaayuratha
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 11

Expert Comment

ID: 36522240
The only question you need to answer is HOW do receiving mail servers see the sending server - do they see the IP address of your SBS server (port 25), or do you send your mail directly to a Smart Host ?

Please advise whether you are using the default SMTP VS to send mail, or if you have an SMTP connector to do this ? Subsequently, please advise if you are sending using your own DNS servers (i.e. you resolve the external MX records directly on your own DNS servers), or if you are sending mail to a Smart Host.

If, the former, YOU must create and publish your own SPF record, if the latter, you must ask the ISP which hosts the Smart Host to create the SPF record to point back to whatever your sending SMTP server resolves to for external mail servers.

I hope that is straightforward enough for you to act upon.
LVL 58

Accepted Solution

Cliff Galiher earned 500 total points
ID: 36522262
You do not add SPF records to your server (usually.) you add them to your public DNS host and the record REFERENCES your server.

Also, to be 100% honest, you want a step by step, but don't want to follow any otpf the step by step instructions already published on the web. That is asking us to reinvent the wheel. This is LESS expedient, not moreso. And you haven't provided the necessary level of detail to get a thorough step by step, but more of an overview. So, while I attempt to do so below, realize I am confined by the information you chose to provide and chose not to.

1) log into your public DNS provider. This may be your domain name registrar, your website host, a 3rd party, or in rare cases a server on your network, all depending on how you previously set up DNS for your domain name.

2) create a new TXT record.

3) create SPF text based on servers allowed to SEND on your domain's behalf. Several tools exist to do this, such as this one:

4) paste the SPF text into the TXT record.

5) test your new LIVE record for syntax errors and that is providesnthe expected info, tools exist to do so.

Done. SPF should now be live for your domain.
LVL 58

Expert Comment

by:Cliff Galiher
ID: 36522279
@thegeezer: SPF works based on a lookup of the domain in the senders FROM address, so even with a smarthost setup, it is far mor common that DNS needs to be handled by the domain owner, notnthe ISP. A smarthost doesn't significantly change how SPF works or how lookups occur. Just an FYI.

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

LVL 22

Expert Comment

ID: 36522347
Without more info I will post this as a guess.

Your DNS TXT record should be this

"v=spf1 ip4: mx -all"

substitute your static IP address (your Exchange public IP address) in the above ip4: part

mx is for allowing the mail servers in your mx records to be able to send mail also.

If only your Exchange server is sending mail for your domains then you can remove the mx if you like

put that TXT record into the zone for each of your domains DNS server

LVL 11

Expert Comment

ID: 36522524
@cliff - having worked for many years with Microsoft customers, one of the regularly encountered issues is that ISPs which are used as Smart Hosts, host all records including A records for the end user organizations - hence problems with them not having )or having incorrect) PTR records which fail on reverse lookup. In these cases the ISP would also need to host the SPF records.

All the end user does is pass ALL of their mail to one or more IP addresses - the ISP then forwards the mail and they hold the Public A and PTR records which point to THEIR OWN servers. I think you will see that in this case, the SPF records would need to be published via their DNS servers ?
LVL 58

Expert Comment

by:Cliff Galiher
ID: 36522550
PTR records and SPF records are unrelated. Thus an A record fir an ISPs smarthost is also unrelated. It is all about the domain name of the sender's address. In done cases the ISP foes control that DNS as well, but these are also places where you often see POP3 still being used and in such instances, SPF is the least of an admin's problems.

So, possible? Yes. Likely? Not very likely at all.

LVL 11

Expert Comment

ID: 36522673
I am aware they are technically unrelated, the point I was making is that in many cases, the ISP which is responsible for the A and PTR records is ultimately responsible for ALL DNS issues for the domain. These are hardly unusual. As an example, from a reputable source here please see GFI's response

The proof in this case is whether the ISP is responsible for the case here or not, so lets see. Ultimately, if what you have said resolves or what i have said resolves it is immaterial to me, the important thing is that it is resolved.

Author Closing Comment

ID: 36523307
over the span of a couple hours, several people gave definitive answers.  I thank everyone for contributing.  I am closing this and awarding to the first complete answer
LVL 11

Expert Comment

ID: 36523470
Glad you got it sorted

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
This video discusses moving either the default database or any database to a new volume.

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question