How to set up Exchange SPF under these conditions?

Posted on 2011-09-12
Last Modified: 2012-08-13
I have a customer using Exchange 2003 within SBS2003 on a server using a fixed IP address. They have 3 .org domains that can receive mail. They have a website, but it is not hosted by the same server; it is on a totally different address, with all A records pointing to the website address. All mail delivered to the .org domain names is filtered by a third party (AppRiver), which does the filtering by the following method: the Exchange server is given several AppRiver IP addresses as the exclusive sources of any email. The MX records (2) are set up to transfer mail to AppRiver for any of the .org domain names. AppRiver then sends filtered mail to the fixed IP address of the Exchange server. This all works very well.
The problem and question is this: Some important contacts' mail servers are rejecting email sent from the Exchange server due to SPF test failure. Can anyone provide a step-by-step method to add SPF to this server? For expediency, I am not accepting references to websites or books as a solution; I am already aware of them.
Question by:vaayuratha
LVL 11

Expert Comment

ID: 36522240
The only question you need to answer is HOW do receiving mail servers see the sending server: do they see the IP address of your SBS server (port 25), or do you send your mail directly to a Smart Host?

Please advise whether you are using the default SMTP VS to send mail, or if you have an SMTP connector to do this. Subsequently, please advise if you are sending using your own DNS servers (i.e. you resolve the external MX records directly on your own DNS servers), or if you are sending mail to a Smart Host.

If the former, YOU must create and publish your own SPF record; if the latter, you must ask the ISP which hosts the Smart Host to create the SPF record to point back to whatever your sending SMTP server resolves to for external mail servers.

I hope that is straightforward enough for you to act upon.
LVL 58

Accepted Solution

Cliff Galiher earned 500 total points
ID: 36522262
You do not add SPF records to your server (usually). You add them to your public DNS host and the record REFERENCES your server.

Also, to be 100% honest, you want a step by step, but don't want to follow any of the step by step instructions already published on the web. That is asking us to reinvent the wheel. This is LESS expedient, not more so. And you haven't provided the necessary level of detail to get a thorough step by step, but more of an overview. So, while I attempt to do so below, realize I am confined by the information you chose to provide and chose not to.

1) log into your public DNS provider. This may be your domain name registrar, your website host, a 3rd party, or in rare cases a server on your network, all depending on how you previously set up DNS for your domain name.

2) create a new TXT record.

3) create SPF text based on servers allowed to SEND on your domain's behalf. Several tools exist to do this, such as this one:

4) paste the SPF text into the TXT record.

5) test your new LIVE record for syntax errors and that it provides the expected info; tools exist to do so.

Done. SPF should now be live for your domain.
LVL 58

Expert Comment

by:Cliff Galiher
ID: 36522279
@thegeezer: SPF works based on a lookup of the domain in the sender's FROM address, so even with a smarthost setup, it is far more common that DNS needs to be handled by the domain owner, not the ISP. A smarthost doesn't significantly change how SPF works or how lookups occur. Just an FYI.

LVL 22

Expert Comment

ID: 36522347
Without more info I will post this as a guess.

Your DNS TXT record should be this

"v=spf1 ip4: mx -all"

Substitute your static IP address (your Exchange public IP address) in the above ip4: part.

mx is for allowing the mail servers in your MX records to be able to send mail also.

If only your Exchange server is sending mail for your domains, then you can remove the mx if you like.

Put that TXT record into the zone for each of your domains on the DNS server.
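
An added example, not part of the original thread: a small offline evaluator for the `ip4`, `mx` and `all` mechanisms used in the record above, to check a draft record against the addresses that actually send mail before publishing it. The IP addresses are constructed documentation values, and `mx_ips` is an assumed stand-in for the DNS lookup of the domain's MX hosts.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
EXCHANGE_IP = "203.0.113.10"                       # fixed IP of the Exchange server
FILTER_MX_IPS = ["198.51.100.25", "198.51.100.26"]  # hosts the two MX records resolve to
RECORD = "v=spf1 ip4:203.0.113.10 mx -all"

def check_spf(record, sender_ip, mx_ips):
    """Evaluate a small SPF subset (ip4, mx, all) for one connecting IP.

    Returns 'pass', 'fail', 'softfail' or 'neutral'; 'none' if the text is
    not an SPF record; 'permerror' on syntax this subset cannot evaluate.
    """
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"                  # default qualifier is pass
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # e.g. "ip4:" published with no address
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(m) for m in mx_ips)
        elif name == "all":
            matched = True
        else:
            return "permerror"           # mechanism outside this subset
        if matched:                      # first matching mechanism decides
            return results[qualifier]
    return "neutral"                     # nothing matched and no "all" term

if __name__ == "__main__":
    for ip in (EXCHANGE_IP, FILTER_MX_IPS[0], "192.0.2.77"):
        print(ip, check_spf(RECORD, ip, FILTER_MX_IPS))
```

With inbound filtering in front of the server, a record that lists only `mx` authorizes the filtering hosts but not the Exchange server's own outbound address, which is the situation the `ip4:` term covers.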

LVL 11

Expert Comment

ID: 36522524
@cliff - having worked for many years with Microsoft customers, one of the regularly encountered issues is that ISPs which are used as Smart Hosts host all records, including A records, for the end user organizations - hence problems with them not having (or having incorrect) PTR records which fail on reverse lookup. In these cases the ISP would also need to host the SPF records.

All the end user does is pass ALL of their mail to one or more IP addresses - the ISP then forwards the mail and they hold the Public A and PTR records which point to THEIR OWN servers. I think you will see that in this case, the SPF records would need to be published via their DNS servers?
LVL 58

Expert Comment

by:Cliff Galiher
ID: 36522550
PTR records and SPF records are unrelated. Thus an A record for an ISP's smarthost is also unrelated. It is all about the domain name of the sender's address. In some cases the ISP does control that DNS as well, but these are also places where you often see POP3 still being used and in such instances, SPF is the least of an admin's problems.

So, possible? Yes. Likely? Not very likely at all.

LVL 11

Expert Comment

ID: 36522673
I am aware they are technically unrelated, the point I was making is that in many cases, the ISP which is responsible for the A and PTR records is ultimately responsible for ALL DNS issues for the domain. These are hardly unusual. As an example, from a reputable source here please see GFI's response

The proof in this case is whether the ISP is responsible for the case here or not, so let's see. Ultimately, if what you have said resolves or what I have said resolves it is immaterial to me; the important thing is that it is resolved.

Author Closing Comment

ID: 36523307
Over the span of a couple hours, several people gave definitive answers. I thank everyone for contributing. I am closing this and awarding to the first complete answer.
LVL 11

Expert Comment

ID: 36523470
Glad you got it sorted

Question has a verified solution.
