Solved

How to setup exchange spf under these conditions?

Posted on 2011-09-12
9
765 Views
Last Modified: 2012-08-13
I have a customer using exchange 2003 within SBS2003 in a server using a fixed IP address. They have 3 .org domains that can receive mail.  They have a website but it is not hosted by the same server, but on a totally different address, with all A records pointing to the website address.  All mail delivered to the .org domain names is filtered by a third party (AppRiver) which does the filtering by the following method: the exchange server is given several AppRiver IP addresses as the exclusive sources of any email. The MX records (2) are setup to transfer mail to AppRiver forany of the .org domain names.  AppRiver sends filtered mail then to the fixed IP address of the exchange server.  This all works very well.
The problem and question is this:  Some important contacts mailservers are rejecting email sent from the exchange server due to spf test failure.  Can anyone provide a step-by-step method to add spf to this server?   For expediancy, I am not accepting references to websites or books as a solution, I already am aware of them.
0
Comment
Question by:vaayuratha
9 Comments
 
LVL 11

Expert Comment

by:TheGeezer2010
ID: 36522240
The only question you need to answer is HOW do receiving mail servers see the sending server - do they see the IP address of your SBS server (port 25), or do you send your mail directly to a Smart Host ?

Please advise whether you are using the default SMTP VS to send mail, or if you have an SMTP connector to do this ? Subsequently, please advise if you are sending using your own DNS servers (i.e. you resolve the external MX records directly on your own DNS servers), or if you are sending mail to a Smart Host.

If, the former, YOU must create and publish your own SPF record, if the latter, you must ask the ISP which hosts the Smart Host to create the SPF record to point back to whatever your sending SMTP server resolves to for external mail servers.

I hope that is straightforward enough for you to act upon.
0
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 36522262
You do not add SPF records to your server (usually.) you add them to your public DNS host and the record REFERENCES your server.

Also, to be 100% honest, you want a step by step, but don't want to follow any otpf the step by step instructions already published on the web. That is asking us to reinvent the wheel. This is LESS expedient, not moreso. And you haven't provided the necessary level of detail to get a thorough step by step, but more of an overview. So, while I attempt to do so below, realize I am confined by the information you chose to provide and chose not to.

1) log into your public DNS provider. This may be your domain name registrar, your website host, a 3rd party, or in rare cases a server on your network, all depending on how you previously set up DNS for your domain name.

2) create a new TXT record.

3) create SPF text based on servers allowed to SEND on your domain's behalf. Several tools exist to do this, such as this one: http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

4) paste the SPF text into the TXT record.

5) test your new LIVE record for syntax errors and that is providesnthe expected info, tools exist to do so. http://www.kitterman.com/spf/validate.html


Done. SPF should now be live for your domain.
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 36522279
@thegeezer: SPF works based on a lookup of the domain in the senders FROM address, so even with a smarthost setup, it is far mor common that DNS needs to be handled by the domain owner, notnthe ISP. A smarthost doesn't significantly change how SPF works or how lookups occur. Just an FYI.

-Cliff
0
 
LVL 22

Expert Comment

by:chakko
ID: 36522347
Without more info I will post this as a guess.

Your DNS TXT record should be this

"v=spf1 ip4:192.168.0.1 mx -all"


substitute your static IP address (your Exchange public IP address) in the above ip4: part

mx is for allowing the mail servers in your mx records to be able to send mail also.

If only your Exchange server is sending mail for your domains then you can remove the mx if you like

put that TXT record into the zone for each of your domains DNS server


0
Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

 
LVL 11

Expert Comment

by:TheGeezer2010
ID: 36522524
@cliff - having worked for many years with Microsoft customers, one of the regularly encountered issues is that ISPs which are used as Smart Hosts, host all records including A records for the end user organizations - hence problems with them not having )or having incorrect) PTR records which fail on reverse lookup. In these cases the ISP would also need to host the SPF records.

All the end user does is pass ALL of their mail to one or more IP addresses - the ISP then forwards the mail and they hold the Public A and PTR records which point to THEIR OWN servers. I think you will see that in this case, the SPF records would need to be published via their DNS servers ?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 36522550
PTR records and SPF records are unrelated. Thus an A record fir an ISPs smarthost is also unrelated. It is all about the domain name of the sender's address. In done cases the ISP foes control that DNS as well, but these are also places where you often see POP3 still being used and in such instances, SPF is the least of an admin's problems.

So, possible? Yes. Likely? Not very likely at all.

-Cliff
0
 
LVL 11

Expert Comment

by:TheGeezer2010
ID: 36522673
I am aware they are technically unrelated, the point I was making is that in many cases, the ISP which is responsible for the A and PTR records is ultimately responsible for ALL DNS issues for the domain. These are hardly unusual. As an example, from a reputable source here please see GFI's response

http://kbase.gfi.com/showarticle.asp?id=KBID003567

The proof in this case is whether the ISP is responsible for the case here or not, so lets see. Ultimately, if what you have said resolves or what i have said resolves it is immaterial to me, the important thing is that it is resolved.
0
 

Author Closing Comment

by:vaayuratha
ID: 36523307
over the span of a couple hours, several people gave definitive answers.  I thank everyone for contributing.  I am closing this and awarding to the first complete answer
0
 
LVL 11

Expert Comment

by:TheGeezer2010
ID: 36523470
Glad you got it sorted
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now