How to setup exchange spf under these conditions?

I have a customer using exchange 2003 within SBS2003 in a server using a fixed IP address. They have 3 .org domains that can receive mail.  They have a website but it is not hosted by the same server, but on a totally different address, with all A records pointing to the website address.  All mail delivered to the .org domain names is filtered by a third party (AppRiver) which does the filtering by the following method: the exchange server is given several AppRiver IP addresses as the exclusive sources of any email. The MX records (2) are setup to transfer mail to AppRiver forany of the .org domain names.  AppRiver sends filtered mail then to the fixed IP address of the exchange server.  This all works very well.
The problem and question is this:  Some important contacts mailservers are rejecting email sent from the exchange server due to spf test failure.  Can anyone provide a step-by-step method to add spf to this server?   For expediancy, I am not accepting references to websites or books as a solution, I already am aware of them.
Who is Participating?
Cliff GaliherConnect With a Mentor Commented:
You do not add SPF records to your server (usually.) you add them to your public DNS host and the record REFERENCES your server.

Also, to be 100% honest, you want a step by step, but don't want to follow any otpf the step by step instructions already published on the web. That is asking us to reinvent the wheel. This is LESS expedient, not moreso. And you haven't provided the necessary level of detail to get a thorough step by step, but more of an overview. So, while I attempt to do so below, realize I am confined by the information you chose to provide and chose not to.

1) log into your public DNS provider. This may be your domain name registrar, your website host, a 3rd party, or in rare cases a server on your network, all depending on how you previously set up DNS for your domain name.

2) create a new TXT record.

3) create SPF text based on servers allowed to SEND on your domain's behalf. Several tools exist to do this, such as this one:

4) paste the SPF text into the TXT record.

5) test your new LIVE record for syntax errors and that is providesnthe expected info, tools exist to do so.

Done. SPF should now be live for your domain.
The only question you need to answer is HOW do receiving mail servers see the sending server - do they see the IP address of your SBS server (port 25), or do you send your mail directly to a Smart Host ?

Please advise whether you are using the default SMTP VS to send mail, or if you have an SMTP connector to do this ? Subsequently, please advise if you are sending using your own DNS servers (i.e. you resolve the external MX records directly on your own DNS servers), or if you are sending mail to a Smart Host.

If, the former, YOU must create and publish your own SPF record, if the latter, you must ask the ISP which hosts the Smart Host to create the SPF record to point back to whatever your sending SMTP server resolves to for external mail servers.

I hope that is straightforward enough for you to act upon.
Cliff GaliherCommented:
@thegeezer: SPF works based on a lookup of the domain in the senders FROM address, so even with a smarthost setup, it is far mor common that DNS needs to be handled by the domain owner, notnthe ISP. A smarthost doesn't significantly change how SPF works or how lookups occur. Just an FYI.

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Without more info I will post this as a guess.

Your DNS TXT record should be this

"v=spf1 ip4: mx -all"

substitute your static IP address (your Exchange public IP address) in the above ip4: part

mx is for allowing the mail servers in your mx records to be able to send mail also.

If only your Exchange server is sending mail for your domains then you can remove the mx if you like

put that TXT record into the zone for each of your domains DNS server

@cliff - having worked for many years with Microsoft customers, one of the regularly encountered issues is that ISPs which are used as Smart Hosts, host all records including A records for the end user organizations - hence problems with them not having )or having incorrect) PTR records which fail on reverse lookup. In these cases the ISP would also need to host the SPF records.

All the end user does is pass ALL of their mail to one or more IP addresses - the ISP then forwards the mail and they hold the Public A and PTR records which point to THEIR OWN servers. I think you will see that in this case, the SPF records would need to be published via their DNS servers ?
Cliff GaliherCommented:
PTR records and SPF records are unrelated. Thus an A record fir an ISPs smarthost is also unrelated. It is all about the domain name of the sender's address. In done cases the ISP foes control that DNS as well, but these are also places where you often see POP3 still being used and in such instances, SPF is the least of an admin's problems.

So, possible? Yes. Likely? Not very likely at all.

I am aware they are technically unrelated, the point I was making is that in many cases, the ISP which is responsible for the A and PTR records is ultimately responsible for ALL DNS issues for the domain. These are hardly unusual. As an example, from a reputable source here please see GFI's response

The proof in this case is whether the ISP is responsible for the case here or not, so lets see. Ultimately, if what you have said resolves or what i have said resolves it is immaterial to me, the important thing is that it is resolved.
vaayurathaAuthor Commented:
over the span of a couple hours, several people gave definitive answers.  I thank everyone for contributing.  I am closing this and awarding to the first complete answer
Glad you got it sorted
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.