How to setup exchange spf under these conditions?

Posted on 2011-09-12
Last Modified: 2012-08-13
I have a customer using Exchange 2003 within SBS2003 on a server using a fixed IP address. They have 3 .org domains that can receive mail.  They have a website, but it is not hosted by the same server; it is on a totally different address, with all A records pointing to the website address.  All mail delivered to the .org domain names is filtered by a third party (AppRiver), which does the filtering by the following method: the Exchange server is given several AppRiver IP addresses as the exclusive sources of any email. The MX records (2) are set up to transfer mail to AppRiver for any of the .org domain names.  AppRiver then sends filtered mail to the fixed IP address of the Exchange server.  This all works very well.
The problem and question is this:  Some important contacts' mail servers are rejecting email sent from the Exchange server due to SPF test failure.  Can anyone provide a step-by-step method to add SPF to this server?   For expediency, I am not accepting references to websites or books as a solution; I am already aware of them.
Question by:vaayuratha
LVL 11

Expert Comment

ID: 36522240
The only question you need to answer is HOW do receiving mail servers see the sending server - do they see the IP address of your SBS server (port 25), or do you send your mail directly to a Smart Host ?

Please advise whether you are using the default SMTP VS to send mail, or if you have an SMTP connector to do this ? Subsequently, please advise if you are sending using your own DNS servers (i.e. you resolve the external MX records directly on your own DNS servers), or if you are sending mail to a Smart Host.

If the former, YOU must create and publish your own SPF record; if the latter, you must ask the ISP which hosts the Smart Host to create the SPF record to point back to whatever your sending SMTP server resolves to for external mail servers.

I hope that is straightforward enough for you to act upon.
LVL 56

Accepted Solution

Cliff Galiher earned 500 total points
ID: 36522262
You do not add SPF records to your server (usually). You add them to your public DNS host, and the record REFERENCES your server.

Also, to be 100% honest, you want a step by step, but don't want to follow any of the step-by-step instructions already published on the web. That is asking us to reinvent the wheel. This is LESS expedient, not more so. And you haven't provided the necessary level of detail to get a thorough step by step, but more of an overview. So, while I attempt to do so below, realize I am confined by the information you chose to provide and chose not to.

1) Log into your public DNS provider. This may be your domain name registrar, your website host, a 3rd party, or in rare cases a server on your network, all depending on how you previously set up DNS for your domain name.

2) Create a new TXT record.

3) Create SPF text based on the servers allowed to SEND on your domain's behalf. Several tools exist to do this, such as this one:

4) Paste the SPF text into the TXT record.

5) Test your new LIVE record for syntax errors and that it provides the expected info; tools exist to do so.

Done. SPF should now be live for your domain.
LVL 56

Expert Comment

by: Cliff Galiher
ID: 36522279
@thegeezer: SPF works based on a lookup of the domain in the sender's FROM address, so even with a smarthost setup, it is far more common that DNS needs to be handled by the domain owner, not the ISP. A smarthost doesn't significantly change how SPF works or how lookups occur. Just an FYI.

LVL 22

Expert Comment

ID: 36522347
Without more info I will post this as a guess.

Your DNS TXT record should be this:

"v=spf1 ip4: mx -all"

Substitute your static IP address (your Exchange public IP address) in the above ip4: part.

mx is for allowing the mail servers in your MX records to be able to send mail also.

If only your Exchange server is sending mail for your domains, then you can remove the mx if you like.

Put that TXT record into the zone on each of your domains' DNS servers.
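To make the ip4 versus mx distinction in this record concrete for the setup in the question (inbound MX hosts at the filtering service, outbound mail leaving from the Exchange server's own fixed IP), here is a small evaluator, added here and not part of any poster's answer, that checks a sender IP against a record built from the ip4, mx and all mechanisms. It also covers the syntax check in step 5 of the accepted answer by returning permerror for a malformed record such as an unfilled "ip4:". The zone data, domain name and IP addresses are constructed placeholders, not the poster's real domains.

```python
import ipaddress

# Constructed zone data (placeholders, not the poster's domains): the MX hosts
# point at the inbound filtering service, while the Exchange server sends from
# its own fixed public IP (203.0.113.5 below), which no MX record covers.
ZONE = {
    "MX": {"example.org": ["mx1.filter.example.net", "mx2.filter.example.net"]},
    "A": {"mx1.filter.example.net": ["198.51.100.10"],
          "mx2.filter.example.net": ["198.51.100.11"]},
}

def _mx_ips(domain):
    """Addresses of the domain's MX hosts, resolved from the constructed zone."""
    ips = []
    for host in ZONE["MX"].get(domain, []):
        ips.extend(ZONE["A"].get(host, []))
    return ips

def evaluate_spf(record, domain, sender_ip):
    """Evaluate sender_ip against an SPF record using the mechanisms this thread
    discusses (ip4, mx, all with +/-/~/? qualifiers). Returns pass, fail,
    softfail, neutral, none (no SPF record) or permerror (malformed record)."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in parts[1:]:
        qual = "+"  # mechanisms default to the "+" (pass) qualifier
        if term[0] in results:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                # A bare "ip4:" (the template left unfilled) is a syntax error.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(a) for a in _mx_ips(arg or domain))
        else:
            return "permerror"  # mechanism this evaluator does not know
        if matched:
            return results[qual]
    return "neutral"  # no mechanism matched and no "all" term
```

With only "mx -all" the Exchange server's fixed IP fails, because the MX hosts belong to the filtering service; adding "ip4:<exchange public IP>" is what makes outbound mail pass.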

LVL 11

Expert Comment

ID: 36522524
@cliff - having worked for many years with Microsoft customers, one of the regularly encountered issues is that ISPs which are used as Smart Hosts host all records, including A records, for the end user organizations - hence problems with them not having (or having incorrect) PTR records which fail on reverse lookup. In these cases the ISP would also need to host the SPF records.

All the end user does is pass ALL of their mail to one or more IP addresses - the ISP then forwards the mail and they hold the Public A and PTR records which point to THEIR OWN servers. I think you will see that in this case, the SPF records would need to be published via their DNS servers ?
LVL 56

Expert Comment

by: Cliff Galiher
ID: 36522550
PTR records and SPF records are unrelated. Thus an A record for an ISP's smarthost is also unrelated. It is all about the domain name of the sender's address. In some cases the ISP does control that DNS as well, but these are also places where you often see POP3 still being used, and in such instances SPF is the least of an admin's problems.

So, possible? Yes. Likely? Not very likely at all.

LVL 11

Expert Comment

ID: 36522673
I am aware they are technically unrelated; the point I was making is that in many cases, the ISP which is responsible for the A and PTR records is ultimately responsible for ALL DNS issues for the domain. These are hardly unusual. As an example, from a reputable source, please see GFI's response here:

The proof in this case is whether the ISP is responsible here or not, so let's see. Ultimately, whether what you have said resolves it or what I have said resolves it is immaterial to me; the important thing is that it is resolved.

Author Closing Comment

ID: 36523307
Over the span of a couple of hours, several people gave definitive answers.  I thank everyone for contributing.  I am closing this and awarding to the first complete answer.
LVL 11

Expert Comment

ID: 36523470
Glad you got it sorted.
