Exchange 2007 Send Connectors, SPF and MX and Multiple Domains

Posted on 2011-10-04
Last Modified: 2012-05-12
Hello,

I am using SBS 2008 with Exchange 2007. I have set up three domains to send and receive from different user accounts:

user A > domain A
user B > domain B
user C > domain C

The MX records for all the domains point to:
Domain A > remote.domainA.com > 217.217.217.217
Domain B > remote.domainB.com > 217.217.217.217
Domain C > remote.domainC.com > 217.217.217.217

SPF Records
domainA.com           >  v=spf1 mx -all
remote.domainA.com    >  v=spf1 mx -all

domainB.com           >  v=spf1 mx ip4:217.217.217.217 -all
remote.domainB.com    >  v=spf1 mx ip4:217.217.217.217 -all

domainC.com           >  v=spf1 mx ip4: 217.217.217.217 -all
remote.domainC.com    >  v=spf1 mx ip4: 217.217.217.217 -all

Exchange has been set up for domainA, i.e.:

Receive Connectors

Default SERVER                              FQDN > SERVER.localdomain.local
Windows SBS Fax Sharepoint Receive SERVER   FQDN > SERVER.localdomain.local
Windows SBS Internet Receive SERVER         FQDN > remote.domainA.com

Send Connector

Windows SBS Internet Send SERVER            FQDN > remote.domainA.com

Email is routed through DNS, not smart hosts.

Some of our emails from domainB and domainC are not being delivered or are turning up as spam; all emails from all three domains pass SPF checks.

My questions are:

Have I got Exchange set up correctly to host multiple domains? Should there be a send connector for each domain as well as a receive connector for each? I have added the domains as authoritative ones, created email address policies and assigned them to companies using ADUC.

Have I set up the MX records correctly in DNS, or should all three DNS entries at our hosting company point solely to remote.domainA.com and IP 217.217.217.217? That is, should domainB's and domainC's MX records be remote.domainA.com > 217.217.217.217?

Have I set up the SPF records correctly? I did them this way because all the domains seem to be sending through the same send connector, and I'm a little shaky on SPF if I'm honest. I don't think I need the ip4: tag in the SPF as MX resolves to that IP; I put it in because email from domainB looks like it's sent from domainA, and that configuration seems to work.

Am I way short of the mark on how Exchange needs to be set up for multiple domains, or am I nearly there? Your input would be gratefully received.

Thank you for persevering with such a long post.

Dave
Question by: Declaro
 
Accepted Solution by: Papertrip
I'm going to talk on everything except the Exchange-specific stuff such as send connectors.

Have I set up the MX records correctly in DNS, or should all three DNS entries at our hosting company point solely to remote.domainA.com and IP 217.217.217.217? That is, should domainB's and domainC's MX records be remote.domainA.com > 217.217.217.217?

The MX records for all the domains point to:
Domain A > remote.domainA.com > 217.217.217.217
Domain B > remote.domainB.com > 217.217.217.217
Domain C > remote.domainC.com > 217.217.217.217

All the MX record does is tell servers where to send mail for a specific domain. The domain of the MX record itself does not need to match the domain of the zone file it is in. So you can set the MX records for domainA/B/C to all point to remote.domainA.com.

Have I set up the SPF records correctly? I did them this way because all the domains seem to be sending through the same send connector, and I'm a little shaky on SPF if I'm honest. I don't think I need the ip4: tag in the SPF as MX resolves to that IP; I put it in because email from domainB looks like it's sent from domainA, and that configuration seems to work.

This is what the SPF record should look like for domainA/B/C (they should all look the same if mail is being sent from the same IP):
"v=spf1 ip4:217.217.217.217 ~all"


I recommend SPF softfail + DKIM as opposed to SPF hardfail. SPF hardfail will break forwarding 100% of the time. If you want specifics about SPF, let me know.

Expert Comment by: Papertrip
Don't use mechanisms such as "a", "mx" and "ptr" in your SPF record, especially if there is only one sending IP; all that does is require more DNS lookups per SPF query.
Author Comment by: Declaro
When you say hardfail will break forwarding 100% of the time, do you mean that if someone forwards your message to another party it will not get through? (Sorry if it's a dim question.) Don't some servers reject the mail for being softfail, or is it passed because it's coming from the correct IP, and isn't it open to abuse by spammers?

Is DKIM difficult to implement? As you can probably tell, I'm not brilliant with Exchange and mail protocols.

Thank you for helping with my questions
Expert Comment by: Papertrip
That is most definitely not a dim question! I didn't explain everything in detail in my last reply because, honestly, I didn't want to explain a million things that you may already understand.

Yes that is exactly what I mean about forwarding breaking.

Don't some servers reject the mail for being softfail, or is it passed because it's coming from the correct IP, and isn't it open to abuse by spammers?

What softfail says is: if the sending IP is not listed in the SPF record, consider that SPF check to be suspicious, and require it to pass another level of authentication such as DK or DKIM.

Is DKIM difficult to implement? As you can probably tell, I'm not brilliant with Exchange and mail protocols.

Generally, no. DKIM is very straightforward and should be quite easy to implement in any environment. However! I do not admin an Exchange server, so I don't know the process there, but I found a link here that says it is not supported natively. Perhaps someone else can give some real-world experience on how they implemented it in Exchange.

Check out this reply I made the other day about softfail vs. hardfail. It's not a very technical answer but should get the point across.

Here's how most receiving servers do validation in regards to SPF+DKIM. I'm not including ADSP in this example, for simplicity's sake.

If SPF passes, continue to the DATA portion.
If SPF fails, reject the message.
If SPF is neutral or softfail, continue to DATA and check DKIM. Reject if it failed, deliver if it passed.
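To make the two points above concrete (the accepted answer's "one ip4 mechanism, no mx/a/ptr lookups" record shape, and the receiver flow just described), here is an added example of my own, not code from this thread, from Exchange, or from any SPF library. It is a deliberately small SPF evaluator: the DNS answers are constructed inline from the question's hostnames and the 217.217.217.217 address so it runs offline, only the ip4, a, mx and all mechanisms are implemented, and the "scrutinize" outcome for unsigned softfail mail is my reading of the RFC text quoted further down rather than anything the thread states.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline: the MX and A
# answers the question describes (every MX host resolves to the one IP).
# A real receiver resolves these, which is why "mx", "a" and "ptr" each cost
# a DNS query while "ip4" costs none (RFC 4408 caps a record at 10 lookups).
FAKE_DNS = {
    "mx": {"domainA.com": ["remote.domainA.com"],
           "domainB.com": ["remote.domainB.com"],
           "domainC.com": ["remote.domainC.com"]},
    "a": {"remote.domainA.com": ["217.217.217.217"],
          "remote.domainB.com": ["217.217.217.217"],
          "remote.domainC.com": ["217.217.217.217"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"a", "mx", "ptr", "include", "exists"}
MECHANISMS = LOOKUP_MECHS | {"ip4", "ip6", "all"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms.
    Raises ValueError for anything that is not well-formed SPF. Note the
    "ip4: 217.217.217.217" spelling from the question: the space leaves a
    bare "ip4:" term with no address, so that record is rejected here."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for raw in parts[1:]:
        qual = "+"
        if raw[0] in QUALIFIERS:
            qual, raw = raw[0], raw[1:]
        mech, _, arg = raw.partition(":")
        mech = mech.lower()
        if "=" in mech:
            continue  # redirect= / exp= modifiers are out of scope here
        if mech not in MECHANISMS:
            raise ValueError("unknown mechanism: %r" % raw)
        if mech in ("ip4", "ip6", "include", "exists") and not arg:
            raise ValueError("%s needs an argument" % mech)
        terms.append((qual, mech, arg))
    return terms


def is_valid_spf(record):
    try:
        parse_spf(record)
        return True
    except ValueError:
        return False


def dns_lookups(terms):
    """DNS queries a receiver must make before it can match anything."""
    return sum(1 for _, mech, _ in terms if mech in LOOKUP_MECHS)


def check_spf(record, domain, sender_ip, dns=FAKE_DNS):
    """Evaluate sender_ip against domain's record: the first matching
    mechanism wins and its qualifier is the result; no match is "neutral".
    Only ip4, a, mx and all are implemented; other mechanisms never match."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns["a"].get(arg or domain, [])
        elif mech == "mx":
            matched = any(str(ip) in dns["a"].get(mx_host, [])
                          for mx_host in dns["mx"].get(arg or domain, []))
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def receiver_decision(spf_result, dkim_result=None):
    """The receiving-server policy sketched in the thread: settle pass/fail
    on SPF at the envelope, consult DKIM only for neutral/softfail.
    dkim_result is "pass", "fail" or None (unsigned). Returning "scrutinize"
    for an unsigned softfail is my assumption from the RFC's "closer
    scrutiny" wording, not something the thread specifies."""
    if spf_result == "pass":
        return "deliver"
    if spf_result == "fail":
        return "reject"
    if dkim_result == "pass":
        return "deliver"
    if dkim_result == "fail":
        return "reject"
    return "scrutinize"


def compare_records(sender_ip="217.217.217.217"):
    """Result and lookup cost of the question's domainA record versus the
    recommended record, for mail from the shared server IP."""
    recommended = "v=spf1 ip4:217.217.217.217 ~all"
    original = "v=spf1 mx -all"
    return {
        "original": (check_spf(original, "domainA.com", sender_ip),
                     dns_lookups(parse_spf(original))),
        "recommended": (check_spf(recommended, "domainA.com", sender_ip),
                        dns_lookups(parse_spf(recommended))),
    }
```

Both records pass for mail from 217.217.217.217; the difference is that the "mx -all" form costs the receiver an MX query plus an A query per MX host before it can answer, and hard-fails anything else, while the recommended form answers from the record alone and leaves forwarded mail to DKIM.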
 
Expert Comment by: Papertrip
Don't some servers reject the mail for being softfail, or is it passed because it's coming from the correct IP, and isn't it open to abuse by spammers?

What softfail says is: if the sending IP is not listed in the SPF record, consider that SPF check to be suspicious, and require it to pass another level of authentication such as DK or DKIM.

I should mention this as well from the RFC for SPF:

2.5.5.  SoftFail

   A "SoftFail" result should be treated as somewhere between a "Fail"
   and a "Neutral".  The domain believes the host is not authorized but
   is not willing to make that strong of a statement.  Receiving
   software SHOULD NOT reject the message based solely on this result,
   but MAY subject the message to closer scrutiny than normal.

If a receiving server is rejecting mail based solely on an SPF softfail, then they are doing it wrong, plain and simple. As I mentioned in one of the links I posted to a prior answer of mine, "you can't fix all the stupid" when it comes to receiving servers. In the end, the local admin will set up the policies as they see fit, which can unfortunately cause problems for you even if you follow the RFC to a T.
Author Comment by: Declaro
Thanks for the help with this. I'm going to leave it open for a while to see if I get any Exchange-specific help, but for future reference for people, I found this: http://www.korteksolutions.com/lyle/ which goes into some detail about multiple domains in Exchange 2007, but unfortunately not about send connectors etc.

Thank you :)
Expert Comment by: Papertrip
Sounds good, good luck!