Exchange 2007 Send Connectors, SPF and MX and Multiple Domains

Hello,

I am using SBS2008 with Exchange 2007. I have set up three domains to send and receive from different user accounts…

user A > domain A
user B > domain B
user C > domain C

The MX records for all the domains point to…
Domain A > remote.domainA.com > 217.217.217.217
Domain B > remote.domainB.com > 217.217.217.217
Domain C > remote.domainC.com > 217.217.217.217

SPF Records
domainA.com          > v=spf1 mx -all
remote.domainA.com   > v=spf1 mx -all

domainB.com          > v=spf1 mx ip4:217.217.217.217 -all
remote.domainB.com   > v=spf1 mx ip4:217.217.217.217 -all

domainC.com          > v=spf1 mx ip4: 217.217.217.217 -all
remote.domainC.com   > v=spf1 mx ip4: 217.217.217.217 -all

Exchange has been set up for DomainA, i.e.:

Receive Connectors

Default SERVER                                FQDN > SERVER.localdomain.local
Windows SBS Fax Sharepoint Receive SERVER     FQDN > SERVER.localdomain.local
Windows SBS Internet Receive SERVER           FQDN > remote.domainA.com

Send Connector

Windows SBS Internet Send SERVER              FQDN > remote.domainA.com

Email is routed through DNS, not smart hosts.

Some of our emails from domainB and domainC are not being delivered or are turning up as spam; all emails from all three domains pass SPF checks.

My questions are:

Have I got Exchange set up correctly to host multiple domains? Should there be a send connector for each domain as well as a receive connector for each? I have added the domains as authoritative ones and created email policies and assigned them to companies using ADUC.

Have I set up the MX records correctly in DNS, or should all three DNS entries at our hosting company point solely to remote.domainA.com and IP 217.217.217.217? That is, should domainB's and domainC's MX records be remote.domainA.com > 217.217.217.217?

Have I set up the SPF records correctly? I did them this way because all the domains seem to be sending through the same send connector, and I'm a little shaky on SPF if I'm honest. I don't think I need the ip4: tag in the SPF as MX resolves to that IP; I put it in because email from domainB looks like it's sent from domainA, and that configuration seems to work.

Am I way short of the mark on how Exchange needs to be set up for multiple domains, or am I nearly there? Your input would be gratefully received.

Thank you for persevering with such a long post.

Dave
Papertrip Commented:
I'm going to talk on everything except the Exchange-specific stuff such as send connectors.

Have I set up the MX records correctly in DNS or should all three DNS entries at our hosting company point solely to remote.domainA.com and IP 217.217.217.217 so should domainB and domainC's MX record be remote.domainA.com > 217.217.217.217

The MX record for all the domains point to…
Domain A > remote.domainA.com > 217.217.217.217
Domain B > remote.domainB.com > 217.217.217.217
Domain C > remote.domainC.com > 217.217.217.217
All an MX record does is tell servers where to send mail for a specific domain. The hostname in the MX record does not need to match the domain of the zone file it is in, so you can set the MX records for domainA/B/C to all point to remote.domainA.com.

Have I set up the SPF records correctly, I did them this way because all the domains seem to be sending through the same send connector and I'm a little shaky on SPF if I'm honest, I don’t think I need the ip4: tag in the SPF as MX resolves to that IP, I put it in because email from domainB looks like its sent from domainA  and that configuration seems to work

This is what the SPF record should look like for domainA/B/C (they should all look the same if being sent from the same IP).
"v=spf1 ip4:217.217.217.217 ~all"


I recommend SPF softfail + DKIM as opposed to SPF hardfail. SPF hardfail will break forwarding 100% of the time. If you want specifics about SPF, let me know.


Papertrip Commented:
Don't use mechanisms such as "a", "mx" and "ptr" in your SPF record, especially if there is only one sending IP; all that does is require more DNS lookups per SPF query.
Declaro (Author) Commented:
When you say hardfail will break forwarding 100% of the time, do you mean that if someone forwards your message to another party it will not get through? (Sorry if it's a dim question.) Don't some servers reject the mail for being softfail, or is it passed because it's coming from the correct IP, and isn't it open to abuse by spammers?

Is DKIM difficult to implement? As you can probably tell, I'm not brilliant with Exchange and mail protocols.

Thank you for helping with my questions
Papertrip Commented:
That is most definitely not a dim question! I didn't explain everything in detail in my last reply because, honestly, I didn't want to explain a million things that you may already understand.

Yes that is exactly what I mean about forwarding breaking.

Dont some servers reject the mail for being softfail or is it passed because its coming from the correct IP and isn't it open to abuse by spammers
What softfail says is if the sending IP is not listed in the SPF record, to consider that SPF check to be suspicious, and require it to pass another level of authentication such as DK or DKIM.
Is DKIM difficult to implement, as you can probably tell i'm not brilliant with exchange and mail protocols
Generally, no. DKIM is very straightforward and should be quite easy to implement in any environment. However! I do not admin an Exchange server, so I don't know the process there, but I found a link here that says it is not supported natively. Perhaps someone else can give some real-world experience on how they implemented it in Exchange.

Check out this reply I made the other day about softfail vs. hardfail --  It's not a very technical answer but should get the point across.

Here's how most receiving servers do validation in regards to SPF+DKIM. Not including ADSP in this example for simplicity's sake.

If SPF passes, continue to DATA portion
If SPF fails, reject message.
If SPF is neutral or softfail, continue to DATA and check DKIM.  Reject if failed, deliver if passed.
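As an added worked example (not code from the thread or from any Exchange or SPF library), the following Python models the SPF evaluation behind the accepted answer and the receiver decision order listed in the comment above. The DNS data is constructed: the zone contents, the forwarder address 198.51.100.7 and the name broken.example are assumptions for the demo. It shows why a record ending in -all fails a message that a third party forwards unchanged while ~all hands the decision to DKIM, counts the lookup-causing terms that the "a"/"mx"/"ptr" comment refers to (RFC 7208 caps them at 10 per evaluation), and reports permerror for a record with a space after "ip4:" as in the domainC lines of the question, because "ip4:" with no address is a syntax error rather than a mechanism.

```python
"""Offline SPF check_host() plus the SPF+DKIM receiver policy from the thread.

All DNS data below is constructed for the example; nothing here is queried live.
"""
import ipaddress

# Constructed zone data for the domains discussed in the thread (assumed, not real).
DNS = {
    "domainA.com": {"TXT": ["v=spf1 ip4:217.217.217.217 -all"]},
    "domainB.com": {"TXT": ["v=spf1 ip4:217.217.217.217 ~all"]},
    "domainC.com": {"TXT": ["v=spf1 mx -all"], "MX": ["remote.domainA.com"]},
    "remote.domainA.com": {"A": ["217.217.217.217"]},
    # Hypothetical domain whose record has a space after "ip4:" (a syntax error).
    "broken.example": {"TXT": ["v=spf1 ip4: 217.217.217.217 -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS query; RFC 7208 allows at most 10 of them per evaluation.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def lookup(name, rtype):
    """Stand-in resolver over the constructed DNS table."""
    return DNS.get(name, {}).get(rtype, [])


def check_host(ip_text, domain):
    """Evaluate the SPF record of `domain` for sending IP `ip_text`.

    Returns (result, lookup_count). Models ip4/ip6/a/mx/all and the four
    qualifiers; any other term is reported as permerror rather than guessed.
    """
    ip = ipaddress.ip_address(ip_text)
    records = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0].lower() == "v=spf1"]
    if not records:
        return "none", 0
    if len(records) > 1:            # two SPF records is a permerror, not "both apply"
        return "permerror", 0
    lookups = 0
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_TERMS:
            lookups += 1
            if lookups > 10:
                return "permerror", lookups
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif name == "a":
                matched = any(ip in ipaddress.ip_network(a) for a in lookup(arg or domain, "A"))
            elif name == "mx":
                matched = any(ip in ipaddress.ip_network(a)
                              for mx in lookup(arg or domain, "MX")
                              for a in lookup(mx, "A"))
            else:
                return "permerror", lookups   # unknown or unmodelled term
        except ValueError:                    # e.g. "ip4:" with no address behind it
            return "permerror", lookups
        if matched:
            return QUALIFIERS[qualifier], lookups
    return "neutral", lookups                 # nothing matched and no "all" term


def receiver_policy(spf_result, dkim_result):
    """Decision order from the comment above: SPF pass accepts, SPF fail rejects
    before DATA, neutral/softfail defer to DKIM. Other results go to local policy."""
    if spf_result == "pass":
        return "accept"
    if spf_result == "fail":
        return "reject-at-mail-from"
    if spf_result in ("neutral", "softfail"):
        return "accept" if dkim_result == "pass" else "reject"
    return "local-policy"


def forwarding_demo(domain, dkim_result, forwarder_ip="198.51.100.7"):
    """Same message sent directly from the Exchange box, then relayed unchanged
    by a forwarder (assumed address); returns (direct, relayed, decision)."""
    direct, _ = check_host("217.217.217.217", domain)
    relayed, _ = check_host(forwarder_ip, domain)
    return direct, relayed, receiver_policy(relayed, dkim_result)


if __name__ == "__main__":
    for d in ("domainA.com", "domainB.com"):
        print(d, forwarding_demo(d, "pass"))
    print("domainC.com direct:", check_host("217.217.217.217", "domainC.com"))
    print("broken.example:", check_host("217.217.217.217", "broken.example"))
```

Running it shows domainA's -all record passing the direct send but failing the forwarded copy outright, whereas domainB's ~all record softfails the forwarded copy and the DKIM result decides delivery; domainC's "mx" term costs one of the ten permitted lookups for a result that ip4:217.217.217.217 would give for free.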
Papertrip Commented:
Dont some servers reject the mail for being softfail or is it passed because its coming from the correct IP and isn't it open to abuse by spammers

What softfail says is if the sending IP is not listed in the SPF record, to consider that SPF check to be suspicious, and require it to pass another level of authentication such as DK or DKIM.

I should mention this as well from the RFC for SPF:

2.5.5.  SoftFail

   A "SoftFail" result should be treated as somewhere between a "Fail"
   and a "Neutral".  The domain believes the host is not authorized but
   is not willing to make that strong of a statement.  Receiving
   software SHOULD NOT reject the message based solely on this result,
   but MAY subject the message to closer scrutiny than normal.

If a receiving server is rejecting mail based solely on an SPF softfail, then they are doing it wrong, plain and simple. As I mentioned in one of the links I posted to a prior answer of mine, "you can't fix all the stupid" when it comes to receiving servers. In the end, the local admin will set up the policies as they see fit, which can unfortunately cause problems for you even if you follow the RFC to a T.
Declaro (Author) Commented:
Thanks for the help with this. I'm going to leave it open for a while to see if I get any Exchange-specific help, but for future reference I found this: http://www.korteksolutions.com/lyle/ which goes into some detail about multiple domains in Exchange 2007, but unfortunately not about send connectors etc.

Thank you :)
Papertrip Commented:
Sounds good, good luck!
Question has a verified solution.