Solved

SPF Items

Posted on 2012-03-12
787 Views
Last Modified: 2012-03-14
We have our own Exchange 2003 mail server running on Windows Server 2003 and have never configured SPF records. Our email addresses are @domain1.com but our mail server is mail.domain2.com in the MX record for domain2.com. We also use Trend Micro for inbound email filtering only, so the MX for domain1.com is Trend's inbound. Domain2 is hosted by GoDaddy and domain1 by tkcars. Our ISP is Windstream. If I need to add an SPF, do I need to do it for the domain1 domain or domain2 or both? What should it look like? mail.domain2.com has one public IP address but the A record for domain2 is another IP address, so I presume it would look like: "v=spf1 a:mail.domain2.com -all". Do I just add this for domain2 on GoDaddy's console or do I need Windstream to also add it? Perhaps I've configured it wrong, but I have Windstream's DNS servers as the forwarders on our internal DNS for domain1 and domain2 (since they're under the same DNS server), not GoDaddy or tkcars.
Question by:fabiouness
6 Comments
LVL 6

Expert Comment

by:FdpxAP-GJL
Hi,

SPF is for outbound email, i.e. the sender.

The exchange server is receiving email for domain 1. Is it sending for domain 1 or is it forwarding through a host?

If it is sending direct, then the SPF needs to contain the IP address / DNS record of the exchange server.

For example

Exchange server sends for domain sample.test
Real world IP is  17.243.87.124
It is the ONLY machine that sends out email for the sample.test domain

Therefore the SPF would be posted under the DNS records of domain sample.test and would be something like

"v=spf1 a:17.243.87.124 -all"

If exchange server had a DNS entry
Exchange.host.test
then the SPF record could be

"v=spf1 a:Exchange.host.test -all"

Note: if you are using DNS records, make sure you have the reverse lookup working. It caught me out recently.

So in summary, the SPF for an email domain has to be in that domain's DNS entries, and must point to the machine sending email.

Regards

Gordon
 

Author Comment

by:fabiouness
Our exchange server is receiving mail from Trend's inbound server for domain1. No one knows about domain2 because email addresses show up as @domain1.com. So, the exchange server sends for domain1 and there is a secondary SMTP address for each email user on the system for @domain2.com, but the outside world only sees @domain1.com. The OWA site for email is mail.domain2.com and this is also the MX record for domain2.com. So you're saying I need to place the SPF record with the public IP of mail.domain2.com at the DNS host's site. Based on my original question, I presume this would be GoDaddy since it hosts domain2.com and not Windstream? And to address the adjunct question, should I change my internal DNS forwarders to GoDaddy's DNS servers instead of Windstream's?
 
LVL 25

Accepted Solution

by:
DrDave242 earned 500 total points
If your public e-mail domain is domain1.com, you need to create the SPF record in the public domain1.com DNS forward lookup zone. If that domain is hosted by GoDaddy, that's where you'll need to go to create the record. (I'm pretty sure their console allows you to create an SPF record, although I don't have a domain hosted by them, so I can't say for certain.)

The contents of the record can depend on what else you've got in that public DNS zone. If your mail server has a host record in that zone, the a mechanism without any parameters will suffice (v=spf1 a -all), as it will check all of those host records to make sure one matches. If you want to specify a hostname with a:mail.domain1.com, you can, but it's not necessary.

If, on the other hand, you want to specify the public IP address of your mail server, you'll need to use the ip4 mechanism rather than a. If your public address were 1.2.3.4, the resulting record would be v=spf1 ip4:1.2.3.4 -all.

You have a lot of other options too, but these are the simplest. A good overview of the SPF syntax is here.

Regarding your DNS forwarders, it doesn't matter much which ones you use. As long as everything is configured correctly, any public DNS server should be able to answer a query for anything in the public namespace. You may want to do some performance testing and go with whichever set of servers gives you the quickest response (though they should both be pretty quick).

Author Closing Comment

by:fabiouness
Thanks for the assistance! As a follow-up, if a third-party marketing firm was pulling data from our ADP DMS and sending emails through our system and asks that we create an SPF record for their IP and domain name in our DNS, is that going to conflict with the one for ours that specifies only one public IP?
 
LVL 25

Expert Comment

by:DrDave242
Do the e-mails that they send have your domain or theirs in the "From" field? If it's your domain and they're sent by a server different from what's in your SPF record, that server will need to be added to your record (as long as you trust that they won't be spamming in your name, of course). Adding it won't cause a conflict with what you've already got there; you can add as many servers to the record as you need.

If their e-mails show a different domain in the "From" field, it'll be up to them to create the necessary SPF record, because it'll have to reside in that domain's public DNS zone rather than yours.
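To make concrete how a receiving server evaluates the records discussed in the accepted solution (v=spf1 a -all, v=spf1 ip4:1.2.3.4 -all) and in the follow-up about adding a second sending server, here is a small SPF evaluator. It is an added example, not code from this thread or from any of the products mentioned. It uses a constructed in-memory DNS table for the thread's hypothetical hostnames (domain1.com, mail.domain2.com and an assumed inbound filter host) instead of real lookups, and implements only the a, mx, ip4 and all mechanisms with the four qualifiers; include and redirect are deliberately reported as permerror. The example also goes slightly beyond the thread by showing ~all (softfail) and a record with no all term.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed DNS table.

Added illustration for the thread above; not the thread's or any vendor's code.
Only a, mx, ip4 and all mechanisms are supported, and no real DNS is queried.
"""
import ipaddress

# Constructed DNS data for the hypothetical domains in the thread.
# domain1.com's public zone has its own A record and an MX pointing at the
# (assumed) inbound filter; the Exchange server lives in domain2's zone.
DNS = {
    "domain1.com": {"A": ["203.0.113.10"], "MX": ["inbound.example-filter.net"]},
    "mail.domain2.com": {"A": ["198.51.100.25"]},
    "inbound.example-filter.net": {"A": ["192.0.2.50"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Return the constructed RRset for name/rrtype, or [] if absent."""
    return DNS.get(name.lower(), {}).get(rrtype, [])


def split_qualifier(term):
    """Separate a leading +, -, ~ or ? from a mechanism; default is + (pass)."""
    if term and term[0] in QUALIFIER_RESULT:
        return term[0], term[1:]
    return "+", term


def check_spf(record, sender_ip, domain):
    """Evaluate `record` (published for `domain`) against the connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror. Mechanisms are
    tested left to right; the first match decides, as in RFC 7208.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier, mechanism = split_qualifier(term)
        name, _, arg = mechanism.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            # ip4 takes a literal address or CIDR block.
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "a":
            # "a" checks the A records of the named host, or of the SPF domain
            # itself when no host is given. The argument is a hostname, so an
            # IP literal here never matches (this is why ip4 exists).
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            # "mx" matches if the IP is an A record of any MX host of the domain.
            hosts = lookup(arg or domain, "MX")
            matched = any(str(ip) in lookup(mx, "A") for mx in hosts)
        else:
            return "permerror"  # include/redirect/etc. not implemented here

        if matched:
            return QUALIFIER_RESULT[qualifier]

    return "neutral"  # nothing matched and no "all" term was published


if __name__ == "__main__":
    exchange_ip = "198.51.100.25"   # public IP of mail.domain2.com (constructed)
    third_party_ip = "192.0.2.77"   # a second sender to be authorised (constructed)
    for rec in ("v=spf1 a -all",
                "v=spf1 a:mail.domain2.com -all",
                "v=spf1 ip4:198.51.100.25 -all",
                "v=spf1 ip4:198.51.100.25 ip4:192.0.2.77 -all"):
        print(f"{rec!r:50} exchange={check_spf(rec, exchange_ip, 'domain1.com'):8}"
              f" third_party={check_spf(rec, third_party_ip, 'domain1.com')}")
```

Running it shows the point made in the accepted solution: a bare "a" only passes for addresses that have host records in domain1.com's own zone, so the Exchange server (whose A record sits in domain2's zone) fails there but passes once named explicitly with a:mail.domain2.com or listed with ip4. Appending a second ip4 term authorises the additional sender without disturbing the first, which is the "no conflict" behaviour described in the follow-up reply.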
 

Author Comment

by:fabiouness
I just found out that the third party is actually sending the emails from their own server based on addresses found in the files they pull off our DMS, so then that's up to them to deal with the SPF. Thanks again, though.