N00B SBS2011 Exchange SPF

I've recently deployed SBS2011 and we are in the process of migrating our email from Yahoo Business to our Exchange server.  Unfortunately I have to use the POP connector in Exchange because many remote users rely on Yahoo's POP/SMTP email hosting.  Our Exchange server isn't hardened up yet and I'm not comfortable opening up the web-facing OWA and remote stuff quite yet.  The problem is Yahoo doesn't have a smart host and email is getting blacklisted because reverse DNS snoops on the domain are resolving to Yahoo's servers and not ours, obviously.  I spoke with Yahoo and they told me to give them the SPF record and they would add it to DNS on their servers. Here is what I think I should give them:

 v=spf1 mx include:<my static ip address> ~all

Will this work?

My domain is hosted by Yahoo so my MX records currently point to their servers.  I'll change it once Exchange is ready to completely host mail but for now it has to stay....

HELP
Hir0 asked:
Exchange_Geek commented:
Your syntax should be v=spf1 mx ip4=ipaddress ~all

Regards,
Exchange_Geek
 
Alan Hardisty (Co-Owner) commented:
SPF isn't going to help you if Reverse DNS is failing.

Reverse DNS is configured on your IP Address by your ISP and the name added as your Reverse DNS record needs to resolve back to the IP Address you are sending from.

So - for now, you can create a new A record called for example - send.yourdomain.com and then add this as your Reverse DNS record (call your ISP) and then as long as your A record in DNS points to your Public IP Address, you should pass a Reverse DNS check.
 
Exchange_Geek commented:
Yes it would; you'll have to add the external IP of your environment.

For example, if this is your mail flow:

Exchange --> A/V --> firewall

So, within SPF you'll add

v=spf1 mx include:<internet facing IP Address of firewall> ~all

that is it.

Regards,
Exchange_Geek
 
Alan Hardisty (Co-Owner) commented:
If you don't have an SPF record currently - that won't be the problem.  If you do - then an SPF record isn't going to cause you problems with Reverse DNS.
 
Hir0 (Author) commented:
Thanks guys

@Exchange Geek

My users were getting the following message

att.net gave this error:
xx.xxx.xxx.xx blocked by sbc:blacklist.mailrelay.att.net. DNSRBL: Blocked for abuse. See http://att.net/blocks

According to you I would just tell Yahoo to add the following SPF record?

v=spf1 mx include:xx.xxx.xxx.xx ~all


The xx.xxx.xxx.xx represents my public static IP
 
Alan Hardisty (Co-Owner) commented:
That's because your IP Address is Blacklisted - not to do with SPF or Reverse DNS.

Why is it blacklisted?  Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org

Extract from their website (http://dnsrbl.net/):

Domain Name System Real-time Black List
DNSRBL is an anti-SPAM system. We publish, via DNS, a list of IP addresses of machines that we know to be either direct SPAM sources or Dial-up (dynamic address) pools which would never be a source of non-SPAM eMail. Some users may choose to use our lists to block or add warnings to email. Neither of these facts directly relate to us; we simply publish a list of known SPAM sites.
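The two checks discussed above, forward-confirmed reverse DNS (the PTR name for the sending IP must resolve back to that IP) and a DNSBL lookup (the reversed octets of the IP are queried under the list's zone, and a 127.0.0.x answer means "listed"), as an added worked example that is not code from the thread. It runs against a constructed zone table: 203.0.113.10 plays the static IP with a matching A/PTR pair, 203.0.113.99 plays the dynamically assigned address with a generic ISP PTR name and a listing, and dnsbl.example.org is a made-up list zone. The `system_resolver` function has the same interface over the OS resolver so the checks can be pointed at real DNS; it is not used in the offline run.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and DNSBL checks for a sending
IP, the two things the thread says an SPF record does not fix.
Added example; the addresses and the DNSBL zone are constructed."""
import ipaddress
import socket

# Constructed records (RFC 5737 documentation addresses):
# - 203.0.113.10: PTR -> send.example.com, which resolves forward to the
#   same address, so FCrDNS passes.
# - 203.0.113.99: generic ISP PTR name with no forward A record, and an
#   entry in the made-up list zone dnsbl.example.org (127.0.0.2 = listed).
FAKE_DNS = {
    ("10.113.0.203.in-addr.arpa", "PTR"): ["send.example.com"],
    ("send.example.com", "A"): ["203.0.113.10"],
    ("99.113.0.203.in-addr.arpa", "PTR"): ["cpe-203-0-113-99.isp.example.net"],
    ("99.113.0.203.dnsbl.example.org", "A"): ["127.0.0.2"],
}


def fake_resolver(name, rtype):
    """Offline stand-in for DNS: records for (name, rtype), [] if none."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def system_resolver(name, rtype):
    """Same interface over the OS resolver (IPv4 PTR only); for real use."""
    try:
        if rtype == "PTR":
            octets = name.lower().replace(".in-addr.arpa", "").split(".")
            return [socket.gethostbyaddr(".".join(reversed(octets)))[0]]
        return socket.gethostbyname_ex(name)[2]
    except OSError:          # herror / gaierror: NXDOMAIN, timeout, etc.
        return []


def reverse_labels(ip):
    """'203.0.113.10' -> '10.113.0.203', the label order PTR zones and DNSBLs use."""
    return ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]


def fcrdns(ip, resolve=fake_resolver):
    """Return (status, ptr_name). 'ok' only if a PTR name resolves back to ip."""
    ptrs = resolve(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    if not ptrs:
        return "no-ptr", None            # ISP never set a reverse record
    for host in ptrs:
        if ip in resolve(host, "A"):
            return "ok", host            # forward-confirmed
    return "mismatch", ptrs[0]           # PTR exists but does not point back


def dnsbl_listing(ip, zone, resolve=fake_resolver):
    """Return the 127.0.0.x codes ip is listed under in zone ([] if not listed)."""
    answers = resolve(reverse_labels(ip) + "." + zone, "A")
    return [a for a in answers if a.startswith("127.")]


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.99", "203.0.113.77"):
        status, name = fcrdns(ip)
        listed = dnsbl_listing(ip, "dnsbl.example.org")
        print(f"{ip:14} FCrDNS={status:8} PTR={name}  dnsbl={listed or 'clean'}")
```

The mismatch case is the one the thread describes: the ISP's reverse record names a host that does not resolve back to the sending address, so receivers treat the connection as unverified regardless of what the SPF record says. Pass `resolve=system_resolver` to run the same checks against real DNS.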
 
Exchange_Geek commented:
Yes Hiro

Regards,
Exchange_Geek
 
Hir0 (Author) commented:
Thanks, I'll give this a go.
 
Alan Hardisty (Co-Owner) commented:
If you decide to carry on ignoring me I'll happily add you to my list of Askers who I don't get notifications for.  I'm not bothered either way.  I have better things to do with my time than try to help people who ignore me.
 
Hir0 (Author) commented:
OK, called Yahoo and added "v=spf1 mx include:<ip> ~all" to DNS.  I was reading http://www.openspf.org/SPF_Record_Syntax and wondering if I got the syntax correct?

I'm a little worried after reading the Include mechanism.  Is there anything else I might need to do on my end?

The "include" mechanism
include:<domain>
The specified domain is searched for a match. If the lookup does not return a match or an error, processing proceeds to the next directive. Warning: If the domain does not have a valid SPF record, the result is a permanent error. Some mail receivers will reject based on a PermError.

Examples:

In the following example, the client IP is 1.2.3.4 and the current-domain is example.com.

"v=spf1 include:example.com -all"

If example.com has no SPF record, the result is PermError.
Suppose example.com's SPF record were "v=spf1 a -all".
Look up the A record for example.com. If it matches 1.2.3.4, return Pass.
If there is no match, other than the included domain's "-all", the include as a whole fails to match; the eventual result is still Fail from the outer directive set in this example.
Trust relationships — The "include:" mechanism is meant to cross administrative boundaries. Great care is needed to ensure that "include:" mechanisms do not place domains at risk for giving SPF Pass results to messages that result from cross user forgery. Unless technical mechanisms are in place at the specified otherdomain to prevent cross user forgery, "include:" mechanisms should give a Neutral rather than Pass result. This is done by adding "?" in front of "include:". The example above would be:

"v=spf1 ?include:example.com -all"
In hindsight, the name "include" was poorly chosen. Only the evaluated result of the referenced SPF record is used, rather than acting as if the referenced SPF record was literally included in the first. For example, evaluating a "-all" directive in the referenced record does not terminate the overall processing and does not necessarily result in an overall Fail. (Better names for this mechanism would have been "if-pass", "on-pass", etc.)
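As an added worked example (not code from the thread or from openspf.org), here is a small offline SPF evaluator covering the mechanisms that came up in the answers above: `mx`, `ip4`, `include`, and the `~all` / `-all` defaults. It implements a reduced subset of RFC 7208's check_host and runs against constructed zone data (example.com and friends, RFC 5737 addresses, with 203.0.113.10 standing in for the static public IP and mx1.example.com for the hosted MX). It is built to show three things a syntax checker may not: a term written `ip4=` with `=` rather than `:` parses as an unknown modifier and is silently ignored, so the IP is not actually authorised; `include:` takes a domain whose own SPF record is evaluated, so `include:<ip address>` points at a name with no SPF record and yields PermError, exactly the case the openspf text quoted above warns about; and `?include:` turns an included pass into Neutral.

```python
"""Minimal offline SPF evaluator (a subset of RFC 7208 check_host) used to
compare the record variants discussed in the thread. Added example code;
the zone data below is constructed, not the asker's real DNS."""
import ipaddress
import re

# Constructed zone data standing in for DNS. 203.0.113.10 plays the static
# public IP on the Exchange side; mx1.example.com plays the hosted MX.
DNS = {
    "example.com":         {"TXT": ["v=spf1 mx ip4:203.0.113.10 ~all"],
                            "MX": ["mx1.example.com"]},
    "typo.example.com":    {"TXT": ["v=spf1 mx ip4=203.0.113.10 ~all"],  # '=' not ':'
                            "MX": ["mx1.example.com"]},
    "ipinc.example.com":   {"TXT": ["v=spf1 mx include:203.0.113.10 ~all"],
                            "MX": ["mx1.example.com"]},
    "neutral.example.com": {"TXT": ["v=spf1 ?include:partner.example.net -all"]},
    "partner.example.net": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "mx1.example.com":     {"A": ["198.51.100.5"]},
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=])(.*))?")


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The single v=spf1 TXT record of domain, or None (0 or >1 records)."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    if depth > 10:                      # RFC 7208 s4.6.4 lookup limit
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:        # skip the v=spf1 version tag
        m = TERM.fullmatch(term)
        if not m:
            return "permerror"
        qual, name, sep, arg = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":
            # name=value is a *modifier*; unknown modifiers are ignored, so
            # "ip4=203.0.113.10" silently adds nothing to the record.
            continue
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                net = ipaddress.ip_network(arg, strict=False)
                matched = addr.version == net.version and addr in net
            elif name == "a":
                matched = str(addr) in lookup(arg or domain, "A")
            elif name == "mx":
                matched = any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
            elif name == "include":
                # Only the included record's *result* is used (RFC 7208 s5.2);
                # a target with no SPF record, such as a bare IP, is a permerror.
                sub = check_host(ip, arg or "", depth + 1)
                if sub in ("none", "permerror"):
                    return "permerror"
                matched = sub == "pass"
            else:
                return "permerror"      # unknown mechanism
        except ValueError:
            return "permerror"          # malformed ip4/ip6 argument
        if matched:
            return QUAL[qual]
    return "neutral"                    # no term matched and no "all" present


if __name__ == "__main__":
    for dom in ("example.com", "typo.example.com", "ipinc.example.com"):
        print(f"{dom:20} 203.0.113.10 -> {check_host('203.0.113.10', dom)}")
```

Running it shows the three records side by side: the `ip4:` form passes for the static IP, the `ip4=` form falls through to `~all` and softfails, and the `include:<ip>` form is a PermError, which some receivers reject outright. The `mx` mechanism only ever matches the hosted MX's address (198.51.100.5 here), which is why mail submitted directly from the Exchange side needs the `ip4:` entry.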
 
Hir0 (Author) commented:
@alan
I forgot to assign my static IP to the router and the IP in question was dynamically assigned.  I assume this is why my users got that message.  I have since changed it to the static IP, which resolved the issue sending to ATT, but I'm still going down the rabbit hole for reverse DNS snooping.  Not ignoring you.
 
Hir0 (Author) commented:
Verified SPF on MXtoolbox, hopefully this works for the interim.  Thanks all!