Solved

N00B SBS2011 Exchange SPF

Posted on 2012-08-10
1,096 Views
Last Modified: 2012-08-10
I've recently deployed SBS2011 and we are in the process of migrating our email from Yahoo Business to our Exchange server.  Unfortunately I have to use the POP connector in Exchange because many remote users rely on Yahoo's POP/SMTP email hosting.  Our Exchange server isn't hardened up yet and I'm not comfortable opening up the web-facing OWA and remote stuff quite yet.  The problem is Yahoo doesn't have a smart host and email is getting blacklisted because reverse DNS snoops on the domain are resolving to Yahoo's servers and not ours, obviously.  I spoke with Yahoo and they told me to give them the SPF record and they would add it to DNS on their servers. Here is what I think I should give them:

 v=spf1 mx include:<my static ip address> ~all

Will this work?

My domain is hosted by Yahoo so my MX records currently point to their servers.  I'll change it once Exchange is ready to completely host mail but for now it has to stay....

HELP
Question by:Hir0
12 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38281004
SPF isn't going to help you if Reverse DNS is failing.

Reverse DNS is configured on your IP Address by your ISP and the name added as your Reverse DNS record needs to resolve back to the IP Address you are sending from.

So - for now, you can create a new A record called for example - send.yourdomain.com and then add this as your Reverse DNS record (call your ISP) and then as long as your A record in DNS points to your Public IP Address, you should pass a Reverse DNS check.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38281012
Yes it would; you'll have to add the external IP of your environment.

For example if here is your mail flow

Exchange --> A/V --> firewall

So, within SPF you'll add

v=spf1 mx include:<internet facing IP Address of firewall> ~all

that is it.

Regards,
Exchange_Geek
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38281023
If you don't have an SPF record currently - that won't be the problem.  If you do - then an SPF record isn't going to cause you problems with Reverse DNS.
0
 
LVL 3

Author Comment

by:Hir0
ID: 38281041
Thanks guys

@Exchange Geek

My users were getting the following message

att.net gave this error:
xx.xxx.xxx.xx blocked by sbc:blacklist.mailrelay.att.net. DNSRBL: Blocked for abuse. See http://att.net/blocks 

According to you I would just tell yahoo to add the following spf record?

v=spf1 mx include:xx.xxx.xxx.xx ~all


The xx.xxx.xxx.xx represents my public static IP
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 150 total points
ID: 38281055
That's because your IP Address is Blacklisted - not to do with SPF or Reverse DNS.

Why is it blacklisted?  Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org

Extract from their website (http://dnsrbl.net/):

Domain Name System Real-time Black List
DNSRBL is an anti-SPAM system. We publish, via DNS, a list of IP addresses of machines that we know to be either direct SPAM sources or Dial-up (dynamic address) pools which would never be a source of non-SPAM eMail. Some users may choose to use our lists to block or add warnings to email. Neither of these facts directly relate to us; we simply publish a list of known SPAM sites.
0
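Alan's two points above, a forward-confirmed reverse DNS name for the sending IP and checking that IP against DNS blacklists, can both be tested mechanically before go-live. The following Python is an added example, not code from this thread or from any of the sites mentioned; it runs against a constructed DNS table (fictional host send.example.net, documentation addresses 203.0.113.x, fictional zone dnsbl.example) and takes a resolver callable so a real resolver can be substituted.

```python
"""Outbound-mail hygiene checks: forward-confirmed rDNS and a DNSBL lookup.

Added example. Both checks take a resolver callable so they run offline
against the constructed table below; swap in a real resolver for live use.
"""
import ipaddress

# Constructed DNS data for illustration only: fictional names and
# RFC 5737 documentation addresses, not anyone's real records.
FAKE_DNS = {
    ("send.example.net", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["send.example.net"],
    # A listed address in the fictional DNSBL zone answers with a 127.0.0.x code.
    ("26.113.0.203.dnsbl.example", "A"): ["127.0.0.2"],
}


def fake_resolve(name, rtype):
    """Return answers for (name, rtype), or an empty list for NXDOMAIN."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def reverse_name(ip):
    """'203.0.113.25' -> '25.113.0.203.in-addr.arpa' (IPv4 only here)."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def fcrdns_ok(ip, resolve=fake_resolve):
    """Forward-confirmed rDNS: PTR(ip) gives a name whose A record contains ip.

    This is what Alan describes: an A record such as send.yourdomain.com that
    points at the public IP, plus a PTR (set by the ISP) that names that host.
    """
    names = resolve(reverse_name(ip), "PTR")
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in resolve(name, "A"):
            return True, name
    return False, "PTR name does not resolve back to %s" % ip


def dnsbl_listed(ip, zone, resolve=fake_resolve):
    """DNSBL query: reversed octets prepended to the zone name,
    e.g. 25.113.0.203.dnsbl.example. Any A answer means 'listed'."""
    qname = ".".join(reversed(ip.split("."))) + "." + zone
    answers = resolve(qname, "A")
    return (True, answers[0]) if answers else (False, None)


def check_sender(ip, zone="dnsbl.example", resolve=fake_resolve):
    """Run both checks for one sending IP and return a summary dict."""
    ok, detail = fcrdns_ok(ip, resolve)
    listed, code = dnsbl_listed(ip, zone, resolve)
    return {"ip": ip, "fcrdns": ok, "fcrdns_detail": detail,
            "listed": listed, "listing_code": code}


if __name__ == "__main__":
    for addr in ("203.0.113.25", "203.0.113.26"):
        print(check_sender(addr))
```

In the constructed data, .25 has a matching PTR/A pair and is not listed, while .26 has no PTR and is listed, which is the situation a dynamically assigned address typically ends up in.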
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38281062
Yes Hiro

Regards,
Exchange_Geek
0
 
LVL 3

Author Comment

by:Hir0
ID: 38281236
Thanks, I'll give this a go
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38281269
If you decide to carry on ignoring me I'll happily add you to my list of Askers who I don't get notifications for.  I'm not bothered either way.  I have better things to do with my time than try to help people who ignore me.
0
 
LVL 3

Author Comment

by:Hir0
ID: 38281610
OK, called Yahoo and added "v=spf1 mx include:<ip> ~all" to DNS.  I was reading http://www.openspf.org/SPF_Record_Syntax and wondering if I got the syntax correct?  

I'm a little worried after reading the Include mechanism.  Is there anything else I might need to do on my end?

The "include" mechanism
include:<domain>
The specified domain is searched for a match. If the lookup does not return a match or an error, processing proceeds to the next directive. Warning: If the domain does not have a valid SPF record, the result is a permanent error. Some mail receivers will reject based on a PermError.

Examples:

In the following example, the client IP is 1.2.3.4 and the current-domain is example.com.

"v=spf1 include:example.com -all"

If example.com has no SPF record, the result is PermError.
Suppose example.com's SPF record were "v=spf1 a -all".
Look up the A record for example.com. If it matches 1.2.3.4, return Pass.
If there is no match, other than the included domain's "-all", the include as a whole fails to match; the eventual result is still Fail from the outer directive set in this example.
Trust relationships — The "include:" mechanism is meant to cross administrative boundaries. Great care is needed to ensure that "include:" mechanisms do not place domains at risk for giving SPF Pass results to messages that result from cross user forgery. Unless technical mechanisms are in place at the specified otherdomain to prevent cross user forgery, "include:" mechanisms should give a Neutral rather than Pass result. This is done by adding "?" in front of "include:". The example above would be:

"v=spf1 ?include:example.com -all"
In hindsight, the name "include" was poorly chosen. Only the evaluated result of the referenced SPF record is used, rather than acting as if the referenced SPF record was literally included in the first. For example, evaluating a "-all" directive in the referenced record does not terminate the overall processing and does not necessarily result in an overall Fail. (Better names for this mechanism would have been "if-pass", "on-pass", etc.)
0
 
LVL 3

Author Comment

by:Hir0
ID: 38281636
@ alan
I forgot to assign my static IP to the router and the IP in question was dynamically assigned.  I assume this is why my users got that message.  I have since changed it to the static IP which resolved the issue sending to ATT but I'm still going down the rabbit hole for reverse DNS snooping.  Not ignoring you.
0
 
LVL 33

Accepted Solution

by:Exchange_Geek
Exchange_Geek earned 1350 total points
ID: 38281639
Your syntax should be v=spf1 mx ip4=ipaddress ~all

Regards,
Exchange_Geek
0
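On the syntax question: RFC 7208 writes the address mechanism as `ip4:<address-or-CIDR>` (a colon, not an equals sign), and `include:` takes a domain name whose own SPF record is then evaluated; an `include:` of a domain that has no SPF record produces PermError, which is exactly the warning in the openspf text quoted above. The following Python linter and evaluator is an added example, not code from this thread; it uses constructed records for the documentation domains example.com and example.org and documentation IP ranges, takes an injectable resolver so it runs offline, and does not model ptr, exists, redirect or macro expansion.

```python
"""Minimal SPF (RFC 7208) record linter and evaluator. Added example."""
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9_-]+\.)+[a-z]{2,}$", re.I)

# Constructed records: documentation domains and RFC 5737 address ranges.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ip4:203.0.113.25 ~all"],
    ("example.com", "MX"): ["mail.hosted.example"],
    ("mail.hosted.example", "A"): ["198.51.100.10"],
    ("example.org", "TXT"): ["v=spf1 include:_spf.provider.example -all"],
    ("_spf.provider.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("broken.example", "TXT"): ["v=spf1 include:nosuch.example -all"],
}


def fake_resolve(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def split_term(term):
    """'~include:x' -> ('~', 'include', 'x'); default qualifier is '+'."""
    qual = term[0] if term[0] in QUALIFIERS else "+"
    body = term[1:] if term[0] in QUALIFIERS else term
    mech, _, arg = body.partition(":")
    return qual, mech.lower(), arg


def lint(record):
    """Return a list of syntax problems; an empty list means the record parses."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    problems = []
    for term in terms[1:]:
        if "=" in term and ":" not in term:      # modifier syntax (name=value)
            name = term.split("=", 1)[0].lower()
            if name not in MODIFIERS:            # catches 'ip4=addr'
                problems.append(f"'{term}': mechanisms use ':' not '=' (try '{name}:...')")
            continue
        _, mech, arg = split_term(term)
        if mech not in MECHANISMS:
            problems.append(f"'{term}': unknown mechanism '{mech}'")
        elif mech in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"'{term}': '{arg}' is not an address or CIDR")
        elif mech in ("include", "exists") and not DOMAIN_RE.match(arg):
            problems.append(f"'{term}': {mech} takes a domain name, not '{arg}'")
    return problems


def evaluate(domain, client_ip, resolve=fake_resolve, depth=0):
    """Evaluate domain's SPF record for client_ip.

    Returns pass/fail/softfail/neutral/none/permerror; temperror is not modelled.
    """
    if depth > 10:                               # RFC 7208 lookup limit
        return "permerror"
    records = [r for r in resolve(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    record = records[0]
    if lint(record):
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term and ":" not in term:      # redirect=/exp= not modelled
            continue
        qual, mech, arg = split_term(term)
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = client_ip in resolve(arg or domain, "A")
        elif mech == "mx":
            matched = any(client_ip in resolve(h, "A") for h in resolve(arg or domain, "MX"))
        elif mech == "include":
            inner = evaluate(arg, client_ip, resolve, depth + 1)
            if inner in ("none", "permerror"):   # included domain lacks a valid record
                return "permerror"
            matched = inner == "pass"            # only an inner Pass matches
        if matched:
            return QUALIFIERS[qual]
    return "neutral"
```

Running `lint` on the two forms discussed in the thread, `include:<ip>` and `ip4=address`, reports a problem for each, while `v=spf1 mx ip4:203.0.113.25 ~all` lints clean and gives Pass for that address, Pass for the MX host's address, and SoftFail for anything else.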
 
LVL 3

Author Closing Comment

by:Hir0
ID: 38281908
Verified SPF on MXtoolbox, hopefully this works for the interim.  Thanks all!
0
