Solved

Adding proper SPF Records for our Domains

Posted on 2013-01-25
Last Modified: 2013-01-28
Our organization uses Office 365 for our primary domain Email addresses. Let's call this domain ourdomain.com.

However, due to the daily outbound message limit imposed by 365, we've set up an in-house Exchange 2003 server to handle our statement emails to our customers. These Emails are sent from ourdomain.net Email addresses.

But we notice some Email messages (sent from in-house ourdomain.net addresses) are bouncing back because of an invalid SPF record and a reverse DNS mismatch.

Reverse DNS for the IP belonging to ourdomain.net currently still returns mail.ourdomain.com.
This is because prior to switching over to 365, we were using our in-house Exchange server for mail services for our primary domain ourdomain.com.

I know I can call our ISP and have this updated and I'm pretty sure that this won't affect 365.
But my main concern, or question, is what the SPF records should read for both the ourdomain.com and ourdomain.net domains to ensure that:

Our In-house Exchange server can send Emails using ourdomain.com and ourdomain.net Email addresses without being flagged
Emails sent to and from ourdomain.com (365) are not affected in any way

Can you help me with some recommendation?
Thanks!
Question by:ITDeptAtPCS
5 Comments
 
LVL 16

Expert Comment

by:choward16980
ID: 38820253
May not be much help, but here's a tutorial for setting up SPF records.  Also, make sure SMTP banner matches your reverse record.
 
LVL 41

Accepted Solution

by:footech
footech earned 1000 total points
ID: 38820632
For your in-house Exchange, for whatever IP those emails appear to be coming from, set up an A record which points to that IP.  The name of the record isn't too important, you could use one from either the "ourdomain.net" or the "ourdomain.com" domain, but it'll be a bit simpler to use one in "ourdomain.net".  Then have the ISP create the PTR record for that IP which points at the same FQDN that you used for the A record.  For inbound email, you have to create an MX record for the "ourdomain.net" domain, which will point at the same name that you used for the previously mentioned A record.

I don't know if I've seen anyone block email from a domain that doesn't have an SPF record, but a wrongly configured SPF record is another story.  Do you already have one set up for either domain?
For "ourdomain.com" - from what I've seen the proper SPF record if sending all email from O365 is
v=spf1 include:outlook.com -all


You can modify this to include the info for your in-house Exchange
v=spf1 include:ourdomain.net include:outlook.com -all


or if you didn't want it to rely on the SPF that you have set up for "ourdomain.net", you could define the additional IP you're sending from manually like
v=spf1 ip4:234.234.234.789 include:outlook.com -all



The SPF for "ourdomain.net" could be something like
v=spf1 a:<FQDN> -all

An example, if the IP you're sending from has an A record called "mail.ourdomain.net" that points to it, would be:
v=spf1 a:mail.ourdomain.net -all



If you wanted, instead of "-all" you could use "~all" or even "?all" in the records so that if there's a mistake it wouldn't fail the mail.
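The record forms footech lists above (ip4, include and a mechanisms with the -all or ~all qualifier), together with the +mx form DrDave242 suggests further down the thread, can be checked offline with a small evaluator. This is an added example, not code from the thread or from any SPF library: the zone data, hostnames and addresses are constructed (documentation ranges only), and the outlook.com entry is a hypothetical stand-in rather than Microsoft's published record. It also shows why a typographic dash pasted in place of "-" is fatal: a receiver treats the unknown term as a permanent error for the whole record.

```python
import ipaddress

# Constructed, offline stand-in for DNS so the example runs without network
# access.  Every name and address here is illustrative: 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, and the "outlook.com" entry is a
# hypothetical placeholder, not Microsoft's real SPF data.
ZONE = {
    "ourdomain.com": {
        "TXT": ["v=spf1 ip4:198.51.100.25 include:outlook.com -all"],
    },
    "ourdomain.net": {
        "TXT": ["v=spf1 a:mail.ourdomain.net ~all"],
        "MX": ["mail.ourdomain.net"],
    },
    "mail.ourdomain.net": {"A": ["198.51.100.25"]},
    "outlook.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed zone."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def evaluate(ip, domain, record, depth=0):
    """Evaluate one SPF record for a sending IP.

    Supports the mechanisms used in this thread (ip4, a, mx, include, all)
    with the four qualifiers.  CIDR suffixes on a/mx and the macro language
    are deliberately left out.  Unknown terms give permerror, as a real
    receiver would (RFC 7208 section 4.6.1), so a typographic dash pasted
    in place of "-" breaks the whole record.
    """
    if depth > 10:                      # crude stand-in for the RFC lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(host, "A")
                          for host in lookup(arg or domain, "MX"))
        elif name == "include":
            sub = check_spf(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"      # include of a domain without a usable record
            matched = sub == "pass"
        else:
            return "permerror"          # unknown mechanism (e.g. an en dash before "all")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no "all" term at the end


def check_spf(ip, domain, depth=0):
    """Find the domain's SPF record and evaluate it; "none" if there is none."""
    records = [t for t in lookup(domain, "TXT")
               if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # more than one SPF record is itself an error
    return evaluate(ip, domain, records[0], depth)


if __name__ == "__main__":
    for ip, domain in [("198.51.100.25", "ourdomain.com"),
                       ("203.0.113.7", "ourdomain.com"),
                       ("192.0.2.9", "ourdomain.com"),
                       ("192.0.2.9", "ourdomain.net")]:
        print(f"{ip:>15} sending as {domain}: {check_spf(ip, domain)}")
```

Swap the TXT strings in ZONE for the records you intend to publish and run your own server's address through check_spf before changing DNS; the evaluate function can also be handed a candidate record directly, which is the quickest way to see that "v=spf1 +mx -all" passes only the hosts named in the domain's MX records.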
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 1000 total points
ID: 38820761
The reverse DNS part is pretty simple: just make sure the PTR records and their equivalent host records match up.  So, if the host record for mail.ourdomain.com points to w.x.y.z, make sure the PTR record for w.x.y.z points to mail.ourdomain.com.  Then do the same for mail.ourdomain.net.  And you're right, the ISP is almost always the one who changes the PTR record.

SPF is a little more complex, but it's not that bad.  The purpose of SPF is to list the servers that are authorized to send mail from a particular domain.  Since you've got two e-mail domains (ourdomain.com and ourdomain.net), you'll need two SPF records, one for each domain.

The record for ourdomain.net will be pretty simple if your Exchange server is the only one sending mail from that domain.  There are several ways to configure the record to refer to your server, but if your domain has an MX record that refers to that server (i.e., if the server is used for inbound and outbound mail), your SPF record can look like this:

v=spf1 +mx -all


This means that only the servers specified in your domain's MX records are authorized to send mail.  Mail from your domain that gets sent by any other server will fail an SPF check.  (You can use ~all instead of -all if you want it to "softfail" instead of fail outright.  What actually happens to messages that fail or softfail is up to the receiving server.)

The record for ourdomain.com is probably already configured, since you don't seem to be having trouble with messages sent from that domain, but you may need to add a mechanism to specify your Exchange server if you're going to use it and Office 365 to send mail from that domain.  The simplest way will probably be to refer to its public IPv4 address with the +ip4:<address> mechanism.

This is a good overview of SPF record syntax and how the various mechanisms work, if you're interested.

Also note that there are wizards on the Internet that will assist you in configuring an SPF record.  They will get the job done, but the records they generate are typically a lot more complex than they need to be.
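The PTR/A matching DrDave242 describes, plus the banner-must-match-PTR point from choward16980's comment, amount to a forward-confirmed reverse DNS check. The following is an added example, not code from the thread: the DNS data is constructed to mirror the asker's situation (the Exchange server's IP still carries a PTR for mail.ourdomain.com while the server announces itself as mail.ourdomain.net), and the hostnames and addresses are illustrative.

```python
import ipaddress

# Constructed DNS data standing in for real lookups.  Addresses come from the
# 198.51.100.0/24 documentation range.  The situation mirrors the question:
# the PTR for the Exchange server's IP still names the old mail.ourdomain.com
# host while the server now sends as ourdomain.net.
FORWARD = {                       # A records: hostname -> IPv4 addresses
    "mail.ourdomain.com": ["198.51.100.25"],
    "mail.ourdomain.net": ["198.51.100.25"],
}
REVERSE = {                       # PTR records: IP -> hostnames
    "198.51.100.25": ["mail.ourdomain.com"],
    "198.51.100.26": ["smtp.ourdomain.net"],   # PTR with no A record pointing back
}


def reverse_name(ip):
    """The in-addr.arpa owner name the ISP has to create the PTR under."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, helo_name=None):
    """Forward-confirmed reverse DNS check for a sending IP.

    Returns a dict with the PTR names, which of them have an A record that
    points back at the IP, whether the SMTP banner/HELO name equals one of
    the PTR names (None when no name is given), an overall verdict, and
    plain-language findings describing what needs to change.
    """
    ptrs = REVERSE.get(ip, [])
    confirmed = [name for name in ptrs if ip in FORWARD.get(name, [])]
    findings = []
    if not ptrs:
        findings.append(f"no PTR record under {reverse_name(ip)}; ask the ISP to create one")
    for name in ptrs:
        if name not in confirmed:
            findings.append(f"PTR names {name} but {name} has no A record for {ip}")
    helo_ok = None
    if helo_name is not None:
        helo_ok = helo_name.lower() in [p.lower() for p in ptrs]
        if not helo_ok:
            findings.append(f"SMTP banner name {helo_name} does not match PTR {ptrs or 'none'}")
    return {
        "ptr": ptrs,
        "confirmed": confirmed,
        "helo_matches_ptr": helo_ok,
        "ok": bool(confirmed) and helo_ok is not False,
        "findings": findings,
    }


if __name__ == "__main__":
    for ip, helo in [("198.51.100.25", "mail.ourdomain.net"),
                     ("198.51.100.25", "mail.ourdomain.com"),
                     ("198.51.100.26", "smtp.ourdomain.net"),
                     ("198.51.100.99", None)]:
        result = fcrdns(ip, helo)
        print(ip, helo, "OK" if result["ok"] else "PROBLEM", *result["findings"], sep="\n  ")
```

The first case is the asker's: the PTR and A records are consistent with each other, so reverse DNS alone is fine, but the banner name the Exchange server presents does not match the PTR, which is exactly the mismatch that makes some receivers bounce. Either have the ISP repoint the PTR at mail.ourdomain.net (and keep the A record for it) or have the server present mail.ourdomain.com; the check passes as soon as all three agree.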
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 38825033
The Microsoft SPF generator seems ok, it came up with the same thing I did manually.  http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
 
LVL 1

Author Closing Comment

by:ITDeptAtPCS
ID: 38827892
Thanks guys! Footech and DrDave provided the detailed and specific answers I was hoping to get.