Solved

How to test SPF - From Field

Posted on 2013-05-21
10
449 Views
Last Modified: 2013-06-01
Hi All,

We have added SPF TXT and its been validated successfully. However, how do we test if it accepts the sender's domain?

We tried testing by going into Outlook and enter our client's email address in the From field, but it returns we do not have permission to send.

Any ideas?
0
Comment
Question by:goraek
10 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39187721
SPF supports "softfail", which usually results in a warning but no spam score on filters.

For testing, you'll need a recipient account that has SPF filtering, Gmail is one such thing.
So if you send an email to your gmail address, and check the full headers of that email, you'll see something like:
Received-SPF: pass (google.com: domain of SEMA-CR-3-3UP7Q5G@bounce.oracle-mail.com designates 141.146.5.61 as permitted sender) client-ip=141.146.5.61;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of SEMA-CR-3-3UP7Q5G@bounce.oracle-mail.com designates 141.146.5.61 as permitted sender) smtp.mail=SEMA-CR-3-3UP7Q5G@bounce.oracle-mail.com

Open in new window

The above example shows an email from oracle to gmail; it shows that the SPF record checks out fine.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 39187884
You can also use online tools to test your SPF records. I use

http://mxtoolbox.com/SuperTool.aspx

It has worked well for me in the past
0
 
LVL 77

Expert Comment

by:arnold
ID: 39188627
What is it you are trying to test.  The test is to use an unauthorized mail server to send the message through.
i.e. within SPF record you have an A, MX, PTR records that represent the servers/domains from which a mailing from a sender on this domain is authorized.

Now when you send a test message using a sender of that domain through a different server. The receiving mail server:
First, must have SPF validation functionality enabled
Second, this server's configuration of SPF handling whether it is strict and relies on the SPF record for the sender's domain or whether it merely uses that information as input to "spam" consideration, you would only know when the message is bounced.
0
 
LVL 2

Author Comment

by:goraek
ID: 39189528
We have added the SPF TXT and it validates it ok. However for us to know if it's working, we need to test. This is an example what we have added into the DNS TXT record:

"v=spf1 a mx ip4:<our WAN IP> ip4:<out 2nd WAN IP> include:company1.com.au include:company2.com redirect=spf.company3.net.au ~all"

When we did a test from our WAN IPs, it works successfully, but how do we test with others as they do not have an IP for us to use.

Any ideas?
0
 
LVL 77

Expert Comment

by:arnold
ID: 39189773
SPF is not an absolute.

You can use any external/remote IP and send an email directly to your server I.e. user@yourdomain to user@yourdomain

I think you might be user the wrong impression on what SPF can do.
0
Are end users causing IT problems again?

You’ve taken the time to design and update all your end user’s email signatures, only to find out they’re messing up the HTML, changing the font and ruining the imagery. What can you do to prevent this? Find out how you can save your signatures from end users today.

 
LVL 2

Author Comment

by:goraek
ID: 39189883
SPF authorises the sender's mail server.
We have added our IPs and others as well.
If anyone is trying to send an email on behalf of our domain and its not in the SPF record, this will fail.

Anyway, I've got it going and its appearing to be operational.
We've tested from others (not authorised) and its failing, other-hand for authorised its working.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 39192927
Do you have numerous outgoing mail servers?  I'm asking because this is a fairly colossal SPF record:
"v=spf1 a mx ip4:<our WAN IP> ip4:<out 2nd WAN IP> include:company1.com.au include:company2.com redirect=spf.company3.net.au ~all"
At the very least, it could probably be made significantly more efficient.
0
 
LVL 2

Author Comment

by:goraek
ID: 39196701
We've got one mail server - however because we have 2 internet links, we want to add all into our SPF in case one of them fails to work, hence the 2 WAN IPS we added.

Its working for us, and no problems whatsoever.
0
 
LVL 2

Accepted Solution

by:
goraek earned 0 total points
ID: 39199952
We've used kitterman, its all good now. Just had to confirm how to use it.
0
 
LVL 2

Author Closing Comment

by:goraek
ID: 39212599
Researched myself
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now