Solved

How to test SPF - From Field

Posted on 2013-05-21
10
448 Views
Last Modified: 2013-06-01
Hi All,

We have added SPF TXT and its been validated successfully. However, how do we test if it accepts the sender's domain?

We tried testing by going into Outlook and enter our client's email address in the From field, but it returns we do not have permission to send.

Any ideas?
0
Comment
Question by:goraek
10 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39187721
SPF supports "softfail", which usually results in a warning but no spam score on filters.

For testing, you'll need a recipient account that has SPF filtering, Gmail is one such thing.
So if you send an email to your gmail address, and check the full headers of that email, you'll see something like:
Received-SPF: pass (google.com: domain of SEMA-CR-3-3UP7Q5G@bounce.oracle-mail.com designates 141.146.5.61 as permitted sender) client-ip=141.146.5.61;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of SEMA-CR-3-3UP7Q5G@bounce.oracle-mail.com designates 141.146.5.61 as permitted sender) smtp.mail=SEMA-CR-3-3UP7Q5G@bounce.oracle-mail.com

Open in new window

The above example shows an email from oracle to gmail; it shows that the SPF record checks out fine.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 39187884
You can also use online tools to test your SPF records. I use

http://mxtoolbox.com/SuperTool.aspx

It has worked well for me in the past
0
 
LVL 76

Expert Comment

by:arnold
ID: 39188627
What is it you are trying to test.  The test is to use an unauthorized mail server to send the message through.
i.e. within SPF record you have an A, MX, PTR records that represent the servers/domains from which a mailing from a sender on this domain is authorized.

Now when you send a test message using a sender of that domain through a different server. The receiving mail server:
First, must have SPF validation functionality enabled
Second, this server's configuration of SPF handling whether it is strict and relies on the SPF record for the sender's domain or whether it merely uses that information as input to "spam" consideration, you would only know when the message is bounced.
0
 
LVL 2

Author Comment

by:goraek
ID: 39189528
We have added the SPF TXT and it validates it ok. However for us to know if it's working, we need to test. This is an example what we have added into the DNS TXT record:

"v=spf1 a mx ip4:<our WAN IP> ip4:<out 2nd WAN IP> include:company1.com.au include:company2.com redirect=spf.company3.net.au ~all"

When we did a test from our WAN IPs, it works successfully, but how do we test with others as they do not have an IP for us to use.

Any ideas?
0
 
LVL 76

Expert Comment

by:arnold
ID: 39189773
SPF is not an absolute.

You can use any external/remote IP and send an email directly to your server I.e. user@yourdomain to user@yourdomain

I think you might be user the wrong impression on what SPF can do.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 2

Author Comment

by:goraek
ID: 39189883
SPF authorises the sender's mail server.
We have added our IPs and others as well.
If anyone is trying to send an email on behalf of our domain and its not in the SPF record, this will fail.

Anyway, I've got it going and its appearing to be operational.
We've tested from others (not authorised) and its failing, other-hand for authorised its working.
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 39192927
Do you have numerous outgoing mail servers?  I'm asking because this is a fairly colossal SPF record:
"v=spf1 a mx ip4:<our WAN IP> ip4:<out 2nd WAN IP> include:company1.com.au include:company2.com redirect=spf.company3.net.au ~all"
At the very least, it could probably be made significantly more efficient.
0
 
LVL 2

Author Comment

by:goraek
ID: 39196701
We've got one mail server - however because we have 2 internet links, we want to add all into our SPF in case one of them fails to work, hence the 2 WAN IPS we added.

Its working for us, and no problems whatsoever.
0
 
LVL 2

Accepted Solution

by:
goraek earned 0 total points
ID: 39199952
We've used kitterman, its all good now. Just had to confirm how to use it.
0
 
LVL 2

Author Closing Comment

by:goraek
ID: 39212599
Researched myself
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now