Solved

exchange 123reg spf query

Posted on 2014-03-20
Last Modified: 2014-11-12
Hi, I currently have a Win 2003 domain local network and have Exchange 2003 locally also.

Note: I will eventually be upgrading to Win 2008, but as I am more familiar with the above, this is why I just wish to get this last task done.

I have in the past configured my local Exchange 2003 server and have sent an email outbound via my XP Office 2003/Outlook successfully and received a response back
to my XP Outlook 2003 account successfully. This was done by adding DNS records in my 123reg DNS, but after 1 or 2 emails the emails got caught in the RBL list... but in order to test, as I only wanted to send 1 or 2 emails outbound/inbound, this was fine! I was told that if it got caught in the RBL list I should leave it 24-48 hrs before I attempt to send 1 or 2 more emails, and that way it gives me peace of mind that my configurations are correct while training. This was a couple of years ago.

I have now returned and wish to repeat the same process, and am now advised that I should do exactly what I did before, but within my 123reg DNS I should also complete the wizard for SPF records. I am not sure what I should add in there and was hoping someone may have that specific practical knowledge to advise, as if I make a mistake it will get caught in the RBL list and I will have to wait at least 24-48 hrs to then try and send 1 or 2 emails only, so I wish to get at least my 123reg DNS/SPF records exactly right:

I have attached a screen shot of the wizard
123REG-SPF-record-wizard.docx
Question by:mikey250
15 Comments
 
Accepted Solution
by: Squinky
ID: 39942254
v=spf1 mx ptr ip4:82.35.157.168 mx:mail.msexchange.co.uk +all


That's not a good SPF. There's a bit of confusion between mfexchange.co.uk and msexchange.co.uk - both seem to use msexchange.co.uk for MX records, but at 'mail' and 'mailserver' hostnames. Here's an improvement:
v=spf1 ip4:82.35.157.168 mx ~all


ip4s require no lookups so are fastest to resolve, so they should go first. mail.msexchange.co.uk is already in your MX records, so no need to add it explicitly. You most probably don't need 'ptr' (mail servers should resolve both ways). The ~all default is safe - it won't return any failures, but it will give softfails, which is more useful than giving everything a pass. Ideally you want to aim for -all.

SPF failures should not get you in an RBL, they will just result in bounces, but only if they actually fail - the record in your doc will never fail because it ends in +all, so it's entirely useless as an anti-forgery measure. If you are ending up in an RBL, it's not because of your SPF, it's more likely to be because you're on 123.

One extra bit of advice: ditch 123reg as quickly as you can. In my experience they are a bunch of clueless, incompetent bottom-feeders. I recommend gandi.net for all things DNS, but pretty much anyone will be an improvement over 123.

When posting pics, can you just attach the pics directly, not in a Word file? Reduces reading hassle...

Author Comment
by: mikey250
ID: 39942277
hi it is: msexchange.co.uk - apologies.

123reg - yes I agree "bunch of clueless, incompetent bottom feeders"

Just for the time being, will adding the below work?

v=spf1 ip4: 82.35.157.168 mx - all

or

v=spf1 ip4: 82.35.157.168 mx ~ all

Assisted Solution
by: Squinky
ID: 39942300
If it is msexchange, then the mx clause will need adding in because your DNS only has mailserver.msexchange.co.uk listed as an mx, and if you really do also have mail handled by mail.msexchange.co.uk, then add it back in.

If you're not 100% sure of your mail sources, use ~all, not -all (and watch out for the extra spaces you added).

So try this:

v=spf1 ip4:82.35.157.168 mx:mail.msexchange.co.uk mx ~all

I put the additional mx before the plain mx since it requires one less lookup for a receiver.

Author Comment
by: mikey250
ID: 39942312
Hi, just to confirm:

Note: I do not use any mail services with 123reg, as I have my own local Exchange 2003 server at home and use 123reg to allow inbound/outbound of my email, so that anyone on the world wide web can send/receive also, which is what I require - or even Yahoo or Gmail for example, or companies.

My local domain is: itsolutions.local - my 123reg DNS points to my firewall's external NIC card. The reason I ask is so you realise my local domain and external domain are different.

Otherwise, in the past I was told to do the following or something similar:

itsolutions.local
itsolutions.co.uk

Assisted Solution
by: Squinky
ID: 39942411
The main thing with SPF is to think about it from the receiver's point of view - they get a connection from some IP address and a MAIL FROM SMTP command. At this point they can look up your SPF from the source address and compare the inbound IP with what your SPF allows. If it's a match, great, otherwise it depends on your default action policy set with the 'all' clause.

Your .local domain is invisible to the outside world, and you'd generally allow from that source using relay permission (not sure how you'd do that in Exchange); there's no point in looking up a private IP in SPF. Short version - only worry about your external address in your SPF.

Author Comment
by: mikey250
ID: 39942523
Hi,

"your .local domain is invisible to the outside world, and you'd generally allow from that source using relay permission."

- I have read about 'relay & connectors' but I do not understand when to use or not use them in what scenario, as I am trying to learn the basics in order to progress to properly understanding those.

"(not sure how you'd do that in Exchange)"

- I can accept that I might not be able to receive or send emails from my Yahoo or Gmail, according to previous conversation forums a year ago, if that is what you mean.


So hopefully I will be able to send an email to a friend at work and have him reply back, just like I did before, assuming that their email Exchange administrator has not blocked this feature, as he did receive email from me before and replied back, but it would only allow it once.

Yes, I realise my private IP address is hidden from the outside world; I am just letting you know my setup.

I have now added the below in my 123reg DNS:

v=spf1 ip4:82.35.157.168 mx:mail.msexchange.co.uk mx ~all

As of tomorrow I will install and configure Exchange 2003 as usual and send an email from my XP Outlook 2003 to a friend at work, in the hope that he may receive it and can reply back.

Expert Comment
by: Squinky
ID: 39942538
If you want to send from gmail, you can always add them to your SPF. After the 'mx' add this:

include:_spf.google.com

Yahoo is a bit more difficult since they don't do SPF - you need to sign with DKIM instead which is a lot more complicated.

Author Comment
by: mikey250
ID: 39942556
Regarding my last comments:

Because my previous email sent from my XP Outlook 2003 to my friend at work only got a reply back once before it got stopped by this RBL list, I do not properly understand what this SPF does, although yes, I have read about it.

OK, so for Google something like the below, as I have never ever done this before:


v=spf1 ip4:82.35.157.168 mx:_spf.google.com mx ~all

or

v=_spf.google.com

I have never heard of DKIM.

Assisted Solution
by: Squinky
ID: 39942628
No, like this:

v=spf1 ip4:82.35.157.168 mx:mail.msexchange.co.uk mx include:_spf.google.com ~all

I really doubt RBL listing is anything to do with SPF. Do you have more details of this?

SPF is an anti-forgery system that restricts the sources of email for a domain. DKIM is a cryptographic signature system that guarantees that a message a) was sent from you and b) has not been tampered with in transit. DKIM and SPF together are a fairly effective anti-forgery system. There is also DMARC, which defines a notification mechanism so that you can be notified when failures occur.
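The receiver-side evaluation Squinky describes above (take the connecting IP and the MAIL FROM domain, fetch the domain's record, walk the mechanisms left to right, fall back to the 'all' default), the include: mechanism, and the stray-space problem with the records proposed earlier in the thread, shown as one added example that is not from the original thread. DNS is replaced by a constructed in-memory table: the names plusall.example, typo.example and loop.example, the 203.0.113.0/24 range standing in for Google's real include, and all A/MX answers are assumptions made for the example. Only the mechanisms used in this thread (ip4, mx, include, all) are implemented; the 'ptr' from the original docx record is left out.

```python
import ipaddress
import re

# Constructed stand-in for DNS (assumption, not real records). 'txt' holds each
# domain's SPF record, 'mx' a domain's MX hostnames, 'a' a hostname's A records.
DNS = {
    "txt": {
        # the record Squinky ends up recommending in this thread
        "msexchange.co.uk": "v=spf1 ip4:82.35.157.168 mx:mail.msexchange.co.uk mx "
                            "include:_spf.google.com ~all",
        # stand-in for Google's real include (constructed range, not theirs)
        "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
        # the docx record minus 'ptr': +all passes every sender, so it proves nothing
        "plusall.example": "v=spf1 mx ip4:82.35.157.168 +all",
        # the record with stray spaces proposed later in the thread
        "typo.example": "v=spf1 ip4: 82.35.157.168 mx ~ all",
        # a record that includes itself: trips the DNS-lookup limit
        "loop.example": "v=spf1 include:loop.example ~all",
    },
    "mx": {
        "msexchange.co.uk": ["mailserver.msexchange.co.uk"],
        "mail.msexchange.co.uk": ["mail.msexchange.co.uk"],
    },
    "a": {
        "mailserver.msexchange.co.uk": ["82.35.157.168"],
        "mail.msexchange.co.uk": ["82.35.157.168"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([+\-~?]?)(all|ip4|mx|include)(?::(\S+))?$")
MAX_DNS_MECHANISMS = 10  # RFC 7208 4.6.4: mx/include/a/ptr/exists/redirect share this budget


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) tuples.
    Raises ValueError for syntax a receiver would turn into 'permerror'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term.lower())
        if not m:
            # catches 'ip4:' split from its address, a bare '~', or a bare IP
            raise ValueError(f"unknown term {term!r} (stray space?)")
        qual, mech, arg = m.groups()
        if mech in ("ip4", "include") and arg is None:
            raise ValueError(f"{mech} needs an argument")
        if mech == "all" and arg is not None:
            raise ValueError("all takes no argument")
        if mech == "ip4" and ipaddress.ip_network(arg, strict=False).version != 4:
            raise ValueError(f"ip4 argument {arg!r} is not an IPv4 range")
        parsed.append((qual or "+", mech, arg))
    return parsed


def spf_syntax_error(record):
    """Return the problem a receiver would reject the record for, or None if it parses."""
    try:
        parse_spf(record)
    except ValueError as err:
        return str(err)
    return None


def check_host(ip, domain, dns=DNS, _budget=None):
    """SPF result for a connection from `ip` whose MAIL FROM is <anything@domain>."""
    budget = _budget if _budget is not None else [MAX_DNS_MECHANISMS]
    ip = ipaddress.ip_address(ip)
    record = dns["txt"].get(domain.lower())
    if record is None:
        return "none"
    try:
        terms = parse_spf(record)
    except ValueError:
        return "permerror"
    for qual, mech, arg in terms:
        if mech in ("mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False for an IPv6 sender
        elif mech == "mx":
            hosts = dns["mx"].get(arg or domain.lower(), [])
            matched = any(str(ip) in dns["a"].get(h, []) for h in hosts)
        else:
            # include: only a 'pass' of the referenced record counts as a match;
            # the included record's own 'all' clause does not leak into this result
            sub = check_host(str(ip), arg, dns, budget)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and there was no 'all' (RFC 7208 4.7)


if __name__ == "__main__":
    for sender in ("82.35.157.168", "198.51.100.7", "203.0.113.9"):
        print(sender, "->", check_host(sender, "msexchange.co.uk"))
    print("+all record, unrelated sender ->", check_host("198.51.100.7", "plusall.example"))
    print("typo record ->", spf_syntax_error(DNS["txt"]["typo.example"]))
```

Two things the run shows that the thread only states in prose: the +all record returns "pass" for an address that appears nowhere in it, and the record with "ip4: 82.35.157.168" is rejected outright, so the receiver gets permerror rather than the softfail the author intended.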

Author Comment
by: mikey250
ID: 39942802
Hi, I was just told that, as I currently have residential internet access and my ISP does not have any rDNS entry for me, my emails will eventually end up in the RBL list, but yes, I may be able to send 1 or 2 emails, but would have to wait 24-48 hrs before sending another email to confirm my configurations are OK.

Then once I knew what I was doing I could locate an ISP that allows me to send/receive emails externally with no hassles.

Note: originally I was advised that setting up 123reg DNS pointing to my xxx.local network was a way to do this, albeit not the ideal way... and then later 123reg stated that I would also need to add an SPF record, on which you have provided some education.

...but when I was successful in sending/receiving an email to a friend at his workplace, but only 1 or 2 and no more, I was just told that the reason was probably my friend's company Exchange server being configured to stop domains not allowed.

I have never heard of DKIM and SPF working together.

Assisted Solution
by: Squinky
ID: 39942946
Ah, in that case it's probably an RBL like this one. rdns probably won't help much, you're just stuck with being in their IP blocks, and SPF probably won't help at all. You will usually be allowed outbound SMTP using TLS on port 587, and that works nicely with services like gmail (or even your ISP's mail server) directly from client apps. You might be able to set up your ISP's mail server as a relay, but it also rather defeats the point of running your own mail server.

Author Comment
by: mikey250
ID: 39942985
I just wanted to send 1 or 2 emails like before, just to confirm my configurations are correct.

And then understand more about Exchange on a day-to-day basis, i.e. the maintenance side of things when users do not receive their emails or whatever.

That's it. So I am hoping tomorrow, when I install Exchange 2003 like before (as I have already configured the firewall for inbound/outbound connectivity), that my email sent from XP Outlook 2003 will work and I will be able to get a reply back before the RBL starts, then leave it for 24-48 hrs and then try again just to confirm. That's my plan, like before, but at that time I did not know what I know now, as I attempted to send a 3rd and 4th email and more but they were stuck in my Exchange server.

I've never used port 587, so I am not sure if that port also works.

Assisted Solution
by: Squinky
ID: 39943093
I would expect the RBL to be active all the time, so I don't think you're likely to have much luck. It's set up that way because you're expected to use your ISP's mail server for outbound mail - direct sending from dynamic IPs is exactly what zombie botnets live on, which is why they are usually blocked this way, and you may find your ISP has firewall egress rules to interfere with it too, so you can be blocked from sending, and also blocked at the receiving end too.

SMTP on port 587 is defined in RFC 4409/6409 and is used for submitting new messages to a mail server from outlook etc, but you may be able to get away with using it to connect to a relay from your mail server too.

If you just want to play with an exchange server for practice, you should perhaps look at using something like AWS, which has support for exchange, and it's even possible to use your own license: http://aws.amazon.com/windows/exchange/
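The two checks a receiving MTA typically runs against a residential sender before SPF is ever consulted, which is why the two replies above say rDNS and SPF will not get a dynamic address out of the RBL: a DNS blocklist (DNSBL) query and a forward-confirmed reverse DNS (FCrDNS) check. This is an added example, not code from the original thread. Both checks are plain DNS lookups, so the resolver is a constructed in-memory table and the example runs offline; the zone dnsbl.example, the host mx1.hosting.example, the 198.51.100.25 address and every answer in the table are assumptions, and only 82.35.157.168 comes from the thread.

```python
import ipaddress

# Constructed resolver data (assumption): A records, PTR records, and what the
# blocklist zone answers for a listed address. 82.35.157.168 has no PTR at all,
# matching the situation described in the thread; 198.51.100.25 is a proper MX.
RESOLVER = {
    "a": {
        "mailserver.msexchange.co.uk": ["82.35.157.168"],
        "mx1.hosting.example": ["198.51.100.25"],
        # DNSBL answer for 82.35.157.168: listed under the dynamic-address policy code
        "168.157.35.82.dnsbl.example": ["127.0.0.11"],
    },
    "ptr": {
        "198.51.100.25": "mx1.hosting.example",
    },
}

# DNSBLs answer with an address in 127.0.0.0/8 whose last octet identifies the
# sub-list. This table is for the constructed zone; real lists publish their own.
DNSBL_ZONE = "dnsbl.example"
DNSBL_CODES = {
    "127.0.0.2": "known spam source",
    "127.0.0.10": "policy block: ISP states this range should not send mail directly",
    "127.0.0.11": "policy block: dynamic/residential address space",
}


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the query name: octets reversed, zone appended.
    82.35.157.168 -> 168.157.35.82.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, resolver=RESOLVER, zone=DNSBL_ZONE):
    """Return the reasons the IP is listed; an empty list means not listed (NXDOMAIN)."""
    answers = resolver["a"].get(dnsbl_name(ip, zone), [])
    return [DNSBL_CODES.get(code, f"listed with unknown code {code}") for code in answers]


def fcrdns(ip, resolver=RESOLVER):
    """Forward-confirmed reverse DNS: a PTR must exist and its A record must point back."""
    host = resolver["ptr"].get(ip)
    if host is None:
        return None, "no PTR record"
    if ip not in resolver["a"].get(host, []):
        return host, "PTR hostname does not resolve back to the IP"
    return host, "ok"


def assess_sender(ip, resolver=RESOLVER):
    """What the receiving MTA knows about `ip` at connection time, before MAIL FROM.
    Many MTAs reject or defer on either finding, so the sender's SPF is never read."""
    host, rdns = fcrdns(ip, resolver)
    listed = dnsbl_lookup(ip, resolver)
    return {
        "ip": ip,
        "rdns_host": host,
        "rdns": rdns,
        "dnsbl": listed,
        "reaches_spf_check": rdns == "ok" and not listed,
    }


if __name__ == "__main__":
    for ip in ("82.35.157.168", "198.51.100.25"):
        print(assess_sender(ip))
```

Against a real list the query is the same name built by dnsbl_name() sent to the list's zone; an NXDOMAIN answer means "not listed", an A answer in 127.0.0.0/8 means listed, and the last octet tells you which sub-list (and whether it is one the ISP, rather than you, controls).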

Author Comment
by: mikey250
ID: 39958582
Morning Squinky,

Your comments:

"it's set up that way because you're expected to use your ISP's mail server for outbound mail"

My comments:

I always assumed using a 3rd party service such as 123reg, for example, was a way around this by configuring 123reg DNS to point to my .local domain, when having my own Exchange server?

Note: I have configured inbound/outbound SMTP via my ISA 2006 firewall, so when you say 'firewall egress rules' I assume you mean at the ISP end.

Your comments:

"SMTP on port 587 is defined in RFC 4409/6409 and is used for submitting new messages to a mail server from Outlook etc, but you may be able to get away with using it to connect to a relay from your mail server too"

Your comments:

"regarding port 587 above, you mention about connecting to a relay from your mail server too"

My comments:

I have read about 'mail relay' but did not properly understand why you suggest the above?

Author Closing Comment
by: mikey250
ID: 40061379
Although I still had issues with sending email outbound, I am going to allocate the points, as there was another inbound issue I had spotted but was not able to resolve, and that prevented me from confirming the advice above. However, the advice is good.

appreciated.