Solved

Do I put an SPF record on my exchange server's DNS or with my host's DNS records?

Posted on 2014-04-11
Last Modified: 2014-04-11
I'm starting to get a lot of spoof and spam email through our ForeFront Filter. I'm pretty new as an Exchange admin but I'm all we have...my research shows that I would benefit from an SPF record and I've found a few wizards to create them.

Can someone recommend the best way to get one created properly and tell me how to install it? Does it go on my exchange server or with my host records? Maybe something I do via my ISP?

Thanks for the help!
0
Question by:Ryan Gates
17 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39995020
You add it with your host's DNS records, not locally. The world needs to query it, not your computers internally.

You can build your SPF record here:

https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

and test what would happen here:

http://www.kitterman.com/spf/validate.html

Adding your SPF record is as simple as copying / pasting the output from the Microsoft site into a TXT record in your host's DNS records.

Alan
0
 

Author Comment

by:Ryan Gates
ID: 39995046
Thanks, Alan...I'll give that a whirl and report back. I appreciate the links!

I'm brand new here after finally listening to a tech buddy of mine that has said great things about this site for years.

I'm having a big problem on my network now. I just registered this morning and posted a harder question about 3 hours ago and haven't seen a single comment yet...any chance you could look at it for me or recommend a way to get eyes on it?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995062
You are welcome. Shout if you need any more help.

I'll just take a look at your other question and if I can't help, I'll see if I can find someone who can.

BRB.

Alan
0
 

Author Comment

by:Ryan Gates
ID: 39995113
I had to take a phone call...just seeing your response....thank you, thank you, thank you! I'm going to look at my other post and see if anything's happened there. Thanks again.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995116
My pleasure.  Fingers crossed I'll get you all sorted asap.

Alan
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 39995215
Okay - I am seeing an SPF record for your domain at the moment, but it doesn't reflect your current IP Address!

What you currently have is:

v=spf1 ip4:66.96.128.0/18 ?all

Testing that on the Kitterman site returns the following:

Mail sent from this IP address: 173.xxx.xxx.202
Mail from (Sender): you@yourdomain.com
Mail checked using this SPF policy: v=spf1 ip4:66.96.128.0/18 ?all
Results - neutral access neither permitted nor denied

So basically your current SPF record is of little use.  A better one would be:

v=spf1 mx -all

This gives the following result:

Mail sent from this IP address: 173.xxx.xxx.202
Mail from (Sender): you@yourdomain.com
Mail checked using this SPF policy: v=spf1 mx -all
Results - PASS sender SPF authorized

Alan
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 39995238
Just thinking - the above SPF (v=spf1 mx -all) is fine unless you are sending emails out from another host or hosts from the 66.96.128.0/18 IP Addresses, in which case add the following SPF record:

v=spf1 mx ip4:66.96.128.0/18 -all
0
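The three records discussed above, run through a minimal SPF evaluator (an added example, not part of the thread or any poster's code). It handles only the ip4, mx and all mechanisms; the MX list and the addresses 203.0.113.202, 66.96.130.10 and 198.51.100.7 are constructed stand-ins for the domain's own server, a host in the old range and an unauthorised sender.

```python
import ipaddress

# SPF qualifier -> result (RFC 7208); "+" is implied when none is written.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, mx_ips):
    """Evaluate ip4, mx and all mechanisms left to right; first match wins.

    mx_ips replaces the DNS lookup of the domain's MX hosts so this runs
    offline. Other mechanisms (a, include, ...) are deliberately not handled.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            matched = True
        elif name.lower() == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name.lower() == "mx":
            matched = any(ip == ipaddress.ip_address(m) for m in mx_ips)
        else:
            raise ValueError(f"mechanism not handled here: {term!r}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all": default result

# Constructed sample data (not taken from the thread, except the /18 range).
MX_IPS = ["203.0.113.202"]    # the domain's own Exchange server, listed as MX
OWN_SERVER = "203.0.113.202"
OLD_HOST = "66.96.130.10"     # an address inside the old 66.96.128.0/18 range
SPOOFER = "198.51.100.7"      # unrelated host claiming to be the domain

RECORDS = [
    "v=spf1 ip4:66.96.128.0/18 ?all",
    "v=spf1 mx -all",
    "v=spf1 mx ip4:66.96.128.0/18 -all",
]

def compare():
    """Return {record: (own server, old host, spoofer)} results."""
    hosts = (OWN_SERVER, OLD_HOST, SPOOFER)
    return {r: tuple(check_spf(r, h, MX_IPS) for h in hosts) for r in RECORDS}
```

Calling `compare()` shows that under the old `?all` record the domain's own server and the unauthorised sender both come back neutral, while either `-all` record passes the MX host and fails the unauthorised one.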
 

Author Comment

by:Ryan Gates
ID: 39995243
Okay, I'm hosted by iPage and was using their mail service for a trial period and using IMAP for all my users.

The 66.96.128.0/18 addresses are from the iPage mail service which we are no longer using.

Currently, we only send from our domain with our own server....should I just copy and paste your first SPF record to my host DNS profile or should I use the link to have MS create one for me as you suggested earlier?
0

 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 39995247
Just copy / paste my v=spf1 mx -all record and you will be fine.

Alan
0
 

Author Comment

by:Ryan Gates
ID: 39995267
Thanks....and I assume that I remove the old one (v=spf1 ip4:66.96.128.0/18 ?all) , this new one is NOT in addition to it, correct?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995284
Correct - remove the current one and add the new one or overwrite the current one with the new one.
0
 

Author Comment

by:Ryan Gates
ID: 39995295
It's done....if you care to spend the time...could you please explain what that does for me? What that record means?

Is there anything more I can do on my local server, besides filtering with Forefront, that will help with the spoof and spam?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995306
Sure - it basically tells the world that the only mail servers permitted to send mail on behalf of your domain are the same as your inbound mail servers.  If anything else tries to send mail claiming to be your domain, treat it as a spammer and reject it.

SPF is a tool to help you protect your domain so that when you send emails out - the receiving end can verify you are who you say you are and it should reduce (not eliminate - not everyone checks for an SPF record) the amount of mail being sent out pretending to come from your domain (spoofed mail).

In terms of tweaking anything local - it really depends on what you currently have configured as to what you may or may not need to do to reduce spam. Personally I don't use / like Forefront, (I prefer Vamsoft ORF Fusion because it can be easily configured, it does a damn good job and it is well priced - Looking through the logs and sorting is also very easy), so I can't recommend the best practise ways to reduce mail specifically, but using some good IP Blacklists such as the Barracuda Block List would be helpful if you aren't already using an IP Address Blacklist.
0
 

Author Comment

by:Ryan Gates
ID: 39995329
Thanks....I appreciate all the help....I really, really do!

I'm using Forefront because I already had a copy of it on hand. I'm not sure how good/bad or user friendly it is compared to other products because I'm super new to the exchange environment (completely self taught) and I have no experience with any other products. I'm going to look at the product you mentioned.

I set FF up just as it comes right out of the box and subscribed to all the filters it comes with in its stock form. Is there some way to subscribe to additional filters like the Barracuda Block List, if it isn't there by default already?

Is it appropriate to be discussing this here or am I too far off on a tangent from the OP Question?

Lastly, is it recommended that I mark this "answered" and award points now that I've updated my SPF record according to your recommendation or should I wait for positive results and return in a few days to close this post?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995357
I don't know it well enough to comment as I've never used it in anger.  I have used the built-in Exchange tools for a few months, but that was not a good experience.

Technically you should stick to the topic of the question on EE otherwise the question can get very diluted and it doesn't help anyone much in the years to come when they search and find a question about one thing and it then veers off on a tangent.

My recommendation on awarding points is to only award them as and when you feel you have had the question answered and if relevant, verified that the advice you have been given is good advice.  Some 'Experts' (I use the term loosely) try to encourage you to award points for just turning up and linking you to something they googled - don't be railroaded into closing a question down by them until you are 100% happy.

Alan
0
 

Author Comment

by:Ryan Gates
ID: 39995365
Thank you for the help...I'm very happy with the solution here....I asked in my post if the SPF installs locally or with my host DNS info....you answered that and went above and beyond to help me with creating one and getting it working. Having positive results on my MX environment isn't really related so I'm going to close the post. I look forward to your help on my other current and future posts. Thanks again.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39995368
Perfect - happy to have helped.  See you in the future!!

Alan
0
