Solved

SPF record creation

Posted on 2014-04-30
9
1,298 Views
Last Modified: 2014-05-01
Afternoon All,
    I have server 2008 managing DNS for over 100 external facing website. I need to ensure that the SPF records are setup correct as i am getting conflicting results from MX Toolbox.

Kitterman is coming back without errors (see attached)
XMToolbox is throwing the attached error

the info from MXToolbox is as follows:
Note: Using TXT records to contain SPF information was designed as a transitional mechanism as some servers and clients did not support the new SPF record type. It is best practice to publish your SPF record via DNS as both a SPF record and and TXT record. When you do this, they MUST match exactly in accordance with RFC 4408 section 3.1.1.

I have used the text file to create the SPF record, whats the difference

im running server 2008 r2 to manage the DNS

Thanks
kitterman.png
SPF-error.png
0
Comment
Question by:ncomper
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 25

Accepted Solution

by:
Marcus Bointon earned 500 total points
ID: 40032273
There is no difference in format, just put the same data in both. That said, while SPF-type records were a recommendation in the original RFC4408, they saw little use and were thus deprecated in RFC4408bis, and removed in the newly ratified RFC7208.

In short, you don't need to use SPF type records any more, just TXT is fine. Mxtoolbox is wrong.
0
 
LVL 5

Author Comment

by:ncomper
ID: 40032381
The attached is a shot of the SPF in place, the Top v=spf is what i know as a default record created in DNS, the 2nd spf2 is my attempt to understand the information gathered earlier.

Can you please confirm the origional spf in place looks correct for me.

Thanks
spf.png
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 40032406
Don't bother with spf2 - that's SenderID and nobody is using it any more, not even Microsoft. I can't tell you if your original SPF is any good because that screen shot is largely illegible and truncated.
0
What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

 
LVL 25

Assisted Solution

by:Marcus Bointon
Marcus Bointon earned 500 total points
ID: 40032414
Incidentally I recommend dmarcian.com's SPF Surveyor for checking SPF, DKIM and DMARC.
0
 
LVL 5

Author Comment

by:ncomper
ID: 40034149
Thanks Squinky, ill review the tool. As you can imagine posting all my External IP addresses in the image would not be the best idea on a public forum. but below is a copy of the record with addresses substituted

v=spf1 ip4:204.XXX.X.XXX/27 ip4:198.XXX.XXX.XXX/27 ip4:38.XX.XX.XX/27 ip4:XXX.XXX.XXX.X/27 ip4:XX.XX.XX.X/24 include:eu._netblocks.mimecast.com include:us._netblocks.mimecast.com include:za._netblocks.mimecast.com ~all
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 40034153
That looks fine.
0
 
LVL 5

Author Comment

by:ncomper
ID: 40034201
Sorry to keep pushing on this....

On checking with the Dmarcian i receive the following:

DNS-querying mechanisms/modifiers:

"The SPF record authorizes 28 individual netblocks using 3 DNS-querying mechanisms/modifiers. The maximum number of DNS-querying mechanisms/modifiers is 10.

This record utilizes a small number of DNS-querying mechanisms/modifiers. No fixing is required. If this record is meant to be included by other records, consider reducing the number of DNS-querying mechanisms/modifiers (if possible) to keep total resource consumption low."

From the above can i report back that this should work within the boundary's of SPF records without issues?

Thanks,
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 40034554
Yes.
0
 
LVL 5

Author Closing Comment

by:ncomper
ID: 40034576
Managed to resolve
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question