Solved

How do I add a domain to my SPF record to only allow them to send from one mailbox account?

Posted on 2014-11-11
8
203 Views
Last Modified: 2014-11-15
I have been asked by a company to configure my SPF record (presumably done through my mail host site i.e. names.co.uk) to allow their domain the ability to send-as on one of our mailboxes.  Their request appears to grant them the ability to send-as on any of our mailboxes, is this the case?  I am not sure how they can only have access to that particular e-mail address e.g. customerservice@mydomain.com.

Thanks
0
Question by:fuzzyfreak
8 Comments
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40434742
SPF has nothing to do with mailboxes.  It is a special DNS record that tells other mail servers, that are SPF aware, what servers are authorized to send emails for specific DNS domains.

Info about SPF:
1. http://www.openspf.org/Project_Overview
2. http://en.wikipedia.org/wiki/Sender_Policy_Framework

If you want to create a SPF record for a domain, you could use the following online wizards to help you create a properly formatted DNS record:

1. http://www.spfwizard.net/
2. http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
 
Dan
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40434751
You can test out your SPF record using this online tool:

http://mxtoolbox.com/spf.aspx

Dan
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40435039
Thanks Dan, so in answer to my question "Their request appears to grant them the ability to send-as on any of our mailboxes, is this the case?"
0
 
LVL 26

Accepted Solution

by:
Dan McFadden earned 400 total points
ID: 40435186
No.  SPF helps prevent spoofing and forging of emails for a given DNS domain.

It would be better to think of it as giving permission to send emails with your domain attached from their server(s).  Nothing to do with mailboxes.  SPF does not grant them access to mailboxes on your servers.  They could just create any number of email addresses they wanted... none of which would have to be related to an actual mailbox on your servers.

To quote Wikipedia:


SPF allows the owner of an Internet domain to specify which computers are authorized to send mail with sender addresses in that domain, using Domain Name System (DNS) records. Receivers verifying the SPF information in TXT records may reject messages from unauthorized sources before receiving the body of the message. Thus, the principles of operation are similar to those of DNS-based blackhole lists (DNSBL), except that SPF uses the authority delegation scheme of the Domain Name System.

What implementing SPF does is tell other mail servers that the mail servers listed in this special DNS record are allowed to be a source for emails originating from the DNS domain in question.  There is no user level authorization going on here.  This is at the server level communication... SMTP and DNS.

Someone would still need a mechanism to actually create these emails and send them through a server included in the SPF record for the domain in question.  Realize that the source server may not (most likely will not) be a server your company controls.

If you already have an SPF record in place, you will need to add this other server to your record.  You are essentially granting this third party the right to forge emails to look like they are coming from your messaging system when they are coming from a different messaging system.

SPF is not like granting someone "Send As" permission in Outlook on an Exchange Mailbox.

Dan
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 40435238
Yes, sorry Dan I get that and realise my question should have been rephrased to avoid any mention of mailboxes, however your answer has made it even more clear to me and I appreciate the comprehensive clarification.
What I really wanted to know was, could this be open to abuse? I am effectively giving this company permission to send through my DNS and look like it is coming from us. I guess it raised my sysadmin alarm bells and I wondered if I could put something in place to only allow them to send e-mails that match customerservice@mydomain.com, which, I am assuming, will not be possible.
0
 
LVL 6

Assisted Solution

by:Asif Bacchus
Asif Bacchus earned 100 total points
ID: 40436671
Dan has given you an excellent explanation of how SPF works and it's all very good reading.  To answer your question succinctly, however: no, you cannot bind an SPF entry to one mailbox/address.  SPF applies to entire domains (or subdomains) and lists allowed servers, hostnames and IP addresses for that entire domain.

Therefore, if you add your client's mailserver as a permitted sender for mydomain.com then you are saying that they are a valid sender for any address at mydomain.com regardless of the specific address/mailbox.

HTH
0
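To make the point of Dan's accepted solution and Asif's answer concrete, here is an added example (not code from the original thread or from any of the posters): a minimal SPF evaluator in Python over a constructed pair of records. It assumes a hypothetical third-party domain "thirdparty.example" and handles only the ip4/ip6/include/all mechanisms; real SPF (RFC 7208) also has a, mx, ptr, exists and redirect. It shows that the verdict depends only on the sending IP and the domain part of the sender address, so once the third party's range is included, any local part at mydomain.com passes.

```python
import ipaddress

# Constructed SPF records (not real DNS data): the asker's domain, which
# "include"s the hypothetical third party, and the third party's own record.
SPF_RECORDS = {
    "mydomain.com": "v=spf1 ip4:203.0.113.10 include:thirdparty.example -all",
    "thirdparty.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate a sending IP against a domain's SPF record.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Only ip4, ip6, include and all are implemented (an assumption for this
    example); real evaluators also resolve a, mx, ptr, exists and redirect.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-querying mechanisms at 10
        return "permerror"
    record = SPF_RECORDS.get(domain)  # a real evaluator would query DNS TXT here
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        verdict = QUALIFIERS[qualifier]
        if term == "all":
            return verdict  # "-all" is what makes unlisted senders fail
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # Membership in a network of the other IP version is simply False.
            if addr in ipaddress.ip_network(arg, strict=False):
                return verdict
        elif name == "include":
            # include: matches when the referenced domain's record yields "pass"
            if check_host(ip, arg, depth + 1) == "pass":
                return verdict
    return "neutral"  # no mechanism matched and no "all" term was present


def check_mail_from(sender, ip):
    """SPF is checked on the domain of MAIL FROM; the local part is never used."""
    domain = sender.rpartition("@")[2].lower()
    return check_host(ip, domain)
```

Running check_mail_from for "customerservice@mydomain.com" and for "ceo@mydomain.com" from an IP inside 198.51.100.0/24 returns "pass" for both, which is exactly why the record cannot be restricted to one address.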
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40436801
What I really wanted to know was, could this be open to abuse?
- theoretically yes, it could be abused.  Since this is a third party, who knows what goes on in/on their servers.  There could be any number of things that could allow something to go wrong.  Hardware issues, software issues or misconfigurations... and let's not forget the people managing those servers or the people using them.

wondered if I could put something in place to only allow them to send e-mails that match customerservice@mydomain.com
- see question 4 below.

My questions are:
1. why was this requested?
2. for what purpose will it be utilized?
3. is this an IT use or a Business use case?
4. could you give them an account on your mail server and grant them secure access to it? (think Exchange and OWA)
4a. would this solve the use case?

Dan
0
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 40444747
Excellent and comprehensive answers to my questions.
0
