[Webinar] Streamline your web hosting managementRegister Today

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1136
  • Last Modified:

SPF record. Cisco Ironport. Office 365 Hybrid

Hi All

Please can someone assist me in creating a SPF record for my domain, ttaf.co.za.

I am running a hybrid environment. All email gets enters my org through my IronPort cluster however sending email is different.

On prem users route their email through my IronPorts. My O365 users send mail directly to the internet.

My MX records are and 79.

This is what i got so far using http://www.spfwizard.net/

ttaf.co.za.  IN TXT "v=spf1 mx a ip4: a:spf.protection.outlook.com include:ttafcoza.onmicrosoft.com -all"

is that correct?
  • 8
  • 5
5 Solutions
Vasil Michev (MVP)Commented:
No, something like this:

ttaf.co.za.  IN TXT "v=spf1 ip4: include:spf.protection.outlook.com -all"

Open in new window

You dont need the MX and A clauses, the include clause needs to be for spf.protection.outlook.com, and you dont need to list anythin else.
TTAF4Author Commented:
Why dont I need the MX and A clause? Sorry I'm new to this...
Vasil Michev (MVP)Commented:
Because the MX points to the same IP range, and you're not going to be sending via any other on-prem servers/IPs. You can leave them if it makes you feel safer :)
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

TTAF4Author Commented:
ok thanks man, After I add the SPF records what are the next steps?
Vasil Michev (MVP)Commented:
Next steps for what?
TTAF4Author Commented:
Thanks for all your help thus far. Much appreciated. I have added the SPF entry to my DNS records. It appears to be working but i noticed some of the checks fail along the way. See attached.

Vasil Michev (MVP)Commented:
Well your HELO string is referencing the .local domain, and your internal IP addresses. That shouldnt be a problem though, as it's generated at your local servers. The important check, performed by gmail servers, is OK.

Simply configure the IronPort to trust the local senders or disable the SPF check there.
TTAF4Author Commented:
How do I correct the HELO string?  Also how do I configure the IronPort to trust the local sender?

Sorry for so many questions. I really appreciate the help.
TTAF4Author Commented:
Now I am getting this:

From: Mail Delivery System [mailto:Mailer-Daemon@scorn.aserv.co.za]
Sent: Wed, August 24, 2016 10:05 PM
To: Agent Navz
Subject: Undeliverable: 2204

Delivery has failed to these recipients or groups:
A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:
Generating server: scorn.aserv.co.za
#< #5.0.0> #SMTP#
Original message headers:
Return-Path: <Agent.Navz@ttaf.co.za>
Received: from spe6.ucebox.co.za ([]:39014)   by
 scorn.aserv.co.za with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)    (Exim
 4.87)  (envelope-from <Agent.Navz@ttaf.co.za>)       id 1bcePi-0007e9-Vn    for
 admin@cesco.co.za; Wed, 24 Aug 2016 22:04:42 +0200
Received: from ttaf-ironport2.ttaf.co.za ([]
 helo=is-ironport-02.ttaf.co.za)      by spe6.ucebox.co.za with esmtp (Exim 4.85)
        (envelope-from <Agent.Navz@ttaf.co.za>)       id 1bcePg-0006IG-44    for
 admin@cesco.co.za; Wed, 24 Aug 2016 22:04:44 +0200
Authentication-Results: is-ironport-02.ttaf.co.za; spf=Fail smtp.mailfrom=Agent.Navz@ttaf.co.za; spf=None smtp.helo=postmaster@ttafdatvxmr1.ttaf.local
Received-SPF: Fail (is-ironport-02.ttaf.co.za: domain of
  Agent.Navz@ttaf.co.za does not designate as
  permitted sender) identity=mailfrom; client-ip=;
  x-sender="Agent.Navz@ttaf.co.za"; x-conformance=spf_only;
Received-SPF: None (is-ironport-02.ttaf.co.za: no sender
  authenticity information available from domain of
  postmaster@ttafdatvxmr1.ttaf.local) identity=helo;
  client-ip=; receiver=is-ironport-02.ttaf.co.za;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2BiBQAe/b1X/1QQCgpcgnYzAQEBAQFnD?=
X-IPAS-Result: =?us-ascii?q?A2BiBQAe/b1X/1QQCgpcgnYzAQEBAQFnDYEDhxiybYYdAiK?=
X-IronPort-AV: E=Sophos;i="5.28,572,1464645600";
Received: from unknown (HELO ttafdatvxmr1.ttaf.local) ([])  by
 is-ironport-02.ttaf.co.za with ESMTP; 24 Aug 2016 22:04:38 +0200
Received: from TTAFDBNVXMR1.ttaf.local ( by
 TTAFDATVXMR1.ttaf.local ( with Microsoft SMTP Server (TLS) id; Wed, 24 Aug 2016 22:04:38 +0200
Received: from TTAFDBNVXMR1.ttaf.local ([]) by
 TTAFDBNVXMR1.ttaf.local ([]) with mapi id 14.03.0266.001; Wed, 24
 Aug 2016 22:04:37 +0200
From: Agent Navz <Agent.Navz@ttaf.co.za>
To: "admin@cesco.co.za" <admin@cesco.co.za>
Subject: 2204
Thread-Topic: 2204
Thread-Index: AdH+QrwmoBzpFLKNTSqJfCMm4O8R2w==
Date: Wed, 24 Aug 2016 20:04:36 +0000
Message-ID: <D10A8E561117C84C8DA2FEEA1252147223ECAE3D@TTAFDBNVXMR1.ttaf.local>
Accept-Language: en-ZA, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative;
MIME-Version: 1.0
Received-SPF: pass (spe6.ucebox.co.za: domain of ttaf.co.za designates as permitted sender) client-ip=; envelope-from=Agent.Navz@ttaf.co.za; helo=is-ironport-02.ttaf.co.za;
X-SPF-Result: spe6.ucebox.co.za: domain of ttaf.co.za designates as permitted sender
X-Filter-ID: s0sct1PQhAABKnZB5plbIfTMHwIoCPwkEUxWhAsHA3yXqSIHh/mdku6BgfhnCb1xWywi3RPeT3mN
X-Report-Abuse-To: spam@spe1.ucebox.co.za
Authentication-Results: ucebox.co.za; spf=pass smtp.mailfrom=Agent.Navz@ttaf.co.za
X-Afrihost-Class: ham
X-Afrihost-Evidence: Combined (0.15)
X-Recommended-Action: accept
TTAF4Author Commented:
Should perhaps add my internal domain name to SPF record??

TTAF4Author Commented:
this is weird. the email went through even thou i got a failure  message

Vasil Michev (MVP)Commented:
No, you should not add your local address to the SPF, as ANYONE can use that value. It's exactly the opposite of what the SPF is intended for.
TTAF4Author Commented:
Thank you so much for your help.

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

  • 8
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now