Solved

SPF record. Cisco Ironport. Office 365 Hybrid

Posted on 2016-08-23
13
110 Views
Last Modified: 2016-08-26
Hi All

Please can someone assist me in creating a SPF record for my domain, ttaf.co.za.

I am running a hybrid environment. All email enters my org through my IronPort cluster; however, sending email is different.

On prem users route their email through my IronPorts. My O365 users send mail directly to the internet.

My MX records are 196.34.160.78 and 79.

This is what I got so far using http://www.spfwizard.net/

ttaf.co.za.  IN TXT "v=spf1 mx a ip4:196.34.160.78/31 a:spf.protection.outlook.com include:ttafcoza.onmicrosoft.com -all"

Is that correct?
0
Question by:TTAF4
13 Comments
 
LVL 38

Accepted Solution

by:
Vasil Michev (MVP) earned 500 total points
No, something like this:

ttaf.co.za.  IN TXT "v=spf1 ip4:196.34.160.78/31 include:spf.protection.outlook.com -all"



You don't need the MX and A clauses, the include clause needs to be for spf.protection.outlook.com, and you don't need to list anything else.
2
 

Author Comment

by:TTAF4
Why don't I need the MX and A clause? Sorry, I'm new to this...
0
 
LVL 38

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 500 total points
Because the MX points to the same IP range, and you're not going to be sending via any other on-prem servers/IPs. You can leave them if it makes you feel safer :)
1
 

Author Comment

by:TTAF4
OK, thanks man. After I add the SPF records, what are the next steps?
0
 
LVL 38

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 500 total points
Next steps for what?
0
 

Author Comment

by:TTAF4
Thanks for all your help thus far. Much appreciated. I have added the SPF entry to my DNS records. It appears to be working but I noticed some of the checks fail along the way. See attached.

[Attachments: 2016-08-24-21_04_30-https___mail.goo.png, 2016-08-24-21_03_58-Message-Details.png]
0

 
LVL 38

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 500 total points
Well, your HELO string is referencing the .local domain, and your internal IP addresses. That shouldn't be a problem though, as it's generated at your local servers. The important check, performed by Gmail servers, is OK.

Simply configure the IronPort to trust the local senders or disable the SPF check there.
2
 

Author Comment

by:TTAF4
How do I correct the HELO string?  Also how do I configure the IronPort to trust the local sender?

Sorry for so many questions. I really appreciate the help.
0
 

Author Comment

by:TTAF4
Now I am getting this:



From: Mail Delivery System [mailto:Mailer-Daemon@scorn.aserv.co.za]
Sent: Wed, August 24, 2016 10:05 PM
To: Agent Navz
Subject: Undeliverable: 2204

Delivery has failed to these recipients or groups:
admin@cesco.co.za
A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.




Diagnostic information for administrators:
Generating server: scorn.aserv.co.za
admin@cesco.co.za
#< #5.0.0> #SMTP#
Original message headers:
Return-Path: <Agent.Navz@ttaf.co.za>
Received: from spe6.ucebox.co.za ([197.242.152.135]:39014)   by
 scorn.aserv.co.za with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)    (Exim
 4.87)  (envelope-from <Agent.Navz@ttaf.co.za>)       id 1bcePi-0007e9-Vn    for
 admin@cesco.co.za; Wed, 24 Aug 2016 22:04:42 +0200
Received: from ttaf-ironport2.ttaf.co.za ([196.34.160.66]
 helo=is-ironport-02.ttaf.co.za)      by spe6.ucebox.co.za with esmtp (Exim 4.85)
        (envelope-from <Agent.Navz@ttaf.co.za>)       id 1bcePg-0006IG-44    for
 admin@cesco.co.za; Wed, 24 Aug 2016 22:04:44 +0200
Authentication-Results: is-ironport-02.ttaf.co.za; spf=Fail smtp.mailfrom=Agent.Navz@ttaf.co.za; spf=None smtp.helo=postmaster@ttafdatvxmr1.ttaf.local
Received-SPF: Fail (is-ironport-02.ttaf.co.za: domain of
  Agent.Navz@ttaf.co.za does not designate 10.10.16.84 as
  permitted sender) identity=mailfrom; client-ip=10.10.16.84;
  receiver=is-ironport-02.ttaf.co.za;
  envelope-from="Agent.Navz@ttaf.co.za";
  x-sender="Agent.Navz@ttaf.co.za"; x-conformance=spf_only;
  x-record-type="v=spf1"
Received-SPF: None (is-ironport-02.ttaf.co.za: no sender
  authenticity information available from domain of
  postmaster@ttafdatvxmr1.ttaf.local) identity=helo;
  client-ip=10.10.16.84; receiver=is-ironport-02.ttaf.co.za;
  envelope-from="Agent.Navz@ttaf.co.za";
  x-sender="postmaster@ttafdatvxmr1.ttaf.local";
  x-conformance=spf_only
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.28,572,1464645600";
   d="scan'208,217";a="4397360"
Received: from unknown (HELO ttafdatvxmr1.ttaf.local) ([10.10.16.84])  by
 is-ironport-02.ttaf.co.za with ESMTP; 24 Aug 2016 22:04:38 +0200
Received: from TTAFDBNVXMR1.ttaf.local (10.20.16.22) by
 TTAFDATVXMR1.ttaf.local (10.10.16.84) with Microsoft SMTP Server (TLS) id
 14.3.266.1; Wed, 24 Aug 2016 22:04:38 +0200
Received: from TTAFDBNVXMR1.ttaf.local ([10.20.16.22]) by
 TTAFDBNVXMR1.ttaf.local ([10.20.16.22]) with mapi id 14.03.0266.001; Wed, 24
 Aug 2016 22:04:37 +0200
From: Agent Navz <Agent.Navz@ttaf.co.za>
To: "admin@cesco.co.za" <admin@cesco.co.za>
Subject: 2204
Thread-Topic: 2204
Thread-Index: AdH+QrwmoBzpFLKNTSqJfCMm4O8R2w==
Date: Wed, 24 Aug 2016 20:04:36 +0000
Message-ID: <D10A8E561117C84C8DA2FEEA1252147223ECAE3D@TTAFDBNVXMR1.ttaf.local>
Accept-Language: en-ZA, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.20.16.46]
Content-Type: multipart/alternative;
        boundary="_000_D10A8E561117C84C8DA2FEEA1252147223ECAE3DTTAFDBNVXMR1tta_"
MIME-Version: 1.0
Received-SPF: pass (spe6.ucebox.co.za: domain of ttaf.co.za designates 196.34.160.66 as permitted sender) client-ip=196.34.160.66; envelope-from=Agent.Navz@ttaf.co.za; helo=is-ironport-02.ttaf.co.za;
X-SPF-Result: spe6.ucebox.co.za: domain of ttaf.co.za designates 196.34.160.66 as permitted sender
X-Report-Abuse-To: spam@spe1.ucebox.co.za
Authentication-Results: ucebox.co.za; spf=pass smtp.mailfrom=Agent.Navz@ttaf.co.za
X-Afrihost-Class: ham
X-Afrihost-Evidence: Combined (0.15)
X-Recommended-Action: accept
0
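The bounce above carries SPF results from two different checkers, which is the distinction drawn in the earlier reply about the IronPort and the external receiver. The following is an added example, not part of the thread: the header lines are copied from the bounce and unfolded, the function names are this example's own, and only the `ip4:` term of the record from the accepted answer is evaluated (`include:` needs DNS and is skipped).

```python
import ipaddress
import re

# Received-SPF headers copied from the bounce above, unfolded to one line each.
HEADERS = [
    "Received-SPF: Fail (is-ironport-02.ttaf.co.za: domain of "
    "Agent.Navz@ttaf.co.za does not designate 10.10.16.84 as permitted sender) "
    "identity=mailfrom; client-ip=10.10.16.84; receiver=is-ironport-02.ttaf.co.za;",
    "Received-SPF: None (is-ironport-02.ttaf.co.za: no sender authenticity "
    "information available from domain of postmaster@ttafdatvxmr1.ttaf.local) "
    "identity=helo; client-ip=10.10.16.84; receiver=is-ironport-02.ttaf.co.za;",
    "Received-SPF: pass (spe6.ucebox.co.za: domain of ttaf.co.za designates "
    "196.34.160.66 as permitted sender) client-ip=196.34.160.66; "
    "envelope-from=Agent.Navz@ttaf.co.za; helo=is-ironport-02.ttaf.co.za;",
]
# Record from the accepted answer.
RECORD = "v=spf1 ip4:196.34.160.78/31 include:spf.protection.outlook.com -all"

def parse_received_spf(line):
    """Return result, checking host, identity and client IP of one header."""
    head = re.match(r"Received-SPF:\s*(\w+)\s*\(([^:\s]+):", line)
    params = dict(re.findall(r'([\w-]+)="?([^;"\s]+)', line))
    if not head or "client-ip" not in params:
        return None
    ip = ipaddress.ip_address(params["client-ip"])
    return {
        "result": head.group(1).lower(),
        "checked_by": head.group(2),
        "identity": params.get("identity", "unspecified"),
        "client_ip": str(ip),
        "internal_hop": ip.is_private,  # RFC 1918 source: check ran inside the org
    }

def covered_by_ip4(record, ip):
    """True if ip matches an ip4: term; other mechanisms need DNS and are skipped."""
    nets = [ipaddress.ip_network(t[4:], strict=False)
            for t in record.split() if t.lower().startswith("ip4:")]
    return any(ipaddress.ip_address(ip) in net for net in nets)

def triage(headers, record):
    """Parse every Received-SPF line and note whether the ip4: term covers it."""
    rows = [r for r in map(parse_received_spf, headers) if r]
    for r in rows:
        r["ip4_match"] = covered_by_ip4(record, r["client_ip"])
    return rows

if __name__ == "__main__":
    for row in triage(HEADERS, RECORD):
        print(row)
```

On these headers the Fail and None results come from the IronPort checking 10.10.16.84, a private address, while the pass comes from spe6.ucebox.co.za checking 196.34.160.66. That address falls outside 196.34.160.78/31, so it is worth confirming which mechanism in the published record covers the IronPort's outbound address.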
 

Author Comment

by:TTAF4
Should I perhaps add my internal domain name to the SPF record?

[Attachment: 2016-08-24-22_16_33-SPF-Wizard---SPF.png]
0
 

Author Comment

by:TTAF4
This is weird. The email went through even though I got a failure message.

[Attachment: 2016-08-24-22_33_20-Message-Details.png]
0
 
LVL 38

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 500 total points
No, you should not add your local address to the SPF, as ANYONE can use that value. It's exactly the opposite of what the SPF is intended for.
1
 

Author Closing Comment

by:TTAF4
Thank you so much for your help.
0
