SPF record. Cisco Ironport. Office 365 Hybrid

Posted on 2016-08-23
Last Modified: 2016-08-26
Hi All

Please can someone assist me in creating an SPF record for my domain.

I am running a hybrid environment. All email enters my org through my IronPort cluster; however, sending email is different.

On prem users route their email through my IronPorts. My O365 users send mail directly to the internet.

My MX records are and 79.

This is what I got so far using  IN TXT "v=spf1 mx a ip4: -all"

Is that correct?
Question by:TTAF4

Accepted Solution

Vasil Michev (MVP) earned 500 total points
ID: 41767595
No, something like this:  IN TXT "v=spf1 ip4: -all"


You don't need the MX and A clauses, the include clause needs to be for, and you don't need to list anything else.

Author Comment

ID: 41767609
Why don't I need the MX and A clause? Sorry I'm new to this...

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 500 total points
ID: 41767654
Because the MX points to the same IP range, and you're not going to be sending via any other on-prem servers/IPs. You can leave them if it makes you feel safer :)
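Added example (not part of the thread and not either poster's code): a minimal SPF evaluator run over a constructed DNS table, comparing a record that keeps `mx a` with the shorter form recommended above. The domain example.com, the include target spf.o365.example and every address are placeholders, because the real values do not appear on the page; the lookup counter is a simplification that counts one DNS query per `mx`, `a` or `include` term.

```python
import ipaddress

# Constructed in-memory DNS; every name and address here is a placeholder.
DNS = {
    "TXT": {"example.com": "v=spf1 mx a ip4:203.0.113.0/28 include:spf.o365.example -all",
            "spf.o365.example": "v=spf1 ip4:198.51.100.0/24 -all"},
    "MX": {"example.com": ["mx1.example.com", "mx2.example.com"]},
    "A": {"example.com": ["203.0.113.20"],   # apex A record: a web host, not a mail sender
          "mx1.example.com": ["203.0.113.5"], "mx2.example.com": ["203.0.113.6"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Shorter record: the gateway range plus the hosted-mail include, nothing else.
LEAN = "v=spf1 ip4:203.0.113.0/28 include:spf.o365.example -all"

def check_host(ip, domain, record=None, state=None):
    """Return (result, dns_lookups) for a sending ip against domain's SPF record."""
    state = state if state is not None else {"lookups": 0}
    record = record or DNS["TXT"].get(domain)
    if record is None:
        return "none", state["lookups"]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qual = QUALIFIERS.get(term[0])
        mech = term[1:] if qual else term      # no prefix means "+" (pass)
        qual = qual or "pass"
        name, _, arg = mech.partition(":")
        if name in ("mx", "a", "include"):
            state["lookups"] += 1              # RFC 7208 allows at most 10
            if state["lookups"] > 10:
                return "permerror", state["lookups"]
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(ip in DNS["A"].get(h, []) for h in hosts)
        elif name == "include":
            matched = check_host(ip, arg, state=state)[0] == "pass"
        else:
            continue                           # other terms are not modelled here
        if matched:
            return qual, state["lookups"]
    return "neutral", state["lookups"]
```

With this constructed data both records pass the gateway and hosted-mail addresses, but the `a` term also authorises 203.0.113.20, a host that never sends mail, and the shorter record rejects it while using fewer DNS lookups.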

Author Comment

ID: 41768630
OK, thanks man. After I add the SPF records, what are the next steps?

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 500 total points
ID: 41768673
Next steps for what?

Author Comment

ID: 41769305
Thanks for all your help thus far. Much appreciated. I have added the SPF entry to my DNS records. It appears to be working but I noticed some of the checks fail along the way. See attached.

Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 500 total points
ID: 41769335
Well, your HELO string is referencing the .local domain, and your internal IP addresses. That shouldn't be a problem though, as it's generated at your local servers. The important check, performed by Gmail servers, is OK.

Simply configure the IronPort to trust the local senders or disable the SPF check there.

Author Comment

ID: 41769376
How do I correct the HELO string?  Also how do I configure the IronPort to trust the local sender?

Sorry for so many questions. I really appreciate the help.

Author Comment

ID: 41769387
Now I am getting this:

From: Mail Delivery System []
Sent: Wed, August 24, 2016 10:05 PM
To: Agent Navz
Subject: Undeliverable: 2204

Delivery has failed to these recipients or groups:
A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:
Generating server:
#< #5.0.0> #SMTP#
Original message headers:
Return-Path: <>
Received: from ([]:39014)   by with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)    (Exim
 4.87)  (envelope-from <>)       id 1bcePi-0007e9-Vn    for; Wed, 24 Aug 2016 22:04:42 +0200
Received: from ([]      by with esmtp (Exim 4.85)
        (envelope-from <>)       id 1bcePg-0006IG-44    for; Wed, 24 Aug 2016 22:04:44 +0200
Authentication-Results:; spf=Fail; spf=None smtp.helo=postmaster@ttafdatvxmr1.ttaf.local
Received-SPF: Fail ( domain of does not designate as
  permitted sender) identity=mailfrom; client-ip=;;
  x-sender=""; x-conformance=spf_only;
Received-SPF: None ( no sender
  authenticity information available from domain of
  postmaster@ttafdatvxmr1.ttaf.local) identity=helo;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2BiBQAe/b1X/1QQCgpcgnYzAQEBAQFnD?=
X-IPAS-Result: =?us-ascii?q?A2BiBQAe/b1X/1QQCgpcgnYzAQEBAQFnDYEDhxiybYYdAiK?=
X-IronPort-AV: E=Sophos;i="5.28,572,1464645600";
Received: from unknown (HELO ttafdatvxmr1.ttaf.local) ([])  by with ESMTP; 24 Aug 2016 22:04:38 +0200
Received: from TTAFDBNVXMR1.ttaf.local ( by
 TTAFDATVXMR1.ttaf.local ( with Microsoft SMTP Server (TLS) id; Wed, 24 Aug 2016 22:04:38 +0200
Received: from TTAFDBNVXMR1.ttaf.local ([]) by
 TTAFDBNVXMR1.ttaf.local ([]) with mapi id 14.03.0266.001; Wed, 24
 Aug 2016 22:04:37 +0200
From: Agent Navz <>
To: "" <>
Subject: 2204
Thread-Topic: 2204
Thread-Index: AdH+QrwmoBzpFLKNTSqJfCMm4O8R2w==
Date: Wed, 24 Aug 2016 20:04:36 +0000
Message-ID: <D10A8E561117C84C8DA2FEEA1252147223ECAE3D@TTAFDBNVXMR1.ttaf.local>
Accept-Language: en-ZA, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative;
MIME-Version: 1.0
Received-SPF: pass ( domain of designates as permitted sender) client-ip=;;;
X-SPF-Result: domain of designates as permitted sender
X-Filter-ID: s0sct1PQhAABKnZB5plbIfTMHwIoCPwkEUxWhAsHA3yXqSIHh/mdku6BgfhnCb1xWywi3RPeT3mN
Authentication-Results:; spf=pass
X-Afrihost-Class: ham
X-Afrihost-Evidence: Combined (0.15)
X-Recommended-Action: accept

Author Comment

ID: 41769397
Should I perhaps add my internal domain name to the SPF record?


Author Comment

ID: 41769408
This is weird. The email went through even though I got a failure message.


Assisted Solution

by:Vasil Michev (MVP)
Vasil Michev (MVP) earned 500 total points
ID: 41769749
No, you should not add your local address to the SPF, as ANYONE can use that value. It's exactly the opposite of what the SPF is intended for.

Author Closing Comment

ID: 41771733
Thank you so much for your help.
