Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments
Course Of The Month
10 days, 11 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
spf record
Posted on 2016-10-26
I have a client who has a domain name registered with their registrant,
Today I tried to get the SPF record edited by the registrant, to include the website hosting providers domain and had what equates to an argument via chat over what is/isn't possible. So I'm here in the court of Experts Exchange to see what your thoughts are.
Exchange gateway address = 222.222.222.222 (just an example and sorry if its your IP)
Current spf = v=spf1 ip4:222.222.222.222 -all
Website hosting provider = worldsecuresystems.com (their real domain name)
Questions: (and some i know the answer but am starting as if I know nothing in case I am wrong)
Reading resources on Googles own SPF reference talks about this exact scenario, yet openspf.org doesn't (or I haven't yet found)
- has their own on-prem exchange server
- and a website hosted by a 3rd party.
- The website also creates emails when someone makes an online inquiry/feedback.
Today I tried to get the SPF record edited by the registrant, to include the website hosting providers domain and had what equates to an argument via chat over what is/isn't possible. So I'm here in the court of Experts Exchange to see what your thoughts are.
Exchange gateway address = 222.222.222.222 (just an example and sorry if its your IP)
Current spf = v=spf1 ip4:222.222.222.222 -all
Website hosting provider = worldsecuresystems.com (their real domain name)
Questions: (and some i know the answer but am starting as if I know nothing in case I am wrong)
- Is it possible to add a 2nd mail server to the SPF record?
- Can you have a mix of IP's and FQDN's in an spf record
- Is the spf syntax v=spf1 ip4:222.222.222.222 Include:worldsecuresystems
.com -All
Reading resources on Googles own SPF reference talks about this exact scenario, yet openspf.org doesn't (or I haven't yet found)
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
2
- +2
8 Comments
I think this is the authoritative document: https://support.google.com/a/answer/4568483?hl=en
add the mail server's IP address before the ~all argument using the format ip4:address or ip6:address to add the server to your existing SPF record:
v=spf1 ip4:83.206.106.17 include:_spf.google.com ~all
Active today
Thanks Austin, is the _spf part of the FQDN or is it Dmain Name syntax saying look for the spf for google.com?
Active 3 days ago
Hi,
as you wrote, it is possible to create SPF record of that type.
Question is, why are you making that modification?
When someone makes online inquiry, is mail going to be directed to exchange or is it sent to some other mail server? If it is sent to exchange, then you should create additional receive connector, that is going to accept connection from that provider and problem solved. Or if mail is send via some account, that is authenticated, then there should be no need to do anything. Just point to exchange.
You need SPF to help other mail servers identify if mail sent to them, sent from your mail servers. If you are sending mail to your exchange, from website, then you don't need to modify it.
Regards,
Ivan.
as you wrote, it is possible to create SPF record of that type.
Question is, why are you making that modification?
When someone makes online inquiry, is mail going to be directed to exchange or is it sent to some other mail server? If it is sent to exchange, then you should create additional receive connector, that is going to accept connection from that provider and problem solved. Or if mail is send via some account, that is authenticated, then there should be no need to do anything. Just point to exchange.
You need SPF to help other mail servers identify if mail sent to them, sent from your mail servers. If you are sending mail to your exchange, from website, then you don't need to modify it.
Regards,
Ivan.
Active today
1. Yes, large number of mail servers an be included in an SPF record.
2. Kinda, the FQDNs need to be prefixed with an INCLUDE mechanism, and if the domain references has no SPF record, it will break things. (always return a PERMERROR)
3. Yes, the syntax looks valid.
2. Kinda, the FQDNs need to be prefixed with an INCLUDE mechanism, and if the domain references has no SPF record, it will break things. (always return a PERMERROR)
3. Yes, the syntax looks valid.
Your SPF record has a 256 character limit, and the current value belowonly uses 32 characters so you're good for now:
v=spf1 ip4:222.222.222.222 -all
You need to work with the web host and gather all WAN IPs they will use to send email on your behalf. This can include a CIDR range, ie 222.222.222.0/24. Your SPF record can also include recursive records which you demonstrated in your initial post with:
v=spf1 ip4:222.222.222.222 Include:worldsecuresystems
A great resource I've used for years to validate and test SPF records before publishing to DNS is Kitterman - http://www.kitterman.com/spf/validate.html.
One last thing. If you do ever get yourself into a situation where you're approaching the 256 character limit, just nest an SPF record inside your SPF record. Check out the SPF record for microsoft.com:
You see how they nested '_spf-a.microsoft.com' inside the record? If you query TXT record for _spf-a.microsoft.com you'll find the actual WAN IPs plus a few more nested records most likely.
v=spf1 ip4:222.222.222.222 -all
You need to work with the web host and gather all WAN IPs they will use to send email on your behalf. This can include a CIDR range, ie 222.222.222.0/24. Your SPF record can also include recursive records which you demonstrated in your initial post with:
v=spf1 ip4:222.222.222.222 Include:worldsecuresystems
A great resource I've used for years to validate and test SPF records before publishing to DNS is Kitterman - http://www.kitterman.com/spf/validate.html.
One last thing. If you do ever get yourself into a situation where you're approaching the 256 character limit, just nest an SPF record inside your SPF record. Check out the SPF record for microsoft.com:
PS C:\Users\v-jacraw> Resolve-DnsName -Name microsoft.com -Type txt -Server 8.8.8.8
Name Type TTL Section Strings
---- ---- --- ------- -------
microsoft.com TXT 2359 Answer {docusign=d5a3737c-c23c-4bd0-9095-d2ff621
f2840}
microsoft.com TXT 2359 Answer {FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZ
kGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVY
NabdQ==}
microsoft.com TXT 2359 Answer {v=spf1 include:_spf-a.microsoft.com
include:_spf-b.microsoft.com
include:_spf-c.microsoft.com
include:_spf-ssg-a.microsoft.com
include:spf-a.hotmail.com
ip4:147.243.128.24 ip4:147.243.128.26
ip4:147.243.1.153 ip4:147.243.1.47
ip4:147.243.1.48 -all}
You see how they nested '_spf-a.microsoft.com' inside the record? If you query TXT record for _spf-a.microsoft.com you'll find the actual WAN IPs plus a few more nested records most likely.
@mgkitmgr -
Sorry for the slow response...I fell asleep.
Yes, it is a FQDN. Another example:
"v=spf1 include:outlook.microsoft.
Sorry for the slow response...I fell asleep.
Yes, it is a FQDN. Another example:
"v=spf1 include:outlook.microsoft.
Active today
These are excellent responses from you all.
I tried the kitterman spf test with the correct IP address and syntax and it passes
v=spf1 ip4:203.45.234.155 include:worldsecuresystems
As an FYI about the config, some other factors
I tried the kitterman spf test with the correct IP address and syntax and it passes
v=spf1 ip4:203.45.234.155 include:worldsecuresystems
As an FYI about the config, some other factors
- The client does use a cloud spam filtering service which is looking for spf's to refine the filtering accuracy
- The website developer tells me he cant modify any of the config of the website feedback/inquiry mechanism (not sure how factual this is - not my forte) except the recipient email address for the email it generates
- He cant point the emails generated by feedback/inquiry at the IP or FQDN for the domain, making it important that we get the spf correct to ensure the emails get thru the filter and not treated as spoofed.
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync.
To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month10 days, 11 hours left to enroll
Earn Certification
MTA Networking Fundamentals Exam 98-366
$59.00$53.10
628 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.