Gabriel Van Raay asked:

I've configured SPF, why can I still spoof my domain from an external mail server?

Hi, I'm wondering if someone can help me. I've spent hours researching but cannot find a clear answer.

I've configured an SPF record on my public DNS server.  v=spf1 mx a -all

I'm confident the SPF record is configured properly. The SPF check fails when trying to send to my Gmail from a valid internal email using this external mail server: https://emkei.cz/

Where I'm confused is when I try and send to a valid internal address from a valid internal address using the above-mentioned external mail server. This server is not permitted to send on behalf of my domain, so why are the messages still getting in?

I'm running Exchange 2010 and the header of the email has this:
Received-SPF: None (myserver.mydomain.local: validaddress@mydomain.com does not
 designate permitted sender hosts)

Why isn't my Exchange server checking its own domain's SPF record? Thanks in advance!
Patrick Bogers

Hi,

If you use Exchange 2010 you have to configure it

Open Organization Configuration, Hub Transport, Anti-spam.
Go to Properties of Content Filtering.
Set Reject messages that have a SCL rating greater than or equal to: 5

Cheers
Did you configure it to hard fail or soft fail?
Gabriel Van Raay (ASKER)

> Hi,
>
> If you use Exchange 2010 you have to configure it
>
> Open Organization Configuration, Hub Transport, Anti-spam.
> Go to Properties of Content Filtering.
> Set Reject messages that have a SCL rating greater than or equal to: 5
>
> Cheers

Thanks for the response. I've set content filtering this way, still no change. I've also played with the Sender ID settings, trying all the options (reject, delete, and stamp).

> Did you configure it to hard fail or soft fail?

My SPF record is configured for a hard fail (-all)
Check that your fully qualified domain name configured on your Exchange server matches the address record forward and inverse in DNS.

It looks as if it's configured as something.local instead of mydomain.com.

And, if you can't change that, add an IP to the SPF record that resolves to the public IP of the Exchange server.  

If you're NATing, the public IP should be the same in both directions.
Did you restart hub transport after configuring anti spam?
skullnobrains

Try the following:
- add a _dmarc record in your zone
- make sure both records resolve when queried from the Exchange server
- wait a little, possibly restart Exchange and clear the host's and any intermediate cache
- if that still does not work, make sure you don't have a policy specific to your domain. Given the header, I'd assume the SPF record is either not resolved or ignored because there is no associated DMARC record.