SPF record for 2 domains using one exchange server

Hi All

I have 2 domains for which I want to set up an SPF record. Both are on different public IPs. I am sending emails from both domains via one Exchange Server 2010.

First domain mail.aaa.com, public IP 5.6.7.8
Second domain mail.bbb.com, public IP 1.2.3.4
For aaa.com:
mail.aaa.school.fj. IN TXT "v=spf1 mx a ip4:1.2.3.4 a:mail.bbb.school.fj  include:aspmx.l.google.com -all"

For bbb.com, public IP 5.6.7.8:
mail.bbb.com IN TXT "v=spf1 mx a ip4:5.6.7.8 a:mail.aaa.school.fj -all"

Will this cause any conflicts or is it correct?

Do I need to make any changes on my Exchange 2010 server after the above record is published by the ISP?
Asked by Member_2_6474242 (Senior Systems Administrator).
Cliff Galiher commented:
Should be fine given the information provided.
timgreen7077 (Exchange Engineer) commented:
No, you should be fine with your plan based on your comments. There should be no conflicts, and no changes are required to be made on the Exchange server for SPF records. Also, you can test the SPF record to make sure its syntax is valid at the link below:

http://www.kitterman.com/spf/validate.html
noci (Software Engineer) commented:
If the IP address is in the MX record then don't mention the IP ... or don't mention MX. There is a lookup limit of max. 10 lookups per check.

As far as I can tell Google uses: _spf.google.com
What is the domain used in the mail: school.fj or mail.aaa.com or aaa.com...
or mail.aaa.school.fj?
The SPF record should be a TXT record in the domain used in the mail addresses.
Member_2_6474242 (Senior Systems Administrator, author) commented:
Google support has provided aspmx.l.google.com as the G Suite mail servers. Should the format change?

include:aspmx.l.google.com

The above says that Google is allowed to send email on my domain as well, if I am right. Or will it be _spf.google.com?

Seeking clarification

I want to allow

First domain mail.aaa.com, public IP 5.6.7.8, to be able to send to and from second domain mail.bbb.com, public IP 1.2.3.4, and vice versa.
noci (Software Engineer) commented:
dig txt aspmx.l.google.com
fails to provide any SPF info record.

include tells the tool that is looking up an SPF record to also consider the TXT records on that name (compare it to
$ dig txt _spf.google.com
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 31a28e169f602ca204f3eafd5a896252a28ef6ee0ca1816f (good)
;; QUESTION SECTION:
;_spf.google.com.               IN      TXT

;; ANSWER SECTION:
_spf.google.com.        187     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

;; AUTHORITY SECTION:


and then the same for the netblocks....

If mail addresses are: blahblah@mail.aaa.com and boehboeh@mail.bbb.com
mail.aaa.com       TXT  "v=spf1 ip4:5.6.7.8 include:<google-record> ~all"
mail.bbb.com       TXT  "v=spf1 ip4:1.2.3.4 include:<google-record> ~all"

If mail addresses are: whoever@whatever.example.com then the SPF is:
whatever.example.com  TXT "v=spf1 ip4:5.6.7.8 ip4:1.2.3.4 include:<google-record> ~all"
skullnobrains commented:
I want to allow

First domain mail.aaa.com, public IP 5.6.7.8, to be able to send to and from second domain mail.bbb.com, public IP 1.2.3.4, and vice versa.

mail.aaa.school.fj. IN TXT "v=spf1 ip4:5.6.7.8 ip4:1.2.3.4 a:mail.aaa.school.fj a:mail.bbb.school.fj include:aspmx.l.google.com -all"
mail.bbb.com IN TXT "v=spf1 redirect=mail.aaa.school.fj"

If mail.xxx.school.fj points to the above mentioned IPs, you can either remove them or remove the IPs. You don't need both.
Don't use "a" alone when you use includes or redirections.

You may also need to change the Google part as per the above recommendations.

You can also copy-paste the record for aaa in bbb, or set up a 3rd record and redirect both aaa and bbb to that record. It's mostly a matter of what you're more comfortable maintaining.
noci (Software Engineer) commented:
It makes no sense to include extra lookups that give the same result: if the IP of mail.aaa.com = 5.6.7.8 then including both ip4:5.6.7.8 and a:mail.aaa.com is doing the SAME check twice at the expense of an extra lookup. Unless you doubt mathematics this makes no sense.
If you doubt mathematics then using ICT at all makes no sense.

Bottom line of SPF is that the IP address of the mail sender can be linked to the domain name mentioned in the SENDER's address.
So a lookup by the recipient system of a mail sent by whoever@whatever.example.com leads to a TXT lookup of whatever.example.com.
If in the collection there is an RR starting with "v=spf1" then the remainder of that record is considered a Sender Policy Framework description.

This is dissected to find out if the sending system is a known sender for this domain; if the IP address is in the list the mail is acceptable, depending on the -, + or ~ prefix.
Unusual: -ip4 or -ip6..., or +all (the latter is an invite for backscatter spam or for your addresses being used as senders in spam).
No record is to be taken as ~all (decide on other checks).

Lookups are limited to 10 requests: every mx, a, ptr, include, redirect is an extra lookup.
Member_2_6474242 (Senior Systems Administrator, author) commented:
Thanks everyone

Is the following OK now?
For aaa.com (my Google domain; emails go to my Exchange server first)
mail.aaa.school.fj. IN TXT "v=spf1 mx a ip4:1.2.3.4  include:_spf.google.com ~all"

Please clarify. As per Google: Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all

Publishing an SPF record that uses -all instead of ~all provides stricter security, but may result in delivery problems. See Google IP address ranges for details about the addresses for the G Suite mail servers. https://support.google.com/a/answer/178723?hl=en&ref_topic=2759192

Should I use - or ~? Google says to use ~ whereas the above discussions say otherwise.

For bbb.com, public IP 5.6.7.8 (emails hosted on my Exchange server)
mail.bbb.com IN TXT "v=spf1 redirect=mail.aaa.school.fj"
noci (Software Engineer) commented:
That depends...., what will be the email address used as sender?.....

So your email addresses are: someuser@mail.aaa.school.fj
and someotheruser@mail.bbb.com?

Because those are the domains that you created the above SPF records for,,,, (note that hostnames are irrelevant for SPF, it is about sender mail addresses).
skullnobrains commented:
Following noci and assuming you want records for xxx.com and not mail.xxx.com:

If you want mail.bbb.com to work properly, you should use a:mail.bbb.com in the record rather than a or mx. The interpretation of "a" or "mx" is not reliable with redirects and additionally difficult to maintain.

Adding "mx" is useless since mail.xxx.com is most likely your MX anyway and is already stated.

Adding "a" most likely allows the IPs of xxx.com rather than mail.xxx.com to send email. Is that what you want?

You do not mention 5.6.7.8 nor mail.bbb.com, so you did not allow the second server.

Ending in ~all rather than -all instructs remote servers to soft bounce (reply with 4xx, please retry later) any email that does not validate against the SPF record properly, rather than a hard bounce (reply with 5xx, trash the email and send a DSN). Anyway, most servers will do whatever they want, including but not limited to trashing any non-matching email without bothering to warn the sender, and replying with 4xx anyway. Bottom line is don't get mixed up in the configuration, but don't bother too much about - or ~. ~ is a bit safer during the adjustment phase.
Member_2_6474242 (Senior Systems Administrator, author) commented:
Hi Everyone

What is the best practice when it comes to specifying SPF records for multiple as well as single domains? We own 2 domains, one of which is Google, but mail gets delivered to us first and then goes to Google.

Can someone please provide an example so that I can use that to make my own SPF record?

I am getting confused with conflicting solutions.
skullnobrains commented:
Best practice for a single server hosting multiple domains is to set up a single SPF record on a separate domain and redirect/include that record in all other hosted domains' SPF records.

Best practice for more complex setups is dependent on each use case.

If you have a separate domain available, such as one specific to mail.xxx, you probably should set the record in this domain and include/require it in other records.

If you don't, and/or mail.xxx is the MX record of each domain, you may consider setting up "mx" in each of the hosted domains, add whatever is Google-specific to whichever domain has a Google-specific setup, and not bother with includes.

Bottom line is you need to make a choice between multiple working setups based on whichever seems easiest to maintain. Don't expect anything to be perfect, and leave documentation (if possible in the zone files) for future admins.
noci (Software Engineer) commented:
How about the following example(s):  
domain:   example.com
mail host: mail.example.com
ip address of host: (static) 10.10.10.10
also Google is sending mail for us: spf = _spf.google.com
there are NO other mailers

SPF:

example.com    TXT     "v=spf1 ip4:10.10.10.10 include:_spf.google.com -all"
example.com    MX   50 mail.example.com
mail.example.com A 10.10.10.10

10.10.10.10.in-addr.arpa PTR   mail.example.com

Mailserver advertises in HELO: mail.example.com
This mail server ONLY sends mail for what.ever.mailbox@example.com

What is unclear?
If there are 2 mail servers:
Same as above, extra mailserver mail2.example.com with address 10.10.10.20

example.com    TXT     "v=spf1 ip4:10.10.10.10 ip4:10.10.10.20 include:_spf.google.com -all"
example.com    MX   50 mail1.example.com
example.com    MX   50 mail2.example.com
mail1.example.com A 10.10.10.10
mail2.example.com A 10.10.10.20

10.10.10.10.in-addr.arpa PTR   mail1.example.com
20.10.10.10.in-addr.arpa PTR   mail2.example.com

Mailserver-1 advertises in HELO: mail1.example.com
Mailserver-2 advertises in HELO: mail2.example.com
This mail server ONLY sends mail for what.ever.mailbox@example.com

---
Two domains domain1.example.com & domain2.example.com
with 2 mail servers mail1.example.com & mail2.example.com
ip addresses 10.10.10.30 & 10.10.10.40
no google....
both capable of sending each other's mail

domain1.example.com    TXT     "v=spf1 ip4:10.10.10.30 ip4:10.10.10.40 -all"
domain2.example.com    TXT     "v=spf1 ip4:10.10.10.30 ip4:10.10.10.40 -all"
domain1.example.com    MX   50 mail1.example.com
domain2.example.com    MX   50 mail2.example.com
mail1.example.com A 10.10.10.30
mail2.example.com A 10.10.10.40

30.10.10.10.in-addr.arpa PTR   mail1.example.com
40.10.10.10.in-addr.arpa PTR   mail2.example.com

Mailserver-1 advertises in HELO: mail1.example.com
Mailserver-2 advertises in HELO: mail2.example.com

---
Two domains domain1.example.com & domain2.example.com
with 1 mail server mail.example.com
IP address 10.10.10.50
no google....
both capable of sending each other's mail

domain1.example.com    TXT     "v=spf1 ip4:10.10.10.50 -all"
domain2.example.com    TXT     "v=spf1 ip4:10.10.10.50 -all"
domain1.example.com    MX   50 mail.example.com
domain2.example.com    MX   50 mail.example.com
mail.example.com A 10.10.10.50

50.10.10.10.in-addr.arpa PTR   mail.example.com

Mailserver advertises in HELO: mail.example.com

Any more questions?
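As an added illustration (not code from anyone in this thread), a toy SPF evaluator in Python over a constructed in-memory zone. It walks the mechanisms in order as noci's earlier comment describes, counts the terms that cost a DNS lookup against the limit of 10, treats an include of a name that carries no v=spf1 record (the aspmx.l.google.com situation) as a permanent error, and follows a redirect the way the proposed mail.bbb.com record does; the zone names and addresses are made up and mirror the example.com cases above.

```python
import ipaddress
# Constructed in-memory zone standing in for DNS (made-up names and addresses).
ZONE = {
    "example.com": {"TXT": ["v=spf1 ip4:10.10.10.10 mx include:_spf.example.net -all"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["10.10.10.10"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},  # third-party sender
    "domain2.example.com": {"TXT": ["v=spf1 redirect=example.com"]},  # reuse one policy
    "bad.example.com": {"TXT": ["v=spf1 include:mail.example.com -all"]},  # include of a host
    "loop.example.com": {"TXT": ["v=spf1 include:loop.example.com -all"]},  # self-include
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: a, mx, ptr, exists, include and redirect each count one

def check_host(ip, domain, lookups):
    # lookups: one-element list used as a counter shared across include/redirect.
    recs = [t for t in ZONE.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    if not recs:
        return "none"
    terms = recs[0].split()[1:]
    redirect = next((t[9:] for t in terms if t.startswith("redirect=")), None)
    for term in (t for t in terms if not t.startswith("redirect=")):
        qual, term = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        mech, _, arg = term.partition(":")
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in ZONE.get(arg or domain, {}).get("A", [])
        elif mech == "mx":
            hit = any(ip in ZONE.get(h, {}).get("A", []) for h in ZONE.get(arg or domain, {}).get("MX", []))
        else:  # include (ptr/exists/ip6 left out of this toy): target must carry v=spf1
            sub = check_host(ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            hit = sub == "pass"
        if hit:
            return QUAL[qual]
    if redirect:  # consulted only when nothing matched; it counts as a lookup too
        lookups[0] += 1
        return "permerror" if lookups[0] > MAX_LOOKUPS else check_host(ip, redirect, lookups)
    return "neutral"
def evaluate(ip, domain):
    lookups = [0]  # returns (result, number of DNS-querying terms consumed)
    return check_host(ip, domain, lookups), lookups[0]
```

Running evaluate("10.10.10.10", "bad.example.com") shows why including a plain mail host name is an error, and the loop.example.com case shows the 10-lookup limit tripping.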
Member_2_6474242 (Senior Systems Administrator, author) commented:
Does this seem OK?
v=spf1 include:_spf.google.com include:mail.aaa.school.fj ~all ---> for the Google one

v=spf1 redirect=mail.bbb.school.fj --> for the other domain

Please confirm.
Member_2_6474242 (Senior Systems Administrator, author) commented:
thanks

noci (Software Engineer) commented:
Is the include:mail.aaa.school.fj a TXT v=spf1 record? If yes then OK, if NO well eh... no.
Is mail.bbb.school.fj a v=spf1 TXT record? Like the previous....

I get more and more confused about what you attempt to do.... Please check out the accepted solution; there all 4 possible base cases are mentioned (single/multiple domains from single/multiple servers).