Andy M
asked on
SPF record
Hello,
Single Exchange server.
5 e-mail domains
Two MX records
One SPF record in one „primary“ domain public DNS.
SPF: v=spf1 mx -all
What about the other 4 domains?
I think that someone is trying to spoof these 4 domains' e-mail addresses and send spam.
Do I need to add an SPF record to the other 4 domains, and how do I configure SPF for the other 4 domains?
An SPF record needs to be created for each domain you use to send outbound emails.
ASKER
Hello,
thank you.
So, my primary domain has v=spf1 mx -all
Can I add this v=spf1 ip4:x.x.x.x ip4:x.x.x.x ~all to the other 4 domains?
Any email that goes out from your Exchange server takes whatever domain name is the primary SMTP domain. An SPF record would be required for each such domain, and it should remain in the format of
v=spf1 ip4:x.x.x.x ip4:x.x.x.x ~all for all domains
You need to ensure that whatever IPs you enter there are only IPs which are used to send outbound email from your servers.
It's best to keep MX if you use MXes to send out emails, so that if your MXes' IPs change you do not need to remember the dependency.
If you do not use MXes to send out email, you should not include the MX clause.
A secondary domain can just include the primary domain.
I left MailUp IPs and Office 365 IPs as examples:
contoso1.com. 300 IN TXT "v=spf1 mx ip4:x.x.x.x ip4:x.x.x.x/21 include:spf.protection.outlook.com include:musvc.com -all"
contoso2.com. 300 IN TXT "v=spf1 include:contoso1.com -all"
Beware of the difference between -all and ~all:
+all = NO SPF in use, a free for all.....
~all = use other means to determine the final state if the address doesn't match
-all = Forbid other addresses as sender for this domain (preferred setting)
~all - soft fail
-all - hard fail - instructs the receiver, if the sender IP does not match any IP in the SPF record by any means, to outright reject that email
If you want to use -all, better use ip4:x.x.x.x with included lookups, if any
Hi,
Like Mahesh said, configure the SPF record with the outgoing server.
Set up a DMARC record for some more security.
ASKER
OK
Thanks for the hints.
I decided to implement this kind of SPF record on the other 4 domains:
"v=spf1 include:primary-domain.com -all"
When you add this to all your domains and point them to your primary domain, the rules from the primary domain are also applied for the other domains.
Primary SPF:
v=spf1 mx -all
Other 4 domains:
v=spf1 include:primary-domain.com -all
Is this OK?
Thank you for your good advice.
Yes, you can do that as well
The only thing you need to ensure is that primarydomain.com covers all public IPs which are used to send outbound emails for all domains and that no foreign public IP is there.
Also be aware that you need to keep within DNS packet limits (sizewise)... and that no more than 7 lookups are allowed for SPF.
mx, ptr, a & include are lookups.
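An added example (not code from the thread): a minimal SPF evaluator over a constructed zone, showing how a secondary domain's `include:` of the primary domain is evaluated and how many DNS-querying terms it consumes against the limit of 10 set in RFC 7208 section 4.6.4. The domain names, addresses and the `check_host` helper are assumptions for illustration; modifiers such as `redirect=` are ignored.

```python
import ipaddress

# Constructed sample zone (documentation names and addresses, not from the thread).
TXT = {
    "primary.example": "v=spf1 mx -all",
    "second.example": "v=spf1 include:primary.example -all",
    "third.example": "v=spf1 include:primary.example ~all",
}
MX_ADDRS = {"primary.example": ["192.0.2.10", "192.0.2.11"]}  # MX hosts, already resolved
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def check_host(ip, domain, counter=None):
    """Return (result, dns_lookups) for a sending IP and a MAIL FROM domain."""
    counter = counter if counter is not None else [0]
    record = TXT.get(domain)
    if record is None:
        return "none", counter[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech in ("mx", "a", "include", "ptr", "exists"):
            counter[0] += 1  # each of these terms costs one DNS lookup
            if counter[0] > LOOKUP_LIMIT:
                return "permerror", counter[0]
        if mech == "all":
            match = True
        elif mech == "ip4":
            match = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "mx":
            match = ip in MX_ADDRS.get(arg or domain, [])
        elif mech == "include":
            inner, _ = check_host(ip, arg, counter)
            if inner in ("permerror", "none"):
                return "permerror", counter[0]
            match = inner == "pass"  # a fail inside the include is only "no match" here
        else:
            match = False  # mechanisms outside this sketch never match
        if match:
            return RESULTS[qualifier], counter[0]
    return "neutral", counter[0]
```

The unauthorized address 203.0.113.5 gets `fail` for second.example but `softfail` for third.example: an `include` only matches when the included record returns pass, so the including domain's own `all` term decides the outcome.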