Building and Publishing an SPF record correctly

I am trying to build and publish an SPF record correctly. We have Small Business Server 2011 which has Exchange 2010. Our domain is hosted by a third party. We have two domain names, one that points to another. When creating the SPF, I will be using the internal IP address of our SBS that sends mail. I was going to include the following TXT under my forward lookup zone: "v=spf1 mx a ip4:192.168.3.234/24 -all". I understand that I also need to publish the SPF records with the DNS servers hosting our domain. My question is, do I provide my host domain provider the same TXT record I created for my mail server which has my internal IP?
Mikejett asked:
Jeremy Weisinger, Senior Network Consultant / Engineer, commented:
You do not need to configure this internally. This is only used by servers receiving mail from your domains. So you will need to specify the public IP address, or, if the MX record refers to your email server, you can just have this in your public DNS zone:

v=spf1 mx -all
0
Jeff Glover, Sr. Systems Administrator, commented:
Using an internal IP for an SPF record does not work. You need to use the external address for it if you want to use IP addresses. The way to do it simply is to use the domain name you have for your MX record. Your MX records for the main domain, that is. So, if you have domainA.com and domainB.com and domainB points to an A record in domainA for the MX record, you would use SPF for DomainB like: v=spf1 mx include:domainA.com -all. For DomainA, you would use v=spf1 mx a ip4:<your external IP address mail comes from> -all
Using the internal address is useless since it would NAT going out and no one would ever see it as a source.
0
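An added example, not code from any poster in this thread, that reads the records discussed above the way a receiving mail server would: it parses an SPF TXT record into its terms and flags the two defects Jeff points out in the asker's record, a private (non-routable) ip4 address and a /24 mask on what is a single host. The public IP and the domainA/domainB names are constructed placeholders taken from the thread, not real DNS data.

```python
import ipaddress

# Constructed sample records based on the thread (not live DNS data).
ASKER_RECORD    = "v=spf1 mx a ip4:192.168.3.234/24 -all"  # private IP from the question
DOMAIN_A_RECORD = "v=spf1 mx a ip4:98.23.23.23 -all"       # public sending IP quoted by the asker
DOMAIN_B_RECORD = "v=spf1 mx include:domainA.com -all"     # second domain relays via domainA
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # implicit pass qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        sep = "=" if "=" in term else ":"     # modifiers use '=', mechanisms ':'
        mech, _, arg = term.partition(sep)
        parsed.append((qualifier, mech.lower(), arg))
    return parsed

def lint_spf(record):
    """Return the problems a receiving mail server would trip over."""
    problems = []
    terms = parse_spf(record)
    for _, mech, arg in terms:
        if mech in ("ip4", "ip6"):
            try:
                iface = ipaddress.ip_interface(arg)
            except ValueError:
                problems.append(f"{mech}:{arg} is not a valid address or CIDR")
                continue
            if iface.ip != iface.network.network_address:
                problems.append(f"{mech}:{arg} has host bits set under its mask; "
                                "a single server is /32")
            if not iface.network.is_global:
                problems.append(f"{mech}:{arg} is not routable on the Internet; "
                                "receivers only ever see your NATed public IP")
    mechs = [m for _, m, _ in terms]
    if "all" not in mechs:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    elif any(m in MECHANISMS for m in mechs[mechs.index("all") + 1:]):
        problems.append("mechanisms after 'all' are never evaluated")
    return problems

if __name__ == "__main__":
    for rec in (ASKER_RECORD, DOMAIN_A_RECORD, DOMAIN_B_RECORD):
        print(rec, "->", lint_spf(rec) or "looks sane")
```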
timgreen7077, Exchange Engineer, commented:
Yes, you are correct. The record you created, you will add to your external DNS registrar like GoDaddy or whoever you use. The SPF record is a TXT record, so you would just create a new TXT record in your external DNS and copy and paste the SPF record you created. Your record also looks correct, so just paste it to a TXT record in your domain registrar and you should be good. Allow about an hour for replication, and you can go to the "https://www.kitterman.com/spf/validate.html" website and enter your email domain and validate that the record is found and correct.
0
Daryl Gawn, System Administrator, commented:
You can also use a generator to help get it right, such as https://mxtoolbox.com/SPFRecordGenerator.aspx
0
Mikejett (Author) commented:
Sorry, still trying to grasp this... So if I run an MX check on our domain, for example domain.com, it resolves to mail.domain.com at 98.23.23.23

I contacted our domain provider and they have a TXT record of, for example, "v=spf1 +ip4:216.240.222.0/23 ~all"

That IP belongs to the domain provider.

Shouldn't I have them change it to the 98.23.23.23 MX record?

Also, on my outgoing LAN mail server, I will have it refer to "v=spf1 mx -all" in the forward lookup zone.

Does this sound about right?
0
Jeff Glover, Sr. Systems Administrator, commented:
The SPF record only belongs in the External DNS zone. It serves no purpose inside your network. I assume that is what you meant by Forward lookup zone. You said you have 2 domains. Do you have users that send from both domains, meaning their email addresses are either @domain.com or @Domain2.com? If so, you should have MX records in both those external domains pointing to your mail.domain.com A record. The record in domain.com would be a simple mx -all and the one in domain 2 should have an include statement of include:domain.com. Does your "provider" send mail on your behalf? If so, then having that IP address in an SPF is correct. If not, then no.
Having an ip4: entry is mainly if you send mail from an IP other than the one your MX record shows.
0
Daryl Gawn, System Administrator, commented:
You don't need your domain provider's records in your own unless they are sending mail on your behalf; the domain name provider is providing you with DNS services. Are they hosting your mail too?

You need to specify the public IP address your mail sends out on, so that when any checks are doing filtering they will pass it through, since it has come from the correct IP.

I suggest using ~all (instead of -all) until you get it right; otherwise it will cause lots of problems with anyone receiving mail from you that does SPF checking.
0
timgreen7077, Exchange Engineer, commented:
I knew this would happen when you have people constantly chiming in; this kills me. Your logic and your SPF record in your question were correct. For example, if the IP address of your sending Exchange server is 1.1.1.1, then your SPF setup is:
"v=spf1 mx ip4:1.1.1.1 -all"

Just add the SPF to your domain registrar: whatever the sending server IP address is, not the MX record, because you can have a different MX record IP, and SPF has to do with the sending IP, not the receiving IP.
0
Jeff Glover, Sr. Systems Administrator, commented:
So by your logic, his initial idea of "v=spf1 mx a ip4:192.168.3.234/24 -all" will work? Don't think so. Private IP and subnet mask? And please, don't insult the rest of us. We are all volunteering time to help others just like you.
0
Mikejett (Author) commented:
timgreen7077, so the SPF record on the sending Exchange server will obviously have its internal IP, for example "v=spf1 mx ip4:192.168.1.1 -all".

I would forward that TXT to the domain registrar as well?
0
timgreen7077, Exchange Engineer, commented:
It needs to be the external sending IP, not your internal IP. Internal IPs are not routable on the internet, so whatever your sending external IP is, that is what you would add to the SPF record.
0
timgreen7077, Exchange Engineer, commented:
@Jeff, I didn't attempt to insult anyone, but all the different answers are not helpful to the author. It's more confusing than anything; this is a super simple question, and SPF records are super simple, but we have a tendency to get caught up in semantics and answering 1 question 50 different ways. Anyway, I didn't mean to insult anyone. I have offered my suggestion also to the author, so I will leave it to you all now.
0
Mikejett (Author) commented:
Thanks to everyone that helped me with this. I really appreciate everyone's time and consideration.
0