I am trying to build and publish an SPF record correctly. We have Small Business Server 2011, which has Exchange 2010. Our domain is hosted by a third party. We have two domain names, one of which points to the other. When creating the SPF, I will be using the internal IP address of our SBS that sends mail. I was going to include the following TXT under my forward lookup zone: "v=spf1 mx a ip4:192.168.3.234/24 -all" I understand that I also need to publish the SPF records with the DNS servers hosting our domain. My question is, do I provide my host domain provider the same TXT record I created for my mail server, which has my internal IP?
Exchange, SBS, DNS
Last comment: Mike, 8/22/2022 (Mon)
Jeremy Weisinger
You do not need to configure this internally. This is only used by servers receiving mail from your domains. So you will need to specify the public IP address, or, if the MX record refers to your email server, you can just have this in your public DNS zone:
v=spf1 mx -all
Jeff Glover
Using an internal IP for an SPF record does not work. You need to use the external address if you want to use IP addresses. The simple way to do it is to use the domain name you have for your MX record, that is, your MX records for the main domain. So, if you have domainA.com and domainB.com, and domainB points to an A record in domainA for the MX record, you would use SPF for domainB like this: v=spf1 mx include:domainA.com -all. For domainA, you would use v=spf1 mx a ip4:<your external IP address mail comes from> -all
Using the internal address is useless, since it would be NATed going out and no one would ever see it as a source.
timgreen7077
Yes, you are correct. The record you created, you will add to your external DNS registrar, like GoDaddy or whoever you use. The SPF record is a TXT record, so you would just create a new TXT record in your external DNS and copy and paste the SPF record you created. Your record also looks correct, so just paste it into a TXT record at your domain registrar and you should be good. Allow about an hour for replication, then go to the "https://www.kitterman.com/spf/validate.html" website, enter your email domain and validate that the record is found and correct.
Sorry, still trying to grasp this... So if I run an MX check on our domain, for example domain.com, it resolves to mail.domain.com at 98.23.23.23
I contacted our domain provider and they have a TXT record of, for example, "v=spf1 +ip4:216.240.222.0/23 ~all"
That IP belongs to the domain provider.
Shouldn't I have them change it to the 98.23.23.23 MX record?
Also, on my outgoing LAN mail server, I will have it refer to "v=spf1 mx -all" in the forward lookup zone
Does this sound about right?
Jeff Glover
The SPF record only belongs in the external DNS zone. It serves no purpose inside your network. I assume that is what you meant by forward lookup zone. You said you have 2 domains. Do you have users that send from both domains, meaning their email addresses are either @domain.com or @domain2.com? If so, you should have MX records in both those external domains pointing to your mail.domain.com A record. The record in domain.com would be a simple mx -all, and the one in domain2 should have an include statement of include:domain.com. Does your "provider" send mail on your behalf? If so, then having that IP address in an SPF is correct. If not, then no.
Having an ip4: entry is mainly for when you send mail from an IP other than the one your MX record shows.
I knew this would happen when you have people constantly chiming in; this kills me. Your logic and the SPF record in your question were correct. For example, if the IP address of your sending Exchange server is 1.1.1.1, then your SPF setup is:
"v=spf1 mx ip4:1.1.1.1 -all"
Just add the SPF to your domain registrar, with whatever the sending server IP address is, not the MX record, because you can have a different MX record IP, and SPF has to do with the sending IP, not the receiving IP.
Jeff Glover
So by your logic, his initial idea of "v=spf1 mx a ip4:192.168.3.234/24 -all" will work? I don't think so. A private IP and subnet mask? And please, don't insult the rest of us. We are all volunteering our time to help others, just like you.
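An added example, not code from the thread or from any of its posters: a small offline SPF linter that flags exactly the two problems raised in the reply above (a private address, and a /24 pasted onto a single host), plus a few other common record mistakes. Mechanism and modifier names are the ones defined in RFC 7208; the records in the demo are the ones quoted in this thread, and no DNS lookups are made.

```python
"""Offline SPF record linter (added example; not from the thread).

Parses a v=spf1 TXT string and reports:
  * ip4:/ip6: terms naming private or otherwise non-routable addresses
    (a receiving server only ever sees the public, post-NAT address),
  * a prefix length pasted onto a single host so that host bits are set,
  * unknown mechanisms or modifiers, a permissive "+all",
  * mechanisms after "all" (never evaluated) and a missing terminal "all".
"""
from __future__ import annotations

import ipaddress
import re

# Mechanisms and modifiers defined in RFC 7208.
KNOWN_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
KNOWN_MODIFIERS = {"redirect", "exp"}

# "ip4:1.2.3.4/32" -> ("ip4", "1.2.3.4/32"); "a/24" -> ("a", "24"); "mx" -> ("mx", None)
TERM_RE = re.compile(r"([A-Za-z0-9]+)(?:[:/](.*))?")


def check_ip_term(name: str, arg: str) -> list[str]:
    """Checks on the argument of a single ip4:/ip6: mechanism."""
    problems: list[str] = []
    if not arg:
        return [f"{name}: needs an address or network"]
    try:
        net = ipaddress.ip_network(arg, strict=False)
    except ValueError:
        return [f"{name}:{arg} is not a valid address or network"]
    if (name == "ip4") != (net.version == 4):
        problems.append(f"{name}:{arg} has the wrong address family for {name}")
    if net.is_private or net.is_loopback or net.is_link_local:
        problems.append(
            f"{name}:{arg} is not routable on the internet; a receiving server "
            "sees the public NAT address, so this term will never match"
        )
    # strict=True rejects "192.168.3.234/24" because bits below the /24 are set:
    # almost always a single host with a prefix length pasted on by mistake.
    if "/" in arg:
        try:
            ipaddress.ip_network(arg, strict=True)
        except ValueError:
            host, prefix = arg.split("/", 1)
            problems.append(
                f"{name}:{arg} has host bits set; did you mean the single host "
                f"{host} rather than the whole /{prefix} network?"
            )
    return problems


def lint_spf(record: str) -> list[str]:
    """Return the problems found in an SPF TXT record (empty list = clean)."""
    problems: list[str] = []
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    saw_all = False
    for term in terms[1:]:
        if "=" in term:  # modifiers look like name=value and may appear anywhere
            mod = term.partition("=")[0].lower()
            if mod not in KNOWN_MODIFIERS:
                problems.append(f"unknown modifier {mod!r}")
            continue
        if saw_all:
            problems.append(f"term {term!r} after 'all' is never evaluated")
            continue
        qualifier = "+"  # the default qualifier when none is written
        if term and term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = TERM_RE.fullmatch(term)
        if not m:
            problems.append(f"cannot parse term {term!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name not in KNOWN_MECHANISMS:
            problems.append(f"unknown mechanism {name!r}")
        elif name == "all":
            saw_all = True
            if qualifier == "+":
                problems.append("'+all' lets any host on the internet send as this domain")
        elif name in ("ip4", "ip6"):
            problems.extend(check_ip_term(name, arg or ""))
        elif name in ("include", "exists") and not arg:
            problems.append(f"{name}: needs a domain argument")
    if not saw_all:
        problems.append("no terminal 'all' mechanism; unmatched senders get an implicit neutral result")
    return problems


if __name__ == "__main__":
    for rec in (
        "v=spf1 mx a ip4:192.168.3.234/24 -all",  # the record proposed in the question
        "v=spf1 +ip4:216.240.222.0/23 ~all",      # the provider's existing record
        "v=spf1 mx -all",                          # what the thread settles on
    ):
        print(rec, "->", lint_spf(rec) or "OK")
```

Run it as a script to see the three records from the thread scored; the first one produces both findings (non-routable address, host bits set), the other two are clean. The linter checks syntax and address sanity only; whether the listed IP is really the one your mail leaves from still has to be confirmed against the outbound NAT address.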
Mike
ASKER
timgreen7077, so the SPF record on the sending Exchange server will obviously have its internal IP, for example "v=spf1 mx ip4:192.168.1.1 -all"
I would forward that TXT to the domain registrar as well?
It needs to be the external sending IP, not your internal IP. Internal IPs are not routable on the internet, so whatever your sending external IP is, that is what you would add to the SPF record.
timgreen7077
@Jeff, I didn't attempt to insult anyone, but all the different answers are not helpful to the author. It's more confusing than anything; this is a super simple question, and SPF records are super simple, but we have a tendency to get caught up in semantics and answer 1 question 50 different ways. Anyway, I didn't mean to insult anyone. I have offered my suggestion to the author as well, so I will leave it to you all now.
Mike
ASKER
Thanks to everyone who helped me with this. I really appreciate everyone's time and consideration.
v=spf1 mx -all