Building and Publishing an SPF record correctly

Mikejett
I am trying to build and publish an SPF record correctly. We have Small Business Server 2011 which has Exchange 2010. Our domain is hosted by a third party. We have two domain names, one that points to another. When creating the SPF, I will be using the internal IP address of our SBS that sends mail. I was going to include the following TXT under my forward lookup zone: "v=spf1 mx a ip4:192.168.3.234/24 -all". I understand that I also need to publish the SPF records with the DNS servers hosting our domain. My question is, do I provide my host domain provider the same TXT record I created for my mail server which has my internal IP?
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
You do not need to configure this internally. This is only used by servers receiving mail from your domains. So you will need to specify the public IP address, or if the MX record refers to your email server you can just have this in your public DNS zone:

v=spf1 mx -all
Jeff Glover, Sr. Systems Administrator

Commented:
Using an internal IP for an SPF record does not work. You need to use the external address for it if you want to use IP addresses. The way to do it simply is to use the domain name you have for your MX record. Your MX records for the main domain, that is. So, if you have domainA.com and domainB.com and domainB points to an A record in domainA for the MX record, you would use SPF for DomainB like: v=spf1 mx include:domainA.com -all. For DomainA, you would use v=spf1 mx a ip4:<your external IP address mail comes from> -all
Using the internal address is useless since it would NAT going out and no one would ever see it as a source.
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
Yes, you are correct. The record you created, you will add to your external DNS registrar like GoDaddy or whoever you use. The SPF record is a TXT record, so you would just create a new TXT record in your external DNS and copy and paste the SPF record you created. Your record also looks correct, so just paste it to a TXT record in your domain registrar and you should be good. Allow about an hour for replication and you can go to the "https://www.kitterman.com/spf/validate.html" website and enter your email domain and validate that the record is found and correct.
Daryl Gawn, System Administrator

Commented:
You can also use a generator to help get it right, such as https://mxtoolbox.com/SPFRecordGenerator.aspx

Author

Commented:
Sorry, still trying to grasp this... So if I run an MX check on our domain, for example domain.com, it resolves to mail.domain.com at 98.23.23.23

I contacted our domain provider and they have a TXT record of, for example, "v=spf1 +ip4:216.240.222.0/23 ~all"

That IP belongs to the domain provider.

Shouldn't I have them change it to the 98.23.23.23 MX record?

Also, on my outgoing LAN mail server, I will have it refer to "v=spf1 mx -all"  in the forward lookup zone

Does this sound about right?
Jeff Glover, Sr. Systems Administrator

Commented:
The SPF record only belongs in the external DNS zone. It serves no purpose inside your network. I assume that is what you meant by forward lookup zone. You said you have 2 domains. Do you have users that send from both domains, meaning their email addresses are either @domain.com or @domain2.com? If so, you should have MX records in both those external domains pointing to your mail.domain.com A record. The record in domain.com would be a simple mx -all and the one in domain 2 should have an include statement of include:domain.com. Does your "provider" send mail on your behalf? If so, then having that IP address in an SPF is correct. If not, then no.
Having an ip4: entry is mainly if you send mail from an IP other than the one your MX record shows.
System Administrator
Commented:
You don't need your domain provider's records in your own unless they are sending mail on your behalf; the domain name provider is providing you with DNS services. Are they hosting your mail too?

You need to specify the public IP address your mail sends out on, so that any filtering checks will pass it through since it has come from the correct IP.

I suggest using ~all (instead of -all) until you get it right; otherwise it will cause lots of problems with anyone receiving mail from you that does SPF checking.
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
I knew this would happen when you have people constantly chiming in, this kills me. Your logic and your SPF record in your question was correct. For example if the IP address from your sending Exchange server is 1.1.1.1 then your SPF setup is:
"v=spf1 mx ip4:1.1.1.1 -all"

Just add the SPF to your domain registrar. Whatever the sending server IP address is, not the MX record, because you can have a different MX record IP, and SPF has to do with the sending IP, not the receiving IP.
Jeff Glover, Sr. Systems Administrator

Commented:
So by your logic, his initial idea of "v=spf1 mx a ip4:192.168.3.234/24 -all" will work? Don't think so. Private IP and subnet mask? And please, don't insult the rest of us. We are all volunteering time to help others just like you.
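The points raised across these replies (Jeff Glover's mx/include layout for a second domain, timgreen7077's "sending IP, not MX IP" rule, and the objection to a private address with a /24 mask) can all be checked mechanically. The script below is an added example written for this thread, not code from any poster or from Exchange/SBS. It lints an SPF TXT record (version tag, recognised mechanisms, private ip4/ip6 ranges, a host address carrying a prefix that silently authorises a whole block, missing trailing "all") and then evaluates a sender IP against a record the way a receiving server would. Real DNS is replaced by a constructed in-memory table, so every domain name and address in it is made up; the mx/include/a mechanisms resolve against that table only.

```python
"""Lint an SPF TXT record and evaluate a sender IP against it.

Added example for this thread, not code from any poster or product.
DNS answers come from a constructed in-memory table so it runs offline;
every domain name and address here is made up for illustration.
"""
import ipaddress
import re

# Constructed stand-in for DNS (hypothetical names and addresses).
DNS = {
    "domain.com": {"MX": ["mail.domain.com"], "A": ["98.23.23.23"],
                   "TXT": "v=spf1 mx -all"},
    # Second domain delegates to the first via include (an "mx" term would
    # also match here because its MX points at the same host).
    "domain2.com": {"MX": ["mail.domain.com"], "A": [],
                    "TXT": "v=spf1 include:domain.com -all"},
    "mail.domain.com": {"MX": [], "A": ["98.23.23.23"], "TXT": ""},
    "soft.example": {"MX": [], "A": [],
                     "TXT": "v=spf1 ip4:5.5.5.0/24 ~all"},
}

# qualifier, mechanism, optional ":argument", optional "/prefix"
MECH = re.compile(r"^([+\-~?]?)(all|ip4|ip6|a|mx|include)(?::([^/]+))?(?:/(\d+))?$")
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lint(record):
    """Return a list of problems found in an SPF record (empty == looks sane)."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    for term in terms[1:]:
        m = MECH.match(term)
        if not m:
            problems.append(f"unrecognised term {term!r}")
            continue
        _q, name, arg, prefix = m.groups()
        if name in ("ip4", "ip6"):
            if not arg:
                problems.append(f"{term}: mechanism needs an address")
                continue
            try:
                net = ipaddress.ip_network(f"{arg}/{prefix}" if prefix else arg, strict=False)
            except ValueError:
                problems.append(f"{term}: not a valid address or prefix")
                continue
            # Receivers only ever see the NATed public address, so a private
            # range in the record authorises nothing.
            if net.is_private:
                problems.append(f"{term}: private address, receivers never see it")
            # A host address with a prefix authorises the whole block, not one host.
            if prefix and ipaddress.ip_address(arg) != net.network_address:
                problems.append(f"{term}: /{prefix} authorises all of {net}, not just {arg}")
    if not terms[-1].endswith("all"):
        problems.append("record should end with an 'all' mechanism")
    return problems


def check(ip, domain, depth=0):
    """SPF result (pass/fail/softfail/neutral/none/permerror) for ip sending as domain."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        m = MECH.match(term)
        if not m:
            return "permerror"
        q, name, arg, prefix = m.groups()
        target = arg or domain
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            if not arg:
                return "permerror"
            matched = addr in ipaddress.ip_network(f"{arg}/{prefix}" if prefix else arg, strict=False)
        elif name == "a":      # prefix on a/mx is ignored in this simplified evaluator
            matched = str(addr) in DNS.get(target, {}).get("A", [])
        elif name == "mx":
            hosts = DNS.get(target, {}).get("MX", [])
            matched = any(str(addr) in DNS.get(h, {}).get("A", []) for h in hosts)
        else:                  # include: matches only if the other domain says pass
            matched = check(ip, target, depth + 1) == "pass"
        if matched:
            return RESULT[q or "+"]
    return "neutral"


if __name__ == "__main__":
    for rec in ("v=spf1 mx a ip4:192.168.3.234/24 -all", "v=spf1 mx ip4:1.1.1.1 -all"):
        print(rec, "->", lint(rec) or "ok")
    for ip, dom in (("98.23.23.23", "domain.com"), ("98.23.23.23", "domain2.com"),
                    ("7.7.7.7", "domain.com"), ("7.7.7.7", "soft.example")):
        print(ip, dom, "->", check(ip, dom))
```

Running it reports two problems for the record from the original question (the 192.168.x address is private, and 192.168.3.234/24 authorises the whole 192.168.3.0/24 block rather than one host) and nothing for "v=spf1 mx ip4:1.1.1.1 -all"; the evaluator returns "pass" for 98.23.23.23 under both domain.com and the include-based domain2.com, "fail" for an unrelated address under -all, and "softfail" under ~all, which is the difference the "use ~all until you get it right" advice is about.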

Author

Commented:
timgreen7077, so the SPF record on the sending Exchange server will obviously have its internal IP. For example "v=spf1 mx ip4:192.168.1.1 -all"

I would forward that TXT to the domain registrar as well?
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
It needs to be the external sending IP, not your internal IP. Internal IPs are not routable on the internet, so whatever your sending external IP is, that is what you would add to the SPF record.
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
@Jeff, I didn't attempt to insult anyone, but all the different answers are not helpful to the author. It's more confusing than anything; this is a super simple question, and SPF records are super simple, but we have a tendency to get caught up in semantics and answering 1 question 50 different ways. Anyway, I didn't mean to insult anyone. I have offered my suggestion also to the author, so I will leave it to you all now.

Author

Commented:
Thanks to everyone that helped me with this. I really appreciate everyone's time and consideration.