Mike asked:

Building and Publishing a SPF record correctly

I am trying to build and publish an SPF record correctly. We have Small Business Server 2011, which has Exchange 2010. Our domain is hosted by a third party. We have two domain names, one of which points to the other. When creating the SPF record, I will be using the internal IP address of our SBS that sends mail. I was going to include the following TXT under my forward lookup zone: "v=spf1 mx a ip4: -all". I understand that I also need to publish the SPF record with the DNS servers hosting our domain. My question is, do I provide my domain host provider the same TXT record I created for my mail server, which has my internal IP?
Jeremy Weisinger:

You do not need to configure this internally. This is only used by servers receiving mail from your domains. So you will need to specify the public IP address, or, if the MX record refers to your email server, you can just have this in your public DNS zone:

v=spf1 mx -all
Using an internal IP for an SPF record does not work. You need to use the external address for it if you want to use IP addresses. The simple way to do it is to use the domain name you have for your MX record, that is, your MX records for the main domain. So, if you have and and domainB points to an A record in domainA for the MX record, you would use an SPF record for DomainB like: v=spf1 mx -all. For DomainA, you would use v=spf1 mx a ip4:<your external IP address mail comes from> -all
Using the internal address is useless since it would be NATed going out and no one would ever see it as a source.
Yes, you are correct. The record you created, you will add to your external DNS registrar, like GoDaddy or whoever you use. The SPF record is a TXT record, so you would just create a new TXT record in your external DNS and copy and paste the SPF record you created. Your record also looks correct, so just paste it into a TXT record at your domain registrar and you should be good. Allow about an hour for replication, and then you can go to the "" website, enter your email domain and validate that the record is found and correct.
You can also use a generator to help get it right, such as
Mike:

Sorry, still trying to grasp this... So if I run an MX check on our domain, for example, it resolves to at

I contacted our domain provider and they have a TXT record of, for example, "v=spf1 +ip4: ~all"

That IP belongs to the domain provider.

Shouldn't I have them change it to the mx record?  

Also, on my outgoing LAN mail server, I will have it refer to "v=spf1 mx -all" in the forward lookup zone.

Does this sound about right?
The SPF record only belongs in the external DNS zone. It serves no purpose inside your network. I assume that is what you meant by forward lookup zone. You said you have 2 domains. Do you have users that send from both domains? Meaning their email addresses are either or If so, you should have MX records in both those external domains pointing to your A record. The record in would be a simple mx -all, and the one in domain 2 should have an include statement of Does your "provider" send mail on your behalf? If so, then having that IP address in an SPF record is correct. If not, then no.
Having an ip4: entry is mainly for when you send mail from an IP other than the one your MX record shows.
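The two points the replies above keep coming back to (a private LAN address in ip4: is never seen by the receiving server, and the second domain can simply include the first domain's policy rather than repeating it) can be checked mechanically. The following is an added example written for this page, not code from the thread or from any of the participants; the addresses and domain names in it are constructed placeholders (203.0.113.10 from the documentation range stands in for the public NAT address the SBS sends from, 192.168.1.10 for the LAN address, domaina.example and domainb.example for the two domains), and the parser only handles the mechanisms the thread uses, skipping redirect= and exp= modifiers.

```python
import ipaddress
import re

# Constructed placeholder values (not from the thread): the documentation range
# 203.0.113.0/24 stands in for the public NAT address the SBS sends from, and
# 192.168.1.10 for the LAN address the original question put into its record.
PUBLIC_MAIL_IP = "203.0.113.10"
INTERNAL_MAIL_IP = "192.168.1.10"
DOMAIN_A = "domaina.example"   # hypothetical main domain holding the MX and A records
DOMAIN_B = "domainb.example"   # hypothetical second domain whose mail goes out via DOMAIN_A

# RFC 1918 ranges: a source address in one of these is NATed on the way out,
# so the receiving server never sees it and the ip4: term can never match.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KNOWN_MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "include", "exists", "ptr"}
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?::(.*))?$", re.IGNORECASE)


def build_spf(mechanisms, final="-all"):
    """Assemble an SPF TXT record string from a list of mechanism strings."""
    return " ".join(["v=spf1", *mechanisms, final])


def parse_spf(record):
    """Return (qualifier, mechanism, argument) triples; modifiers such as redirect= are skipped."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for term in parts[1:]:
        if "=" in term:            # modifier (redirect=, exp=), not a mechanism
            continue
        m = TERM_RE.match(term)
        if m is None or m.group(2).lower() not in KNOWN_MECHANISMS:
            raise ValueError(f"unrecognised term: {term!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3) or None))
    return terms


def check_spf(record):
    """List the problems a receiver would hit: private ip4 ranges, empty ip4, no terminal 'all'."""
    problems = []
    terms = parse_spf(record)
    for _qual, mech, arg in terms:
        if mech != "ip4":
            continue
        if not arg:
            problems.append("ip4 mechanism has no address after the colon")
            continue
        try:
            net = ipaddress.ip_network(arg, strict=False)   # accepts 1.2.3.4 or 1.2.3.0/24
        except ValueError:
            problems.append(f"ip4:{arg} is not a valid IPv4 address or CIDR block")
            continue
        if net.version != 4:
            problems.append(f"ip4:{arg} is not an IPv4 address")
            continue
        if any(net.subnet_of(priv) for priv in RFC1918):
            problems.append(f"ip4:{arg} is an RFC 1918 address; it is NATed and never seen as a source")
    if not terms or terms[-1][1] != "all":
        problems.append("record does not end with an 'all' mechanism (-all or ~all)")
    return problems


def records_for_two_domains(public_ip=PUBLIC_MAIL_IP):
    """The layout the replies describe: domain A lists mx, a and the public sending IP;
    domain B just includes domain A's policy instead of repeating it."""
    return {
        DOMAIN_A: build_spf(["mx", "a", f"ip4:{public_ip}"]),
        DOMAIN_B: build_spf([f"include:{DOMAIN_A}"]),
    }


if __name__ == "__main__":
    for domain, rec in records_for_two_domains().items():
        print(f"{domain} TXT {rec!r} -> {check_spf(rec) or 'OK'}")
    # The record from the question, but with the LAN address filled in: flagged.
    bad = build_spf(["mx", f"ip4:{INTERNAL_MAIL_IP}"])
    print(f"{bad!r} -> {check_spf(bad)}")
```

Running the block prints both public records as OK and flags the LAN-address variant; the same check on a record copied from a registrar will also catch an ip4: term left empty, which is the kind of mistake that only shows up once receivers start rejecting mail.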
Daryl Gawn:

[answer not included in the captured page]
I knew this would happen when you have people constantly chiming in; this kills me. Your logic and your SPF record in your question were correct. For example, if the IP address of your sending Exchange server is then your SPF setup is:
"v=spf1 mx ip4: -all"

Just add the SPF record to your domain registrar, whatever the sending server IP address is, not the MX record, because you can have a different MX record IP, and SPF has to do with the sending IP, not the receiving IP.
So by your logic, his initial idea of "v=spf1 mx a ip4: -all" will work? I don't think so. A private IP and subnet mask? And please, don't insult the rest of us. We are all volunteering our time to help others, just like you.
Mike:

timgreen7077, so the SPF record on the sending Exchange server will obviously have its internal IP. For example: "v=spf1 mx ip4: -all"

I would forward that TXT to the domain registrar as well?
It needs to be the external sending IP, not your internal IP. Internal IPs are not routable on the internet, so whatever your external sending IP is, that is what you would add to the SPF record.
@Jeff, I didn't attempt to insult anyone, but all the different answers are not helpful to the author. It's more confusing than anything; this is a super simple question, and SPF records are super simple, but we have a tendency to get caught up in semantics and answer 1 question 50 different ways. Anyway, I didn't mean to insult anyone. I have offered my suggestion to the author as well, so I will leave it to you all now.
Mike:

Thanks to everyone who helped me with this. I really appreciate everyone's time and consideration.