SPF Record for our domain. Exchange 2010, domain hosted with heartinternet.uk

rookeydooks
Help with SPF Record for our domain.

We have an internal Exchange 2010 for our email and our domain is hosted with Heart Internet.

Our MX record has an IP address, eg: 123.123.123.123
Our main gateway is, eg: 123.123.123.124
Our domain eg: corporate.com

On Heart Internet (heartinternet.uk) I have created a new TXT record and entered:

v=spf1 a: corporate.com ip4:123.123.123.123 ~all

mxtoolbox now finds the spf record >> v=spf1 a: corporate.com ip4:123.123.123.123 ~all

Is that all I need to do? Is there anything I need to do on our internal exchange or DNS servers?

We still have a company rejecting our emails saying we don’t have an SPF record. No one else has reported this.
Rajkumar Duraisamy, IT Service Manager
Top Expert 2012

Commented:
Which IP address sends email to the internet?
Steve, Architect/Designer

Commented:
Your SPF (TXT) record needs adding to your domain DNS, not your internet (although they would add an rDNS entry for other reasons).

Log in to your DNS/domain control panel and apply the SPF record there.

Worth noting that using ~all at the end of your SPF is not supported by some recipients, as that setting basically means 'I'm not entirely sure where all my mail comes from, so please be suspicious if it isn't from the listed addresses, but accept it anyway'.

I'd recommend checking where all your mail sources are and adding their IPs too.
e.g.
v=spf1 a: corporate.com mx ip4:123.123.123.123 -all

This also adds MX records and sets -all to say anything not listed here should be rejected.
Rajkumar Duraisamy, IT Service Manager
Top Expert 2012

Commented:
Heart Internet mentioned it will take 24 hours for the changes to become active.

https://www.heartinternet.uk/support/article/how-do-i-add-spf-records-to-my-site.html

Also, see the suggestion based on the service you are using from them.
Author

Commented:
I've just sent myself an email to Gmail and when I look in the original email the only reference to our IP addresses is our gateway IP:

Received: from server.corporate.com (unknown [123.123.123.124]) by..................

123.123.123.124 is our main gateway address all our internet goes out on.
123.123.123.123 is what our MX is listed as.
Rajkumar Duraisamy, IT Service Manager
Top Expert 2012

Commented:
Add the .124 IP as well then:

v=spf1 a:yourdomain.com ip4:123.123.123.124 ip4:123.123.123.123 ~all

The recipient server will look at the IP which is sending email to the internet and check whether that IP address is added in the domain's SPF record.
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
-->I've just sent myself an email to Gmail and when I look in the original email the only reference to our IP addresses is our gateway IP
Then you have to check your internal-to-external NAT.
You are supposed to add only the mail exchange server's public IP, not the gateway/router/firewall IP. If you add the gateway/router IP and one PC in the network is infected, you have to change the IP and wait until the DNS change is propagated.

v=spf1 a: corporate.com mx ip4:123.123.123.123 -all
This is enough.
If you want softfail, you can use the below:
v=spf1 a: corporate.com mx ip4:123.123.123.123 ~all

Author

Commented:
Would this be correct then?

v=spf1 a: corporate.com mx ip4:123.123.123.123 mx ip4:123.123.123.124 -all
noci, Software Engineer
Distinguished Expert 2018

Commented:
Be sure that your mail server identifies with the right DNS entry...
(Also the reverse lookup, which needs to be done with your ISP).

Commented:
123.123.123.123 will be the default...

This is correct:

mxtoolbox now finds the spf record >> v=spf1 a: corporate.com ip4:123.123.123.123 ~all

You just have to add a TXT entry on the hosting DNS pointing to

v=spf1 a: corporate.com ip4:123.123.123.123 ~all

That's it.
Rajkumar Duraisamy, IT Service Manager
Top Expert 2012

Commented:
Would this be correct then?

v=spf1 a: corporate.com mx ip4:123.123.123.123 mx ip4:123.123.123.124 -all

No, it has to be like:

v=spf1 a mx ip4:123.123.123.124 -all

The value a refers to the current domain, like corporate.com, where the TXT record is created.

mx refers to the MX record. Your MX already includes 123.123.123.123, so the word mx alone is enough.
MASEE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
I am with Steve's comment.

If you want to do it yourself, please check this:
https://www.spfwizard.net/

Author

Commented:
Thanks everyone. I'll try your suggestions and report back in a day or so once the changes have updated.

spfwizard.net gave me:

v=spf1 mx a ip4:123.123.123.123 a:123.123.123.124 -all
Rajkumar Duraisamy, IT Service Manager
Top Expert 2012

Commented:
a:123.123.123.124? Change that to ip4:123.123.123.124.
noci, Software Engineer
Distinguished Expert 2018

Commented:
If you KNOW 123.123.123.123 & 123.123.123.124 are your addresses then help the other mailers by excluding a & mx as they add NO value, just delays due to unneeded DNS lookups.

So v=spf1 ip4:123.123.123.123 ip4:123.123.123.124 -all should be OK.
If you also send mail from an external webserver or some other site also add those addresses.
Steve, Architect/Designer

Commented:
Agree with noci. Don't add anything you don't feel is necessary.

Ideally, seek clarification on all possible sources of mail from your @domain.com. If you are confident you have everything, put it in the SPF and use -all at the end.

If you are unsure, add things like MX and any A records you feel may be needed too, but only if you think they may be sending mail.

If you are genuinely unsure where mail comes from, you could put ~all at the end (known as a 'softfail'). Many junkmail filters now treat this very suspiciously, as noted in my earlier comment, so I'd recommend against this unless you have no choice.

If you're really struggling PM one of us with your domain name and we can take a look at your public DNS records and SPF (if you've got it working) if you'd like.
Steve, Architect/Designer

Commented:
Right, we've had a chat on private messages and it appears outgoing mail goes via a smarthost from Opal (now TalkTalk).
SPF is in place correctly but doesn't currently include the smarthost IPs.

OP is seeking details from them on what their IPs are so he can add to the SPF.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Assuming it is this TalkTalk:
talktalk.co.uk.         300     IN      TXT     "v=spf1 redirect=talktalkplc.com"
talktalkplc.com.        300     IN      TXT     "v=spf1 a include:_netblocks.talktalkplc.com include:_netblocks2.talktalkplc.com include:_spf.salesforce.com include:servers.mcsv.net include:spf.protection.outlook.com -all"

So an include:talktalkplc.com should be added to get:
v=spf1 ip4:123.123.123.123 ip4:123.123.123.124 include:talktalkplc.com -all

Author

Commented:
Still waiting to hear back from TalkTalk.

The talktalk domain is opal-solutions.com. Mail route smtp.opal-solutions.com:25

Should I try v=spf1 ip4:123.123.123.123 ip4:123.123.123.124 include:opal-solutions.com -all
noci, Software Engineer
Distinguished Expert 2018

Commented:
That won't work, as this fails:
 dig txt opal-solutions.com
; <<>> DiG 9.14.7 <<>> txt opal-solutions.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1669
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f61a77a7f2c6746166a533275db30a704eee5f34c9dcb040 (good)
;; QUESTION SECTION:
;opal-solutions.com.            IN      TXT

;; AUTHORITY SECTION:
opal-solutions.com.     900     IN      SOA     dns02.opal-solutions.com. hostmaster.opal-solutions.com. 2019101401 14400 3600 864000 7200

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 25 16:45:04 CEST 2019
;; MSG SIZE  rcvd: 128


They have no spf on that domain...

IF (big IF) they use smtp.opal-solutions.com also for outgoing mail, then the following may work:
v=spf1 ip4:123.123.123.123 ip4:123.123.123.124 a:smtp.opal-solutions.com -all
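A minimal offline SPF evaluator, added here as an example (not code from the thread or from any SPF library), covering the records discussed in the question and in the replies above: if the record really contains a space after "a:" as typed in the question, it parses as an empty domain-spec followed by an unknown term and yields permerror; a:123.123.123.124 never matches while ip4: does; include: and redirect= chain into another domain's record; and include: of a domain that publishes no SPF record (noci's smtp.opal-solutions.com point) is itself a permerror. The DNS table is constructed so the code runs offline, and the .example names stand in for the smarthost provider.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; none of these are real records.
DNS = {
    "corporate.com": {"A": ["123.123.123.123"], "MX": ["mail.corporate.com"]},
    "mail.corporate.com": {"A": ["123.123.123.123"]},
    "talktalk.example": {"TXT": "v=spf1 redirect=talktalkplc.example"},
    "talktalkplc.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip, domain, dns=DNS, depth=0):
    """Offline subset of RFC 7208 check_host(): ip4, a, mx, include, all, redirect=."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1" or depth > 10:
        return "none" if depth == 0 else "permerror"  # include of a no-SPF domain is fatal
    redirect = None
    for term in terms[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if "=" in term:                              # modifier, e.g. redirect=other.example
            key, _, val = term.partition("=")
            if key.lower() == "redirect":
                redirect = val
            continue
        name, sep, arg = term.lower().partition(":")
        if sep and not arg:                          # "a: corporate.com": empty domain-spec
            return "permerror"
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4":                            # single address or CIDR block
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):                    # A records of the domain or of its MX hosts
            target = arg or domain
            hosts = [target] if name == "a" else dns.get(target, {}).get("MX", [])
            matched = any(str(ip) in dns.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":                      # matches only if the included record passes
            sub = evaluate_spf(dns.get(arg, {}).get("TXT", ""), sender_ip, arg, dns, depth + 1)
            if sub == "permerror":
                return sub
            matched = sub == "pass"
        else:                                        # unknown term, e.g. a stray "corporate.com"
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return evaluate_spf(dns.get(redirect, {}).get("TXT", ""), sender_ip, redirect, dns, depth + 1)
    return "neutral"
```

Real validation should use a full RFC 7208 implementation against live DNS; this subset omits ip6, ptr, exists, macros and the 10-DNS-lookup limit.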
Steve, Architect/Designer

Commented:
No, you need to know the IPs their mail servers use. You have the address of one of them, but we don't know if they have more or if it's just that one.
Best see if they provide a reply. We could always just add the one we know about while you're waiting :-)
noci, Software Engineer
Distinguished Expert 2018

Commented:
smtp.opal-solutions.com translates to 2 IPv4 addresses. And there is a BIG IF in front of it: they NEED to be the IP addresses used for outgoing mail.
If they are not... it won't work, obviously.

The better solution would be if opal-solutions.com does publish their SPF records (and a mail service provider that doesn't have them clearly is missing some basic understanding about its products).
(Was first @steve as I thought he responded to my message.)
Steve, Architect/Designer

Commented:
@noci

Sorry, but I have no idea why you are referring to smtp.opal-solutions.com or why you appear to be telling me about it.
I haven't suggested the OP use that FQDN.
Author

Commented:
I finally got through to someone at TalkTalk who has created a PTR record for one of our IPs, 123.123.123.124.

Ptr:123.123.123.124

We had to create a mail.ourdomain.com record with the same IP 123.123.123.124 at HeartInternet

Email has been flowing almost perfectly. If I send myself an email to my personal Gmail account now it shows as:

SPF:      PASS with IP 123.123.123.124

BEFORE It used to show as:

SPF:      SOFTFAIL with IP 123.123.123.124

So I think I am getting closer.

As I said, almost all email is going through fine now. I get the 2 or 3 a day that don’t send and get an Undeliverable with the following errors:

Connection timed out: Retry pending

Helo command rejected: Host not found (in reply to RCPT TO command) Retry pending.

Can anyone help or advise on these errors?
noci, Software Engineer
Distinguished Expert 2018

Commented:
HELO issue: the hostname you present AFTER HELO should be the same as the reverse lookup of 123.123.123.124.
