Link to home
Create AccountLog in
Avatar of Michael Green
Michael GreenFlag for Australia

asked on

How do I set up Sender Pollicy Framework ( SPF) for email domains hosted on Microsoft Exchange 2016 ?

Hi,
My customer has several different email domains hosted on an in-house Microsoft Exchange 2016 server.

How do I set up Sender Policy Framework (SPF) for these domains ?

Note:
 - Exchange is 2016CU16 on Windows 2012 Server
 - The domains DNS zones are hosted with several different registrars
ASKER CERTIFIED SOLUTION
Avatar of Udara Peiris
Udara Peiris
Flag of Sri Lanka image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Avatar of Michael Green

ASKER

OK - SPF is now setup in my DNS records with the following :
"v=spf1 mx a a:in.hes.trendmicro.com a:mail.mydomain.com a:mail.internode.on.net a:mailgun.org include:mailgun.org -all"

Servers that could be validly sending emails from @mydomain.com
 
in.hes.trendmicro.com              (Trend Micro Hosted Email Security (HES) inbound anti-virus mail server (scans all incoming email)
mail.mydomain.com                   (my on-premise Microsoft Exchange server)
mail.internode.on.net                    (my ISP – for some on premise hardware devices that generate SMTP notification emails)
mailgun.org                                        (for email generated from my externally hosted web site)


However when I test on :
https://mxtoolbox.com/SuperTool.aspx
using the MX Record lookups

It says SPF is now correctly setup BUT :

      

TestResult
DMARC Record PublishedNo DMARC Record found  More Info
DMARC Policy Not EnabledDMARC Quarantine/Reject policy not enabled  More Info
DNS Record PublishedDNS Record found


How do I setup DMARC as well ?
If you're using in-house MTAs, then your SPF record in your DNS zone file will have ipv4:X.X.X.X entries.

Here's an example zone file snippet describing an SPF record authorizing various sending IPs...

@              IN  TXT      ("v=spf1"
                             " ip4:136.49.241.94"     ; GoogleFiber residential connection
                             " ip4:198.27.112.72/30"  ; net14 IP block - catcher + smtp[1234]
                             " include:mailgun.org"   ; Mailgun Published Netblock
                             " -all")

Open in new window


For in-house MTAs, you'll likely use ipv4 nomenclature or create your own SPF include block.
@David Favor I'm confused.  Why do I have to use IP addresses rather than the host names I had in my SPF record ?  I actually used the wizard to generate this !
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'Udara Peiris' (https:#a43082549)
-- 'David Favor' (https:#a43082573)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer