Michael Green asked:

How do I set up Sender Policy Framework (SPF) for email domains hosted on Microsoft Exchange 2016?

Hi,
My customer has several different email domains hosted on an in-house Microsoft Exchange 2016 server.

How do I set up Sender Policy Framework (SPF) for these domains?

Note:
 - Exchange is 2016CU16 on Windows 2012 Server
 - The domains' DNS zones are hosted with several different registrars

Michael Green (ASKER)

OK - SPF is now set up in my DNS records with the following:
"v=spf1 mx a a:in.hes.trendmicro.com a:mail.mydomain.com a:mail.internode.on.net a:mailgun.org include:mailgun.org -all"

Servers that could be validly sending emails from @mydomain.com:

 - in.hes.trendmicro.com (Trend Micro Hosted Email Security (HES) inbound anti-virus mail server (scans all incoming email))
 - mail.mydomain.com (my on-premise Microsoft Exchange server)
 - mail.internode.on.net (my ISP – for some on-premise hardware devices that generate SMTP notification emails)
 - mailgun.org (for email generated from my externally hosted web site)

However, when I test on:
https://mxtoolbox.com/SuperTool.aspx
using the MX Record lookups

It says SPF is now correctly set up, BUT:

Test: DMARC Record Published
Result: No DMARC Record found

Test: DMARC Policy Not Enabled
Result: DMARC Quarantine/Reject policy not enabled

Test: DNS Record Published
Result: DNS Record found

How do I set up DMARC as well?

If you're using in-house MTAs, then your SPF record in your DNS zone file will have ipv4:X.X.X.X entries.

Here's an example zone file snippet describing an SPF record authorizing various sending IPs...

@              IN  TXT      ("v=spf1"
                             " ip4:136.49.241.94"     ; GoogleFiber residential connection
                             " ip4:198.27.112.72/30"  ; net14 IP block - catcher + smtp[1234]
                             " include:mailgun.org"   ; Mailgun Published Netblock
                             " -all")

For in-house MTAs, you'll likely use ipv4 nomenclature or create your own SPF include block.

@David Favor I'm confused. Why do I have to use IP addresses rather than the host names I had in my SPF record? I actually used the wizard to generate this!
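
One measurable difference between the hostname-based record and the ip4-based snippet in this thread, shown as an added example that is not part of any poster's reply: under RFC 7208 section 4.6.4 every `a`, `mx`, `include`, `exists`, `ptr` and `redirect` term costs the receiving server a DNS query, at most 10 are allowed per check, and `ip4`/`ip6` terms cost none. The function names below are hypothetical, and the count covers the top-level record only.

```python
import re

# Terms that make the receiving server issue a DNS query (RFC 7208, section 4.6.4).
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
LOOKUP_LIMIT = 10  # evaluation ends in "permerror" once this is exceeded
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:[:=/](.*))?$")

def spf_terms(record):
    """Parse an SPF TXT value into (qualifier, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for raw in parts[1:]:
        m = TERM_RE.match(raw)
        if m is None:
            raise ValueError(f"malformed term: {raw!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3) or ""))
    return terms

def audit(record):
    """Return the DNS-costing terms, the literal IP terms and a limit verdict."""
    # Top-level count only: terms inside an included record are charged
    # against the same limit, so the real total can be higher.
    terms = spf_terms(record)
    dns = [(name, arg) for _, name, arg in terms if name in DNS_TERMS]
    literal = [arg for _, name, arg in terms if name in ("ip4", "ip6")]
    return {"dns_terms": dns, "ip_literals": literal,
            "lookups": len(dns), "within_limit": len(dns) <= LOOKUP_LIMIT}

# The asker's published record, copied from the thread.
HOSTNAME_RECORD = ("v=spf1 mx a a:in.hes.trendmicro.com a:mail.mydomain.com "
                   "a:mail.internode.on.net a:mailgun.org include:mailgun.org -all")
# The zone-file snippet from the thread: the quoted strings of one TXT record
# are joined with no separator, which is why each chunk starts with a space.
ZONE_CHUNKS = ["v=spf1", " ip4:136.49.241.94", " ip4:198.27.112.72/30",
               " include:mailgun.org", " -all"]
IP_RECORD = "".join(ZONE_CHUNKS)

if __name__ == "__main__":
    for label, rec in (("hostnames", HOSTNAME_RECORD), ("ip4", IP_RECORD)):
        result = audit(rec)
        print(label, result["lookups"], "top-level DNS lookups of", LOOKUP_LIMIT)
```
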
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'Udara Peiris' (https:#a43082549)
-- 'David Favor' (https:#a43082573)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer