Michael Green

How do I set up Sender Policy Framework (SPF) for email domains hosted on Microsoft Exchange 2016?

Hi,
My customer has several different email domains hosted on an in-house Microsoft Exchange 2016 server.

How do I set up Sender Policy Framework (SPF) for these domains ?

Note:
 - Exchange is 2016CU16 on Windows 2012 Server
 - The domains' DNS zones are hosted with several different registrars

Tags: Exchange, Windows OS, Windows Server 2012, DNS

Last Comment
Seth Simmons

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Udara Peiris

SOLUTION
David Favor

Michael Green

ASKER
OK - SPF is now set up in my DNS records with the following:
"v=spf1 mx a a:in.hes.trendmicro.com a:mail.mydomain.com a:mail.internode.on.net a:mailgun.org include:mailgun.org -all"

Servers that could be validly sending emails from @mydomain.com:

 - in.hes.trendmicro.com (Trend Micro Hosted Email Security (HES) inbound anti-virus mail server (scans all incoming email))
 - mail.mydomain.com (my on-premise Microsoft Exchange server)
 - mail.internode.on.net (my ISP – for some on premise hardware devices that generate SMTP notification emails)
 - mailgun.org (for email generated from my externally hosted web site)


However, when I test on:
https://mxtoolbox.com/SuperTool.aspx
using the MX Record lookups

It says SPF is now correctly set up BUT:

Test | Result
DMARC Record Published | No DMARC Record found
DMARC Policy Not Enabled | DMARC Quarantine/Reject policy not enabled
DNS Record Published | DNS Record found

How do I set up DMARC as well?
David Favor

If you're using in-house MTAs, then your SPF record in your DNS zone file will have ipv4:X.X.X.X entries.

Here's an example zone file snippet describing an SPF record authorizing various sending IPs...

@              IN  TXT      ("v=spf1"
                             " ip4:136.49.241.94"     ; GoogleFiber residential connection
                             " ip4:198.27.112.72/30"  ; net14 IP block - catcher + smtp[1234]
                             " include:mailgun.org"   ; Mailgun Published Netblock
                             " -all")



For in-house MTAs, you'll likely use ipv4 nomenclature or create your own SPF include block.
Michael Green

ASKER
@David Favor I'm confused.  Why do I have to use IP addresses rather than the host names I had in my SPF record ?  I actually used the wizard to generate this !
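
Added example (not part of any post in this thread): a static lint, in Python, of the two SPF records quoted above. It counts the terms that cost the receiving server a DNS query (RFC 7208 caps these at 10 per evaluation) against `ip4`/`ip6` terms, which cost none. The function names and finding messages are assumptions of this example; the records are copied from the posts.

```python
import re

# Terms that make the receiving server issue DNS queries (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
LOOKUP_LIMIT = 10  # exceeding this during evaluation yields permerror

# Records quoted in this thread, copied verbatim.
ASKER_RECORD = ("v=spf1 mx a a:in.hes.trendmicro.com a:mail.mydomain.com "
                "a:mail.internode.on.net a:mailgun.org include:mailgun.org -all")
IP4_RECORD = "v=spf1 ip4:136.49.241.94 ip4:198.27.112.72/30 include:mailgun.org -all"

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, argument) tuples."""
    tokens = record.strip().strip('"').split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)([:=/].*)?", tok)
        if not m:
            raise ValueError(f"malformed term: {tok!r}")
        rest = m.group(3) or ""
        arg = rest[1:] if rest[:1] in (":", "=") else rest
        terms.append((m.group(1) or "+", m.group(2).lower(), arg))
    return terms

def lint_spf(record):
    """Static checks only: no DNS is queried, so nested includes are not counted."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    includes = {arg.lower() for _, n, arg in terms if n == "include"}
    findings = []
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of {LOOKUP_LIMIT}")
    for _, n, arg in terms:
        if n == "a" and arg.lower() in includes:
            findings.append(f"a:{arg} tests only that host's address records; "
                            f"include:{arg} already evaluates its published SPF policy")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' term: unmatched senders get a neutral result")
    elif "all" in names and names[-1] != "all":
        findings.append("terms after 'all' are never evaluated")
    final = next((q + n for q, n, _ in terms if n == "all"), None)
    return {"direct_lookups": lookups, "ip_terms": names.count("ip4") + names.count("ip6"),
            "final": final, "findings": findings}

if __name__ == "__main__":
    for label, rec in (("asker", ASKER_RECORD), ("ip4-based", IP4_RECORD)):
        print(label, lint_spf(rec))
```

The lookup count is a lower bound, because each `include:` target can spend further queries from the same budget of 10.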
Seth Simmons

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'Udara Peiris' (https:#a43082549)
-- 'David Favor' (https:#a43082573)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer