[jaxisland]

I am looking on info/advice on setting up a SPF record on my exchange 2003 server.

If anyone has done this before I would appreciate any advice.

Thanks

[Advertisements]

WOOOHOOO i get to help again!! i HAVE set one up that works for my domain... go to http://openspf.org/ they have some great tools but in a nutshell you put a txt record in your DNS (this is the DNS that everyone else in the world sees...so..your external DNS not internal...if you've got external) mine looks like this

"v=spf1 mx a:<A record for my OWA> -all"

as a breakdown
v=spf1 tells it what version of spf to use
MX says that anything listed as MX for my domain should be allowed
A: is to allow any A (host) records that you have in DNS to be allowed as well (such as a secondary mail server that's not in MX..)
-all means that it's a "hardfail" basically meaning anything that's not listed as an MX record or my specific A record (mentioned in the spf record) is automatically deemed nongenuine... you can use ?all to make this a softfail wich will say "i'm pretty sure that this isn't genuine...but i'll let the recipient decide" ~all does something...but i can't remember what... the most effective is the -all because with the other options...the mail still goes through...so it's pretty ineffective.

you can also designate other domain's MX records to be relays with extra MX entries (such as MX:<myothercompany.com>)

[dsenette]

WOOOHOOO i get to help again!! i HAVE set one up that works for my domain... go to http://openspf.org/ they have some great tools but in a nutshell you put a txt record in your DNS (this is the DNS that everyone else in the world sees...so..your external DNS not internal...if you've got external) mine looks like this

"v=spf1 mx a:<A record for my OWA> -all"

as a breakdown
v=spf1 tells it what version of spf to use
MX says that anything listed as MX for my domain should be allowed
A: is to allow any A (host) records that you have in DNS to be allowed as well (such as a secondary mail server that's not in MX..)
-all means that it's a "hardfail" basically meaning anything that's not listed as an MX record or my specific A record (mentioned in the spf record) is automatically deemed nongenuine... you can use ?all to make this a softfail wich will say "i'm pretty sure that this isn't genuine...but i'll let the recipient decide" ~all does something...but i can't remember what... the most effective is the -all because with the other options...the mail still goes through...so it's pretty ineffective.

you can also designate other domain's MX records to be relays with extra MX entries (such as MX:<myothercompany.com>)

[dsenette]

it should also be noted...that not alot of people are using spf at the moment (except for spammers) so right now this is kind of a CYA kind of deal and will at least give you a venue for proving that the mail didn't really come from you if something does get spoofed

[jaxisland]

"v=spf1 mx ~all"


That is what spf.org spit out for me. I have one exchange server and two dns servers. BUT our domainname.com is hosted out of house by a third party with their own dns servers.

Would that code cover me so that just the people in my dns can send?

My knowledge starts to get thin around this area, so I appreciate the help.

Thanks

[dsenette]

well...here's a rundown on spf and how it works...as far as your internal network goes (for sending mail)...it does squat...but when y ou send mail out to someone who check spf records (not that many at the moment) their mailsystem will do an extra dns query to check the spf record...if the mail they recieve...has your domain name on it...but the ip doesn't match the spf record in dns...the mail will get rejected...

i would suggest changing the ~ to - (there is a difference)...and the record needs to be added to the same DNS that controlls your MX record...

i.e. i use at&t for my t1...they manage my DNS info (i've got internal dns servers as well...but that's for internal stuff)...i've got a management portal with at&t MIS that lets me modify my own dns records...
so basically wherever your MX record is being hosted...is where you need to put the spf record...so if this outside company that's hosting your domain name...also has your MX record...then that's where you need to put the SPF record

[jaxisland]

I have my MX record on my server in house here.

I will add it to that dns server. Will this cause major problems if its not done correctly?

[jaxisland]

I added it, but now how do I know its working and not causing problems?

I used:

v=spf1 mx -all

Thanks

FYI- DNSreports.com still says I dont have a SPF record?

Any ideas?

Edited by jaxisland, 02 October 2006 - 11:41 AM.

[dsenette]

it won't cause any issues if it's done correctly...unless you're sending mail out to someone who check's SPF records...but the record you posted shouldn't cause any issues because all it's saying is "if the mail didn't come from this domain's MX record...don't accept it"...if you like...you could pm me an email address on the domain and i can try to spoof an email

[jaxisland]

I sent you a PM.

Thanks

[dsenette]

sent one back...hehe..

[jaxisland]

There is something going on with the people who host our website, so I am contacting them to look into this some more.

Thanks