How to implement SPF

Good Day,

I have been asked to add a specific SPF entry to my dns server (Windows
2KSP3). Currently we do not use SPF records at all. We have been asked to
implement the record because we will be having a business partner sending
email on behalf of us. We will also be sending mail from our own mail
server. I have been asked to add the following text.

"v=spf1 mx a:server.domain.com -all"

Can someone please explain to me how I can add this record in the Microsoft
DNS Console for Windows 2000 Server (SP3)? Will I have to add an SPF record
for my own server which is currently sending and receiving mail from the
internet? If I only add the above record, will this prevent me from sending
mail from my own mx (mail server)?

Thank you very much.

Matthew
 
The SPF record is just a TXT record type in DNS. You just
add a text record for your domain with what you've listed as
the quoted value.

Whether mail is rejected due to SPF depends on two things:

1) Whether the receiver checks SPF at all,
2) If so, whether the check succeeds.

If you send intra-domain e-mail using SMTP and you look
for SPF, you should bypass the SPF check for that mail in
your server, or make sure that your DNS lists your internal
LAN address so that the MX-to-A check succeeds.

I probably recommend the former, with a separate
blocking rule to prevent outside senders from getting
through by forging an inside e-mail address. This depends
on the specific mail server software of course.

You should upgrade to SP4 BTW.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
 
Matthew C. said:
> Good Day,
>
> I have been asked to add a specific SPF entry to my dns
> server (Windows 2KSP3). Currently we do not use SPF
> records at all. We have been asked to implement the
> record because we will be having a business partner
> sending email on behalf of us. We will also be sending
> mail from our own mail server. I have been asked to add
> the following text.
>
> "v=spf1 mx a:server.domain.com -all"
>
> Can someone please explain to me how I can add this
> record in the Microsoft DNS Console for Windows 2000
> Server (SP3)?

In the domain zone you want the record for, right click, select new other
records, then select TXT, then paste "v=spf1 mx a:server.domain.com -all"
(without the quotes).

> Will I have to add an SPF record for my
> own server which is currently sending and receiving mail
> from the internet?

If you do not have your mail server listed in the SPF record, some mail
servers will not accept mail from it from the domain the SPF record is for.
You will need to add your mail server to the SPF or use the mail server
listed in the SPF as a smart host (relay) for your mail server.

> If I only add the above record, will
> this prevent me from sending mail from my own mx (mail
> server)?

Yes to some SMTP servers anyway, only the ones that check SPF records. (AOL
and a few others, including mine)
For instance, if you try to send mail to me without a valid MX or SPF my
mail server will reject saying:
"Sender IP <yoursmtpserveripaddress> does not legitimately deliver for
domain <yourmaildomain>"

You should set your mail server as the MX server with the other server's IP
address listed.
 
Thanks Kevin,

I have been given two suggestions from different online wizards on how to
denote the only two servers who will be sending email from my domain.

We currently have an mx record for mymailserver.mydomain.com which sends and
receives mail. In addition, we will be sending mail on behalf of mydomain by
server.partnernetwork.com.

"v=spf1 mx include:server.partnernetwork.com -all"

and

"v=spf1 mx mx:mymailserver.mydomain.com include:server.partnernetwork.com -all"

I don't understand the difference between the two. Can you explain? Will
both of these statements work on MS DNS?

Thanks,

Matthew
 
Matthew C. said:
> Thanks Kevin,
>
> I have been given two suggestions from different online
> wizards on how to denote the only two servers who will be
> sending email from my domain.
>
> We currently have an mx record for
> mymailserver.mydomain.com which sends and receives mail.
> In addition, we will be sending mail on behalf of
> mydomain by server.partnernetwork.com.
>
> "v=spf1 mx include:server.partnernetwork.com -all"

This one is missing your MX server.

> and
>
> "v=spf1 mx mx:mymailserver.mydomain.com
> include:server.partnernetwork.com -all"

This one has your MX server and server.partnernetwork.com can also send mail
for your domain.

> I don't understand the difference between the two. Can
> you explain? Will both of these statements work on MS
> DNS?

The question is not if the statement will work on MS DNS, because MS DNS can
publish this record. The real question is, will mail servers that check SPF
understand what the SPF states?
That is up to the particular SMTP server software. There is a format for SPF
records; as for whether SMTP servers will follow the format, that is a question
that cannot be answered by me.
That's the problem with SPF: you have no control over another's SMTP server
and cannot force it to accept mail from you, no matter what you do. Some
SMTP servers will not accept mail from an SMTP server that does not have an MX
record for the sending domain.
In other words, if smtp.example.com sends mail from test.com, _BUT_
smtp.example.com is not an MX server for test.com, some mail servers will
reject mail from test.com if the delivering SMTP server is smtp.example.com.
 
Thank you.

Can anyone tell me what the difference is between these two DNS records?

"v=spf1 mx include:server.partnernetwork.com -all"

"v=spf1 mx mx:mymailserver.mydomain.com include:server.partnernetwork.com -all"
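
Added example (not part of any post in this thread): a small Python evaluator for the mx, a, include and all mechanisms as RFC 7208 defines them, run against the two records asked about above. The DNS table, the IP addresses and the third record REC_A are constructed for illustration, and the data assumes the partner publishes no SPF TXT record at server.partnernetwork.com.

```python
import ipaddress

# Constructed DNS data (assumption) standing in for live lookups.
# The partner host has an A record but no SPF TXT record at its own name.
DNS = {
    ("mydomain.com", "MX"): ["mymailserver.mydomain.com"],
    ("mymailserver.mydomain.com", "A"): ["192.0.2.10"],
    ("server.partnernetwork.com", "A"): ["198.51.100.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def host_matches(ip, host):
    """True if one of host's A records equals the connecting IP."""
    return any(ipaddress.ip_address(a) == ipaddress.ip_address(ip)
               for a in lookup(host, "A"))

def check_host(ip, domain, record=None):
    """Evaluate the mx, a, include and all mechanisms for one sender IP."""
    if record is None:  # include: fetches the target's own SPF record
        found = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
        if len(found) != 1:
            return "permerror" if found else "none"
        record = found[0]
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0], "pass")
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        target = arg or domain  # bare "mx" / "a" mean the domain being checked
        if name == "all":
            hit = True
        elif name == "a":
            hit = host_matches(ip, target)
        elif name == "mx":  # MX records of target, then their A records
            hit = any(host_matches(ip, mx) for mx in lookup(target, "MX"))
        elif name == "include":  # target must publish its own SPF record
            inner = check_host(ip, target)
            if inner in ("none", "permerror"):
                return "permerror"
            hit = inner == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if hit:
            return result
    return "neutral"

REC_1 = "v=spf1 mx include:server.partnernetwork.com -all"
REC_2 = "v=spf1 mx mx:mymailserver.mydomain.com include:server.partnernetwork.com -all"
REC_A = "v=spf1 mx a:server.partnernetwork.com -all"  # constructed variant
```

With this data, both thread records return pass for the domain's own MX host (192.0.2.10) on the bare mx term, and both return permerror for the partner's address, because include: evaluates the SPF record published at the named domain rather than matching a host's address. REC_A, which follows the a: form from the first post, returns pass for the partner host and fail for any other sender.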
 