SPF record in Microsoft DNS


Pat H

Can anyone share a nice, clear example of a correctly
written SPF record for the domain domain.com with
Microsoft Windows 2000 or 2003 DNS? How about a reverse?
Is it needed? I have read articles all over the internet
on SPF records and tried many formats but none of them
work. None of the examples I can find are for windows and
all of them are very convoluted. Help appreciated!
 
You technically don't need to do reverse DNS but I would highly recommend
it. See RFC 2505 and 2317 if you need some background on why. (I am
assuming you are talking about your public IP and DNS).
As far as publishing SPF records goes, just open the DNS MMC and add a new "Other
Record Type" to your root FQDN (example.com). Select TXT and if you want
every MX server you have declared for example.com to be able to send mail
for example.com simply put in:

v=spf1 a mx -all

That should cover it. Go to http://spf.pobox.com/wizard.html?mydomain= to
get an idea of what you would need to do. It will walk you through building
your records for your domain.

You should test your set up, I recommend using
http://www.dnsstuff.com/pages/spf.htm to test it remotely. Their regular
site http://www.dnsstuff.com is one of the most useful sites out there for
doing any testing for DNS.

Once you have finished building it out register your domain at:
http://www.infinitepenguins.net/SPF/register.php

Regards,
Ed
 
Ed is correct. I'd like to add that "v=spf1 a mx ptr -all" should cover it
more broadly.

Having said that, do you mind if I ask: why are you doing this NOW? I'm not
saying don't do it, I am just wondering why you feel the need to do it at
this time. For my own educational purposes.

Thanks

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - COMPLETE SPAM Protection
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 

Check this link out:
HOWTO - Define an SPF Record:
http://www.zytrax.com/books/dns/ch9/spf.html

or

Sender Policy Framework (there's a wizard here to help configure):
www.spf.pobox.com


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Hi, I have been all over the spf.pobox.com website. I
have done the wizard and it does not create a record that
dnsreports.com recognizes as existing. It was
dnsreports.com that put me onto the SPF records in the first
place, so I am assuming they know a correctly configured
one when they check for it. That is why I am asking here.
Maybe no one else has gotten one to work yet?

Pat
 
This one did it! Many thanks! Now to go put them into all
my clients' domain email DNS zones! Busy day but well
spent. Help appreciated!
 
Truthfully, my mailservers have been beaten to a pulp by
spammers. I nearly went nuts trying to run my own
filters. Half my clients were mad at me for losing
legitimate mail and the other half for not filtering
enough. Life was a nightmare at the hands of spammers! I
want to be involved in anything that will help slow down
the miserable #*&%&*@'s or even make their wretched lives
a little more difficult.

Pat

PS - I did solve my spam problems by going to a
professional spam filtering company, but I still want to
get those jerks any way I can.
 
Pat,
Are you still having issues getting SPF to work properly? If so, please
give us a quick domain to look at to see what you have set up, perhaps we
can help you tweak it so it is correct. Please use http://www.dnsstuff.com/
to test your SPF records, it will tell you if things are working. The
wizard on http://spf.pobox.com should build out what you need but can be a
little confusing at first. Tell us what you put in your TXT record for your
domain and we (Deji, Ace, me or others) can give you an idea of what is wrong
potentially.

Regards,
Ed
 
SPF won't help your spam problem by much, it will stop them from sending
mail to you from you, and possibly prevent someone from spoofing your
domain, but only if the mail server checks for SPF or MX records in the
first place.
What you need is a mail server that will reject spoofed email, that is where
the mail server sending mail to you does not match the MX or SPF for the
mail domain in the from line.
I just upgraded my mail servers to one that checks these records and now my
mail server rejects hundreds of emails a day from mail servers not
authorized by either MX or SPF to send mail for the domain. So I would say
that the problem is not the lack of an SPF record, but the lack of having a
mail server that checks these and rejects mail on that basis.
 
Interestingly enough, dnsreports.com (from dnsstuff.com)
reports that the record now works fine. The
infinitepenguins.net reports that it is not configured, so
I remain baffled. My test domain is northwindarabians.com.

Thanks!

Pat
 
Understood. I have a public mailserver though, so have to
use a little more discretion than I would for a private
domain. Any shred of aggravation I can cause a spammer
has just a little satisfaction attached. I do spoof
prevention on my routers but that doesn't keep outside IPs
from reporting our domains as the senders. Have to start
somewhere in fighting these creeps!
 
Pat,
It appears that your setup for northwindarabians.com shows:
"v=spf1 -all"
The -all means:
No servers are allowed to send mail from northwindarabians.com. This is
appropriate for web-only sites.

Is that what you intended for this domain name? Looks like your MX records
are pointing over to Postini for inbound mail to the domain for spam and
virus filtering. If you have an MTA that you use for that domain to send
mail out - even if it is a different FQDN, you should list it in your SPF
configuration. That tells everyone that the other mail server is allowed to
send mail out on behalf of northwindarabians.com. If you have no actual
e-mail addresses (such as <user>@northwindarabians.com) running for this
domain then what you have done is legit. If you have any reason to send
e-mail with a <user>@northwindarabians.com then you will need to modify your
SPF entry.

As far as infinitepenguins.net, it shows that you have a record:
Domain: northwindarabians.com

Record Found: v=spf1 -all

No Errors
No Warnings
No Notes
Record is clean!
SPF Domain Added to List
HTH.

Regards,
Ed Horley
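To make the two records discussed in this thread concrete, here is a small receiver-side SPF evaluator. It is an added example written for this page, not code from anyone in the thread or from any SPF library. It evaluates `v=spf1 a mx -all` (Ed's record) and `v=spf1 -all` (the web-only record on northwindarabians.com) against a connecting IP, and shows the reject-on-fail decision Kevin describes a checking mail server making. All DNS data is a constructed in-memory table (`FAKE_DNS`, with invented hosts under example.com and the documentation range 192.0.2.0/24) so it runs offline; a real MTA would resolve these names live.

```python
import ipaddress

# Constructed DNS data standing in for live lookups. Every name and address
# here is invented for this example (assumption), not taken from the thread.
FAKE_DNS = {
    "A": {
        "example.com": ["192.0.2.10"],
        "mail.example.com": ["192.0.2.25"],
        "mx2.example.com": ["192.0.2.26"],
    },
    "MX": {
        "example.com": ["mail.example.com", "mx2.example.com"],
    },
    "TXT": {
        "example.com": ["v=spf1 a mx -all"],   # Ed's record: A and MX hosts may send
        "webonly.example": ["v=spf1 -all"],    # web-only domain: nobody may send
        "nospf.example": [],                   # domain that publishes no SPF at all
    },
    "PTR": {
        "192.0.2.25": ["mail.example.com"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype, name):
    """Stand-in for a DNS query; returns [] when the record does not exist."""
    return FAKE_DNS.get(rrtype, {}).get(name, [])


def find_spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent/ambiguous."""
    records = [t for t in lookup("TXT", domain)
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def mechanism_matches(mech, ip, domain):
    """True if a mechanism (qualifier already stripped) matches the client IP."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    target = arg or domain           # "a" and "mx" default to the sending domain
    if name == "all":
        return True
    if name == "a":
        return ip in lookup("A", target)
    if name == "mx":
        return any(ip in lookup("A", host) for host in lookup("MX", target))
    if name == "ptr":
        # A reverse name counts only if it sits under the domain and resolves back to ip.
        return any((host == target or host.endswith("." + target)) and ip in lookup("A", host)
                   for host in lookup("PTR", ip))
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(ip, domain):
    """Evaluate the domain's SPF record for a connecting IP, left to right."""
    record = find_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"              # an unprefixed mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"                 # nothing matched and no "all" term was present


def receiver_decision(ip, mail_from_domain):
    """What a checking MTA does with the result: reject only on a hard fail."""
    result = check_host(ip, mail_from_domain)
    return ("reject" if result == "fail" else "accept"), result


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "example.com"),      # listed MX host
                       ("203.0.113.7", "example.com"),     # unknown host spoofing the domain
                       ("192.0.2.25", "webonly.example"),  # any sender is refused
                       ("192.0.2.25", "nospf.example")]:   # no policy published
        print(ip, domain, receiver_decision(ip, domain))
```

The walk through `v=spf1 a mx -all` is the point: the connecting IP is compared first with the domain's own A record, then with the A records of each MX host, and only if neither matches does `-all` turn the result into a hard fail. With `v=spf1 -all` there are no mechanisms before `-all`, so every sender fails, which is exactly why Ed flags that record as suitable only for a domain that never originates mail.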
 
Thanks for the response, Pat. It's good to know that you were not doing this
simply because you are feeling pressured by all the hoopla surrounding the
various SPF-like proposals.

I am sorry to say, however, that even though your intentions are noble, your
approach will hardly make a dent in the spammer's operations. Kevin is right
(as usual) in his response.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - COMPLETE SPAM Protection
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
Thank you so much, Ed. I think I am getting the picture.
In fact, I do send mail from northwindarabians.com, so
have removed the -all. I am using my personal domain to
get acquainted with the system then plan to add my
company's public mailservers which contain in excess of
6000 mail boxes. Need to be sure that I have it right
before doing anything that could impact the clients! We
send no mail out through Postini. Wish we could but that
is seriously expensive.

Can you answer another mx record question for me? My
mailserver software puts a "mail." in the reply address of
our boxes. Mine would show as
(e-mail address removed). For my company's zones I
have always used an A record for mail and MX records for
povn.com and mail.povn.com. I have done the same thing
with records both with and without the "mail." for the
Postini MX records. A dig is showing no MX record
for "mail." even though they are there and the result is
lost mail. I do not have this issue on servers not going
through Postini. Ideas?
 
Actually, disregard that last mess. I am pretty sure that
the guy at Postini is tossing me a red herring. I see
nothing wrong with my DNS records, and will not be
sidetracked from the real issue of correct aliasing at Postini.
 
May I ask what software you changed to?

 
[OT]

Hmm ... no doubt about your filtering solution, but...
did you try using http://assp.sourceforge.net to
filter your mail? I don't know what your "situation" is,
so maybe the ASSP won't be a solution for you, but
it worked for me and for some of my customers and
it worked really well, so .. if you want to give it a spin..

Regards

--

* ObiWan

Microsoft MVP: Windows Server - Networking
http://mvp.support.microsoft.com
http://italy.mvps.org
 