
SPF Records

To configure Sender ID filtering in Exchange, you must first understand the Sender Policy Framework (SPF) records.
 
SPF records allow software to identify messages that are or are not authorized to use the domain name in the SMTP HELO and MAIL FROM commands, based on information published in a sender policy by the domain owner. Forged return paths are common in e-mail spam. SPF is defined in RFC 4408.
 
SPF records work with sender ID filtering to stop malicious e-mails. The SPF record is a piece of information on the DNS servers that is required by sender ID filtering to determine whether the e-mail message was sent by an authorized server for the specified domain. In simple terms, an SPF record is a listing of authorized SMTP servers for a particular domain or set of domains in the DNS database.
 
Publishing an SPF record in the public DNS allows the recipient SMTP servers to perform a reverse MAIL Exchanger (MX) lookup by cross-referencing the IP addresses of the authorized SMTP servers against that organization’s DNS entry for their domain.

SPF records can be in different formats. Here are a few examples:
 
myvmx.com IN TXT "v=spf1 mx -all"
This indicates that all servers identified by an MX record for the myvmx.com domain are allowed to send e-mails for that domain.
 
v=spf1 mx ip4:192.168.10.10 -all
This SPF record indicates that, in addition to the servers identified by the MX records for my domain, the server with the IP address 192.168.10.10 is allowed to send e-mails from my domain.
 
MAIL IN TXT "v=spf1 a -all"
This one indicates that server MAIL is allowed to send e-mails for my domain.
 
myvmx.com IN TXT "v=spf1 ip4:192.168.10.10 -all"
This SPF record indicates that a server with the IP address 192.168.10.10 is allowed to send e-mails for the myvmx.com domain.
 
v=spf1 mx mx:mail1.myvmx.com mx:mail2.myvmx.com mx:mail3.myvmx.com -all
Where:
v=spf1 designates that this is an SPF record and that it is version 1.
mx mx:mail1.myvmx.com mx:mail2.myvmx.com mx:mail3.myvmx.com means that mail1, mail2 and mail3 are authorized to send and receive e-mails for the myvmx.com domain.
-all designates that no one besides the IP addresses in myvmx.com's MX records is authorized to send e-mails.
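To show how a receiving server evaluates records like the ones above, here is a small SPF checker added as an example (it is not code from the original post or from Microsoft). It walks the mechanisms left to right, honours the +, -, ~ and ? qualifiers, and resolves "mx" and "a" against a constructed in-memory DNS table instead of performing real lookups; include, redirect and exists are not supported.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (example data, not from the post).
DNS = {
    "myvmx.com": {
        "MX": ["mail1.myvmx.com", "mail2.myvmx.com"],
        "A": ["192.168.10.20"],
    },
    "mail1.myvmx.com": {"A": ["192.168.10.11"]},
    "mail2.myvmx.com": {"A": ["192.168.10.12"]},
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _hosts_for(domain, mechanism):
    """IPv4 addresses behind a domain's A records ('a') or its MX hosts ('mx')."""
    if mechanism == "a":
        return DNS.get(domain, {}).get("A", [])
    mx_hosts = DNS.get(domain, {}).get("MX", [])
    return [ip for mx in mx_hosts for ip in DNS.get(mx, {}).get("A", [])]


def check_spf(record, domain, sender_ip):
    """Evaluate an SPF v1 record for sender_ip; supports mx, a, ip4 and all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all decides everything left over
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            target = arg or domain         # bare "mx"/"a" refers to the record's own domain
            matched = any(ip == ipaddress.ip_address(h) for h in _hosts_for(target, name))
        else:
            raise ValueError(f"unsupported mechanism: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term present
```

A record that ends in "-all" rejects any sender not matched earlier, while "~all" only soft-fails it, which is why the final term matters as much as the list of servers.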
 

Creating an SPF Record
To create SPF records, you can use Microsoft’s four-step wizard. If you want to use the advanced features of SPF format, you may need to manually edit the SPF record created by this wizard (in this example, myvmx.com).
 
 
2. At Identify Your Domain, enter the domain name for which you want to create a new SPF record and click Start;
 
3. At Display Published DNS Records, you’ll see that the wizard checked the DNS for information about myvmx.com, including existing SPF, MX and A records;
 
4. If an SPF record was found, you can verify its contents and use the remaining steps of the wizard to modify the record. If no SPF record was found, you can use information from the domain’s MX and A records to create a new SPF record. Click Next;
 
5. At Create SPF Record, the wizard prompts you to choose proper options to create SPF records. This step is divided into different sections. Your choices are:
 
Domain Not Used for Sending E-Mail
Check this option if this domain is not used for sending outbound e-mail.
 
Inbound Mail Servers Send Outbound Mail
If your inbound mail servers are also used to send outbound mail, you should add this option to your new SPF record.
 
Outbound Mail Server Addresses
If all the IP addresses listed in A records for your domain in DNS are outbound mail servers, you should include this option in your new SPF record.
 
Reverse DNS Lookup
Check this box if all the reverse DNS records (PTR records) for your domain resolve to outbound e-mail servers.
 
Outsourced Domains
Choose this option if your domain's outbound e-mail is routed through another domain.
 
Direct Mailing Status
If your domain only sends mail directly to its intended recipients (it does not send mail to mailing lists), you should add this attribute to the SPF record.
 
Policy Testing Status
If you wish to publish the SPF record in a "testing" mode, where it can be read by other servers but its policies will not be enforced, select this option.
 
Default
Does your domain send e-mail from any IP addresses that are not identified in the above sections? Choose appropriate settings for your environment.
 
Scope
Which e-mail identities can this SPF record be used to validate? Choose appropriate settings for your environment.
 

6. Click Next;
 
7. At Generate SPF Record, the wizard will provide you with the generated SPF records.
 
For more information please go to:
- SPF Record Syntax: http://www.openspf.org/SPF_Record_Syntax
- Wikipedia: http://en.wikipedia.org/wiki/Sender_Policy_Framework
 
