SPF record question

Hello!

I have an SBS 2003 SP1 server as my only email server. I want to set up SPF
records.

Per this article http://support.microsoft.com/?id=912716, the recommended
SPF record is as simple as this example.

v=spf1 mx -all

However, creating an SPF record from the Microsoft web site at
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx
comes up with a much more detailed SPF record, such as

v=spf1 ptr ip4:67.x.x.x mx:mail.mydomain.net -all

My current SPF is published in my public DNS as follows:

v=spf1 mx:mydomain.net -all

I recently started getting emails into the IMF that claim to be from my
domain but are not. I have not enabled Sender ID yet. In order to prevent
these emails from being accepted, is my only other step just the
implementation of Sender ID filtering?

Thank you for helping!

Gregg Hill

 

The MS one is right. You can verify this by going here

http://www.openspf.org/

 

Claus,

To which MS one do you refer? The one in this article
http://support.microsoft.com/?id=912716 or the one created at this web site
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx ?

They are both from MS.

Gregg Hill

 

Gregg,

I use the second one, the wizard is the easiest to use, and More Accurate
IMO

Then send what ever you make to where you Host and have them add it as a TXT
Record.
(Some Hosting allows you to do this some I've found don't. I know STUPID)

But it will work for you.

Russ

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz

 

Russ,

My current SPF is published in my public DNS as follows:

v=spf1 mx:mydomain.net -all

I recently started getting emails into the IMF that claim to be from my
domain but are not. I have not enabled Sender ID yet. In order to prevent
these emails from being accepted, is my only other step just the
implementation of Sender ID filtering?

Gregg Hill

 

yes you need to check the box
However realize that SPF record only works if the Receiver of the Email
Checks for a SPF record
(Which Most that I've seen Don't)

I still do it, but as far as effective???
Eh!

Russ

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz

 

NetSol did not have SPF a few months ago, so I set it up on zoneedit.com
DNS.

Gregg Hill

 

Russ,

Part of the problem is that **I** am the receiver of the email! I started
getting my own domain-spoofed emails about two months ago. I want to
implement SPF filtering for myself, as well as the other seven (ha, ha)
domain admins who have set up their SPF records.

Gregg Hill

 

That's my Point, I set it up, however Not everyone does so it's not a
Standard, and
Effective???

Well Just like Seatbelts, only effective if everyone uses them.

Russ

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz

 

Russ,

I understood your point to be that you set it up, with "it" being an SPF
record for your domain and that you have Sender ID enabled on your server.

My last reply was to your "However realize that SPF record only works if the
Receiver of the Email Checks for a SPF record" comment. The point I tried to
get across (with a little attempt at humor) is that I have had my SPF record
set up for a while, but now I am going to enable Sender ID filtering on my
own server, since I am getting emails sent to my domain by non-existent
users of my own domain, which was what I meant by my "**I** am the receiver
of the email!" comment. They are coming from IP addresses that are not mine,
but appear to be from my domain, so they are spoofing my own domain.

I am waiting for my ISP (Southern California Time Warner) to modify my PTR
record, since I changed my mail server firewall's IP address a couple of
days ago. Then I will flip the switch to enable Sender ID and see what
happens.

Actually, having an SPF record is basically the opposite of seatbelts. If
you use a seatbelt, it is already effective for you, regardless of what
others do. If you set up an SPF record, it is only effective for you if the
other guy has Sender ID turned on, unless your own domain gets spoofed as
mine has been and you receive those emails, in which case it is effective
for you as well if you have Sender ID enabled.

It may be a standard, but as you mentioned, lack of adoption means lack of
effectiveness.

Thank you for your comments!

Gregg Hill

 

Well Seat belts help others also.
The drunk that hits you won't get sued for manslaughter

So seatbelts IMO help everyone

(I KNOW Bad analogy I couldn't think of any other.)
Russ

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz

 

and the Eh effective is sarcastic..

Like you said, if everyone did standards it would be.
but as you know.. ....

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz

 

Hi Gregg,

Thanks for posting in our newsgroup.

I am sorry for the delay due to the weekend.

The two records are all correct.

If the MX record is on a Windows DNS server, the SPF record is as: v=spf1
mx -all

If the MX record is in DNS of ISP, the SPF is as: v=spf1 ptr ip4:67.x.x.x
mx:mail.mydomain.net -all.

Based on my knowledge, an SPF record (Sender Policy Framework) is used to
prevent email forgery and helps identify spam and is configured on the
public DNS server side. At this point, I'm afraid that we have nothing to
do about adding SPF in Exchange Server. Therefore if the public DNS server
you are using for your SMTP domain supports SPF, you can contact your ISP
and ask them to add SPF records for your SMTP domain.

Hope the information helps.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: "Gregg Hill" <>
<Subject: SPF record question
<Date: Fri, 13 Jul 2007 00:58:23 -0700
<Lines: 30
<X-Priority: 3
<X-MSMail-Priority: Normal
<X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
<X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
<X-RFC2646: Format=Flowed; Original
<Message-ID: <#>
<Newsgroups: microsoft.public.windows.server.sbs
<NNTP-Posting-Host: rrcs-67-52-120-134.west.biz.rr.com 67.52.120.134
<Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
<Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:50137
<X-Tomcat-NG: microsoft.public.windows.server.sbs
<
<Hello!
<
<I have an SBS 2003 SP1 server as my only email server. I want to set up
SPF
<records.
<
<Per this article http://support.microsoft.com/?id=912716, the recommended
<SPF record is as simple as this example.
<
<v=spf1 mx -all
<
<However, creating an SPF record from the Microsoft web site at
<http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard
/default.aspx
<comes up with a much more detailed SPF record, such as
<
<v=spf1 ptr ip4:67.x.x.x mx:mail.mydomain.net -all
<
<My current SPF is published in my public DNS as follows:
<
<v=spf1 mx:mydomain.net -all
<
<I recently started getting emails into the IMF that claim to be from my
<domain but are not. I have not enabled Sender ID yet. In order to prevent
<these emails from being accepted, is my only other step just the
<implementation of Sender ID filtering?
<
<Thank you for helping!
<
<Gregg Hill
<
<
<

 

Robert,

My MX record is in public DNS (wouldn't do much good if it were private!).
According to this site http://www.openspf.org/ (thank you, Claus!) and
specifically this page http://www.openspf.org/SPF_Record_Syntax of the site,
either SPF record will work in public DNS. BTW, it says to avoid using the
PTR in an SPF record because of "expensive DNS lookups."

You say that you "...have nothing to do about adding SPF in Exchange
Server." The SPF does not go into Exchange, but doesn't Exchange use an SPF
lookup if Sender ID is enabled? In other words, if I have Sender ID
filtering enabled on my Exchange server and some other domain has an SPF
record in the public DNS, then no spoofed email from that domain will be
accepted by my server, correct?

Gregg Hill

 

Russ,

What setting do you use on the Sender ID Filtering tab? Accept, Delete, or
Reject?

My current SPF record is:

v=spf1 mx:mydomain.net -all

Judging from the http://www.openspf.org/SPF_Record_Syntax web page, I could
simply use

v=spf1 mx -all

as well to get the job done. My only mail server is an SBS 2003 server.

Thank you, Russ!

Gregg Hill

 

I accept it,
Because there are very Few People who follow the rules and you will probably
be blocking legit email.

If you were a government or Federal Office or bank I'd say reject.
But most businesses don't like to get mail blocked.

This is what I do, Accept.

Whether it's "BEST" practice
I don't have a clue.
I know others have Opinions on this, and I'm not the smartest person here.
BTW

Russ

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz

 

Remember the effective of this
(in my Opinion)

is Not much,
You are better off with IMF/ Open RBL blockers and something even like a
Barracuda Spam Filter.

Since not everyone follows the rules.
However I still set it up on all my servers.
Just to be "Compliant."

Russ

--

Russell Grover
SBITS.Biz
Microsoft Certified Small Business Specialist.
MCP, MCPS, MCNPS, (MCP-SBS)
support @ SBITS.Biz
Remote SBS2003 Support
http://www.SBITS.Biz

 

Russ,

After reading the http://www.openspf.org/ and others until my eyes were
bleeding, I still have some confusion.

When implementing SPF and Sender ID for clients who only have one Exchange
server (most of my clients are on SBS 2003), is there any benefit to having
"~all" vs. "-all" at the end of the record?

I changed my SPF for my SBS server from

v=spf1 mx:mydomain.net -all

to

v=spf1 ip4:67.x.x.x. -all

based upon the comment from this site http://www.openspf.org/ that it saves
DNS lookup time. I only have the one server that sends mail.

Gregg Hill