SPF record question

Discussion in 'Windows Small Business Server' started by Gregg Hill, Jul 13, 2007.

  1. Gregg Hill

    Gregg Hill Guest

    Hello!

    I have an SBS 2003 SP1 server as my only email server. I want to set up SPF
    records.

    Per this article http://support.microsoft.com/?id=912716, the recommended
    SPF record is as simple as this example.

    v=spf1 mx -all

    However, creating an SPF record from the Microsoft web site at
    http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx
    comes up with a much more detailed SPF record, such as

    v=spf1 ptr ip4:67.x.x.x mx:mail.mydomain.net -all

    My current SPF is published in my public DNS as follows:

    v=spf1 mx:mydomain.net -all

    I recently started getting emails into the IMF that claim to be from my
    domain but are not. I have not enabled Sender ID yet. In order to prevent
    these emails from being accepted, is my only other step just the
    implementation of Sender ID filtering?

    Thank you for helping!

    Gregg Hill
     
    Gregg Hill, Jul 13, 2007
    #1

  2. Gregg Hill

    Claus Guest

    Claus, Jul 14, 2007
    #2

  3. Gregg Hill

    Gregg Hill Guest

    Gregg Hill, Jul 14, 2007
    #3
  4. Gregg,

    I use the second one; the wizard is the easiest to use, and more accurate,
    IMO.

    Then send whatever you make to where you host and have them add it as a TXT
    record.
    (Some hosting allows you to do this; some, I've found, don't. I know, STUPID.)

    But it will work for you.

    Russ

    --

    Russell Grover
    SBITS.Biz
    Microsoft Certified Small Business Specialist.
    MCP, MCPS, MCNPS, (MCP-SBS)
    support @ SBITS.Biz
    Remote SBS2003 Support
    http://www.SBITS.Biz
     
    Russ Grover (SBITS.Biz), Jul 14, 2007
    #4
  5. Gregg Hill

    Gregg Hill Guest

    Russ,

    My current SPF is published in my public DNS as follows:

    v=spf1 mx:mydomain.net -all

    I recently started getting emails into the IMF that claim to be from my
    domain but are not. I have not enabled Sender ID yet. In order to prevent
    these emails from being accepted, is my only other step just the
    implementation of Sender ID filtering?

    Gregg Hill
     
    Gregg Hill, Jul 14, 2007
    #5
  6. Yes, you need to check the box.
    However, realize that an SPF record only works if the receiver of the email
    checks for an SPF record
    (which most that I've seen don't).

    I still do it, but as far as effective???
    Eh!

    Russ

    --

    Russell Grover
    SBITS.Biz
    Microsoft Certified Small Business Specialist.
    MCP, MCPS, MCNPS, (MCP-SBS)
    support @ SBITS.Biz
    Remote SBS2003 Support
    http://www.SBITS.Biz
     
    Russ Grover (SBITS.Biz), Jul 14, 2007
    #6
  7. Gregg Hill

    Gregg Hill Guest

    NetSol did not have SPF a few months ago, so I set it up on zoneedit.com
    DNS.

    Gregg Hill
     
    Gregg Hill, Jul 15, 2007
    #7
  8. Gregg Hill

    Gregg Hill Guest

    Russ,

    Part of the problem is that **I** am the receiver of the email! I started
    getting my own domain-spoofed emails about two months ago. I want to
    implement SPF filtering for myself, as well as the other seven (ha, ha)
    domain admins who have set up their SPF records.

    Gregg Hill
     
    Gregg Hill, Jul 15, 2007
    #8
  9. That's my point. I set it up; however, not everyone does, so it's not a
    standard, and
    effective???

    Well, just like seatbelts, only effective if everyone uses them.

    Russ

    --

    Russell Grover
    SBITS.Biz
    Microsoft Certified Small Business Specialist.
    MCP, MCPS, MCNPS, (MCP-SBS)
    support @ SBITS.Biz
    Remote SBS2003 Support
    http://www.SBITS.Biz
     
    Russ Grover (SBITS.Biz), Jul 16, 2007
    #9
  10. Gregg Hill

    Gregg Hill Guest

    Russ,

    I understood your point to be that you set it up, with "it" being an SPF
    record for your domain and that you have Sender ID enabled on your server.

    My last reply was to your "However realize that SPF record only works if the
    Receiver of the Email Checks for a SPF record" comment. The point I tried to
    get across (with a little attempt at humor) is that I have had my SPF record
    set up for a while, but now I am going to enable Sender ID filtering on my
    own server, since I am getting emails sent to my domain by non-existent
    users of my own domain, which was what I meant by my "**I** am the receiver
    of the email!" comment. They are coming from IP addresses that are not mine,
    but appear to be from my domain, so they are spoofing my own domain.

    I am waiting for my ISP (Southern California Time Warner) to modify my PTR
    record, since I changed my mail server firewall's IP address a couple of
    days ago. Then I will flip the switch to enable Sender ID and see what
    happens.

    Actually, having an SPF record is basically the opposite of seatbelts. If
    you use a seatbelt, it is already effective for you, regardless of what
    others do. If you set up an SPF record, it is only effective for you if the
    other guy has Sender ID turned on, unless your own domain gets spoofed as
    mine has been and you receive those emails, in which case it is effective
    for you as well if you have Sender ID enabled.

    It may be a standard, but as you mentioned, lack of adoption means lack of
    effectiveness.

    Thank you for your comments!

    Gregg Hill
     
    Gregg Hill, Jul 16, 2007
    #10
  11. Well, seat belts help others also.
    The drunk that hits you won't get sued for manslaughter ;)

    So seatbelts IMO help everyone :)

    (I KNOW, bad analogy. I couldn't think of any other.)
    Russ

    --

    Russell Grover
    SBITS.Biz
    Microsoft Certified Small Business Specialist.
    MCP, MCPS, MCNPS, (MCP-SBS)
    support @ SBITS.Biz
    Remote SBS2003 Support
    http://www.SBITS.Biz
     
    Russ Grover (SBITS.Biz), Jul 16, 2007
    #11
  12. And the "Eh, effective" is sarcastic..

    Like you said, if everyone did standards it would be.
    But as you know.. .... :(

    --

    Russell Grover
    SBITS.Biz
    Microsoft Certified Small Business Specialist.
    MCP, MCPS, MCNPS, (MCP-SBS)
    support @ SBITS.Biz
    Remote SBS2003 Support
    http://www.SBITS.Biz
     
    Russ Grover (SBITS.Biz), Jul 16, 2007
    #12
  13. Hi Gregg,

    Thanks for posting in our newsgroup.

    I am sorry for the delay due to the weekend.

    The two records are both correct.

    If the MX record is on a Windows DNS server, the SPF record is: v=spf1 mx -all

    If the MX record is in the ISP's DNS, the SPF record is: v=spf1 ptr ip4:67.x.x.x mx:mail.mydomain.net -all

    Based on my knowledge, an SPF record (Sender Policy Framework) is used to
    prevent email forgery and helps identify spam and is configured on the
    public DNS server side. At this point, I'm afraid that we have nothing to
    do about adding SPF in Exchange Server. Therefore if the public DNS server
    you are using for your SMTP domain supports SPF, you can contact your ISP
    and ask them to add SPF records for your SMTP domain.

    Hope the information helps.

    If you need further assistance, please don't hesitate to let me know.

    Best regards,

    Robert Li(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================

    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Robert Li [MSFT], Jul 16, 2007
    #13
  14. Gregg Hill

    Gregg Hill Guest

    Robert,

    My MX record is in public DNS (wouldn't do much good if it were private!).
    According to this site http://www.openspf.org/ (thank you, Claus!) and
    specifically this page http://www.openspf.org/SPF_Record_Syntax of the site,
    either SPF record will work in public DNS. BTW, it says to avoid using the
    PTR in an SPF record because of "expensive DNS lookups."

    You say that you "...have nothing to do about adding SPF in Exchange
    Server." The SPF does not go into Exchange, but doesn't Exchange use an SPF
    lookup if Sender ID is enabled? In other words, if I have Sender ID
    filtering enabled on my Exchange server and some other domain has an SPF
    record in the public DNS, then no spoofed email from that domain will be
    accepted by my server, correct?

    Gregg Hill
     
    Gregg Hill, Jul 16, 2007
    #14
  15. Gregg Hill

    Gregg Hill Guest

    Russ,

    What setting do you use on the Sender ID Filtering tab? Accept, Delete, or
    Reject?

    My current SPF record is:

    v=spf1 mx:mydomain.net -all

    Judging from the http://www.openspf.org/SPF_Record_Syntax web page, I could
    simply use

    v=spf1 mx -all

    as well to get the job done. My only mail server is an SBS 2003 server.

    Thank you, Russ!

    Gregg Hill
     
    Gregg Hill, Jul 19, 2007
    #15
  16. I accept it,
    because there are very few people who follow the rules and you will probably
    be blocking legit email.

    If you were a government or federal office or bank I'd say reject.
    But most businesses don't like to get mail blocked.

    This is what I do: Accept.

    Whether it's "BEST" practice,
    I don't have a clue.
    I know others have opinions on this, and I'm not the smartest person here,
    BTW :)

    Russ

    --

    Russell Grover
    SBITS.Biz
    Microsoft Certified Small Business Specialist.
    MCP, MCPS, MCNPS, (MCP-SBS)
    support @ SBITS.Biz
    Remote SBS2003 Support
    http://www.SBITS.Biz
     
    Russ Grover (SBITS.Biz), Jul 19, 2007
    #16
  17. Remember, the effectiveness of this
    (in my opinion)

    is not much.
    You are better off with IMF/open RBL blockers and even something like a
    Barracuda Spam Filter.

    Since not everyone follows the rules.
    However, I still set it up on all my servers.
    Just to be "Compliant."

    Russ

    --

    Russell Grover
    SBITS.Biz
    Microsoft Certified Small Business Specialist.
    MCP, MCPS, MCNPS, (MCP-SBS)
    support @ SBITS.Biz
    Remote SBS2003 Support
    http://www.SBITS.Biz
     
    Russ Grover (SBITS.Biz), Jul 19, 2007
    #17
  18. Gregg Hill

    Gregg Hill Guest

    Russ,

    After reading the http://www.openspf.org/ and others until my eyes were
    bleeding, I still have some confusion.

    When implementing SPF and Sender ID for clients who only have one Exchange
    server (most of my clients are on SBS 2003), is there any benefit to having
    "~all" vs. "-all" at the end of the record?

    I changed my SPF for my SBS server from

    v=spf1 mx:mydomain.net -all

    to

    v=spf1 ip4:67.x.x.x -all

    based upon the comment from this site http://www.openspf.org/ that it saves
    DNS lookup time. I only have the one server that sends mail.

    Gregg Hill
     
    Gregg Hill, Jul 23, 2007
    #18
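
Added example, not part of the thread or anyone's post: a small offline evaluator for the record variants compared above (`mx` vs `ip4`, `-all` vs `~all`), returning the SPF result a checking receiver would compute and how many DNS queries the record cost. The zone data, the sender addresses (192.0.2.10 stands in for the redacted 67.x.x.x) and the helper names are constructed for illustration; only the `ip4`, `mx` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed DNS data standing in for the public zone (documentation IP ranges).
ZONE = {
    ("mydomain.net", "MX"): ["mail.mydomain.net"],
    ("mail.mydomain.net", "A"): ["192.0.2.10"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class Resolver:
    """Answers from ZONE and counts every query made."""
    def __init__(self):
        self.queries = 0

    def lookup(self, name, rtype):
        self.queries += 1
        return ZONE.get((name.lower(), rtype), [])


def check_spf(record, sender_ip, domain, dns):
    """Evaluate ip4, mx and all left to right (a subset of RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed or missing address
        elif mech == "mx":
            hosts = dns.lookup(arg or domain, "MX")
            matched = any(sender_ip in dns.lookup(h, "A") for h in hosts)
        else:
            return "permerror"  # mechanism outside this sketch (a, ptr, include, ...)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def evaluate(record, sender_ip, domain="mydomain.net"):
    dns = Resolver()
    return check_spf(record, sender_ip, domain, dns), dns.queries
```

For a host outside the record, `-all` yields `fail` and `~all` yields `softfail`; what the receiver then does with each result is its own policy decision.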