none
Exchange 2013 - Looking for help to configure correct SPF record to stop spoofed-domain emails

    Question

  • Hi All, hope you are fine and doing well.

    I am looking for some help to configure SPF record for our domain. I am using mydomain.com as an example.

    We have Exchange server 2013 mail server in our domain.

    Current SPF records: we have two SPF records as per mxtoolbox.com.

    spf:mydomain.com is "v=spf1 a:mail.mydomain.com a:mailservername.mydomain.com mx:mydomain.com -all"

    spf:mail.mydomain.com is "v=spf1 mx –all"

    Both of the records are showing “SPF Record Depreciated” in mxtoolbox.com.

    Now, recently we came across email sending issue to one external domain as emails were getting rejected by that domain because of our SPF records. When I contacted other domain support, they said they are looking for following SPF record of our domain.

     

    v=spf1 include:mydomain.com ~all

     

    Now we are also facing issue with spoofed-domain emails. Emails coming from outside world with our domain address like it came from our own domain, and we want to stop it.

     

    (1)  (1) Should we maintain a new SPF record for the domain mydomain.com or mail.mydomain.com or for both?

    (2)  (2) Do we need to remove current SPF records and add new and correct SPF records?

    (3)  (3) What is the SPF records we need to create?

    Is it "v=spf1 mx a:mail.mydomain.com –all" or "v=spf1 mx a:mydomain.com –all" ?

    (4)  (4) The one SPF record other domain-support advised “v=spf1 include:mydomain.com ~all”, should we need to add that too? Can we use -all option instead of ~all to reject emails coming from outside world using our domain address (spoofed-domain emails)?

    Thanks for your help.

    Monday, June 20, 2016 2:10 AM

Answers

  • 1) The SPF record applies to the mail domain.  The first one applies to mail sent from @mydomain.com addresses and the second from @mail.mydomain.com addresses.  I suspect that you do not need the second one because you probably don't use that e-mail domain. 

    2) You don't have to delete the record, you can change it if you want.

    3) You'll need to figure that out because we don't know your e-mail infrastructure.  Here's a good reference I use.

    http://www.openspf.org/SPF_Record_Syntax

    4) Read the reference and maybe this will be more clear to you.  This question isn't one we can answer.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, June 20, 2016 6:48 PM
    Moderator