locked
SPF record question RRS feed

  • Question

  • I asked for a number of SPF records to be created including this one (yes, I've modified the real domain and IP - I don't really work for contoso):

    "v=spf1 ip4:x.x.20.20 ~all"

    Using a SPF wizard on their end, the other guys came up with this:

    "v=spf1 a:smtp.contoso.com ip4:x.x.20.20 ~all"

    From: http://old.openspf.org/wizard.html?mydomain=contoso.com

    Question:

    Will that reference to "a:smtp.contoso.com" have a negative effect? Or is that perfectly fine?

    smtp.contoso.com is simply the FQDN of the mail server (external IP of the firewall in fact). I think they considered it as ANOTHER server that might send on behalf of contoso.com.

    Friday, May 6, 2011 5:08 PM

Answers

  • There is no negative affects it's just unecessary.
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 7:22 PM
  • On Fri, 6 May 2011 17:08:02 +0000, Le Pivert wrote:
     
    >
    >
    >I asked for a number of SPF records to be created including this one (yes, I've modified the real domain and IP - I don't really work for contoso):
    >
    >"v=spf1 ip4:x.x.20.20 ~all"
    >
    >Using a SPF wizard on their end, the other guys came up with this:
    >
    >"v=spf1 a:smtp.contoso.com ip4:x.x.20.20 ~all"
    >
    >From: http://old.openspf.org/wizard.html?mydomain=contoso.com
    >
    >Question:
    >
    >Will that reference to "a:smtp.contoso.com" have a negative effect? Or is that perfectly fine?
    >
    >smtp.contoso.com is simply the FQDN of the mail server (external IP of the firewall in fact). I think they considered it as ANOTHER server that might send on behalf of contoso.com.
     
    If the IP address of smtp.contoso.com is x.x.20.20 then there's no
    need for the a:smtp.contoso.com in the TXT record.
     
    You should have a SPF record for the domain smtp.contoso.com, though.
    That would allow for the checking of spoofed HELO\EHLO data (assuming
    your server identifies itself properly).
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Friday, May 6, 2011 7:42 PM

All replies

  • Yes because during the wizard it asks if there are any other servers other than your mx servers that send mail and they just give an example like "smtp.company.com" If you don't have it just delete the example.

    "Do any other servers send mail from company.com? a: smtp.company.com" (if there is no smtp.company.com you want to delete it)

    For example companies have mx records but they also have mail servers that they use just for outbound so there is no mx records for these so you would want to add them in manually.

     

     

     

     


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 6:41 PM
  • Yes...?

    Meaning "negative effects" or "perfectly fine" (although perhaps unnecessary)?

    Friday, May 6, 2011 7:18 PM
  • There is no negative affects it's just unecessary.
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Friday, May 6, 2011 7:22 PM
  • On Fri, 6 May 2011 17:08:02 +0000, Le Pivert wrote:
     
    >
    >
    >I asked for a number of SPF records to be created including this one (yes, I've modified the real domain and IP - I don't really work for contoso):
    >
    >"v=spf1 ip4:x.x.20.20 ~all"
    >
    >Using a SPF wizard on their end, the other guys came up with this:
    >
    >"v=spf1 a:smtp.contoso.com ip4:x.x.20.20 ~all"
    >
    >From: http://old.openspf.org/wizard.html?mydomain=contoso.com
    >
    >Question:
    >
    >Will that reference to "a:smtp.contoso.com" have a negative effect? Or is that perfectly fine?
    >
    >smtp.contoso.com is simply the FQDN of the mail server (external IP of the firewall in fact). I think they considered it as ANOTHER server that might send on behalf of contoso.com.
     
    If the IP address of smtp.contoso.com is x.x.20.20 then there's no
    need for the a:smtp.contoso.com in the TXT record.
     
    You should have a SPF record for the domain smtp.contoso.com, though.
    That would allow for the checking of spoofed HELO\EHLO data (assuming
    your server identifies itself properly).
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    --- Rich Matheisen MCSE+I, Exchange MVP
    Friday, May 6, 2011 7:42 PM
  • Rich,

    Yes, that is one of the SPF records I had created.

    James, Rich,

    Thanks to both of you for the clarification.

    Friday, May 6, 2011 7:50 PM