SPF record vs KEMP Load Balancer vs DNS records - how to configure it?

  • Question

  • Hi guys. Please don't send me to the KEMP forum, I do not understand their instructions (they are not clear and not very detailed).
    I got 2 domains. One is my test env with EX.
    I wanted to use an SPF record, so I added my email servers' IPs there. The record is ok.
    The second domain is not mine, I can not really change anything there, but it has an SPF record too.

    Now when I send email between these domains (from the real production one, which has a connector to my test domain and does not go via the internet), in the logs I get the load balancer IP, not my real Exchange server. Accordingly, in the email header I get something like this:

    Received-SPF: SoftFail (IRxxx.mydomain.test.local: domain of transitioning
     email@notmydomain.com discourages use of {MY IP OF LOADBALANCER} as permitted sender)

    Should I add the LB IP to the SPF record - and is this the correct way to configure real production environments?
    OR how can I configure KEMP to show the real address of my Exchange server for my external domain?

    If I use the method with the KEMP IP in the SPF DNS record, can I later use DMARC with this configuration?

    Thursday, August 30, 2018 4:20 PM

All replies

  • You shouldn't mark email messages as spam based only on the SPF check result (and antispam systems don't do it). Therefore use only the softfail policy.

    You need to implement DKIM first and after that implement DMARC. DMARC will fail only when both the SPF and DKIM checks fail.

    So you shouldn't worry about an SPF fail when DKIM is ok.

    Don't add local IP addresses to SPF!

    Thursday, August 30, 2018 8:16 PM
  • Sorry, I don't get your question.

    What does your mail flow currently look like?

    Public MX records pointing directly to your Exchange server?

    Exchange servers sending through an MTA or directly through DNS lookups?

    Do you have internal send connectors configured for your lab domain (on the production server) and vice versa for your production domain on your lab server?

    As Egor Vasilev already said: "Don't add local IP addresses to SPF". In your SPF record you have to put the systems that are authorized to send mail for the domain where you put the SPF record.

    If the entered MX records are the only systems that send mail, your SPF record would look like this (BIND format):

    mydomain.com.  IN TXT "v=spf1 mx -all"

    (or for soft fail '~all' instead of the strict fail '-all')

    If you have more sending mail systems you can add them by IP, for example like this:

    mydomain.com.  IN TXT "v=spf1 mx ipv4:1.2.3.4 -all"

    Please remember to mark the replies as answers if they helped.

    Thursday, August 30, 2018 8:36 PM
  • > You shouldn't mark email messages as spam based only on the SPF check result (and antispam systems don't do it). Therefore use only the softfail policy.
    >
    > You need to implement DKIM first and after that implement DMARC. DMARC will fail only when both the SPF and DKIM checks fail.
    >
    > So you shouldn't worry about an SPF fail when DKIM is ok.
    >
    > Don't add local IP addresses to SPF!

    Very few orgs are checking DKIM and DMARC compared to just SPF. SPF is much more important to be correct. 
    Thursday, August 30, 2018 8:49 PM

  • > Very few orgs are checking DKIM and DMARC compared to just SPF. SPF is much more important to be correct.

    The SPF protocol doesn't require blocking messages if spf=fail. Therefore there is a recommendation in the RFC to always use the softfail policy and let your antispam service make the final decision whether to block the message or not. This is because there are a lot of messages from trusted sources but with spf=fail.

    Let's return to the topic starter's problem. I thought he has a problem with spf=fail only with mail transport between two domains (aka prod and test), but in other cases everything is fine with SPF (e.g. sending mail from prod to gmail.com or any other public domain). So he can leave this situation as is without any actions.

    Friday, August 31, 2018 5:57 AM
  • Hi, I got a connector on the production env to my test server. Also I got a send connector on the test Exchange to the production machine. It goes via the firewall. No routing via the internet.
    And that is no problem for me.

    I got these IPs:
    Exchange 1st test server - 192.168.11.48 (no external IP)
    Exchange 2nd test server - 192.168.11.191 (no external IP)
    Kemp load balancer 1st IP - 192.168.11.192
    Kemp LB 2nd IP - 192.168.11.194

    Also in DNS:
    mx1 - 10 name of 1st server
    mx2 - 10 name of second

    I got an external domain which can check the DNS of my test server, and it is pointed to the local IP addresses of KEMP:
    MX [20], 192.168.11.194
    MX [10], 192.168.11.192
    My test domain has the user's address manually edited to this external domain. This means that the real default address is admin@internaldomain.com (for example) and this has been changed to admin@externaldomain.com.

    In the SPF of the test domain I got:
    v=spf1 mx a ip4:192.168.11.191/32 ip4:192.168.11.48/32 ip4:192.168.11.192/32 ip4:192.168.11.194/32 -all

    And in the SPF of the external domain there is:
    TXT v=spf1 mx a ip4:192.168.11.191/32 ip4:192.168.11.48/32 -all

    Now when I send email from the production server to admin@externaldomain.com I see in the log:

    Received-SPF: SoftFail (servernameoftestenv.test.local: domain of transitioning
     productionaddress@productiondomain.com discourages use of 192.168.11.194 as permitted sender)

    I saw the KEMP manuals on making it transparent, but I do not really fully understand it, and when I try to configure it as described I do not receive mails from the production mail.
    What can I do here?

    Friday, August 31, 2018 7:50 AM
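Added example (not from the thread, KEMP or Microsoft): a small offline SPF evaluator in Python that replays the situation in this post. The DNS answers are constructed to match the IPs above, 203.0.113.25 is an assumed public address for the production server, and the productiondomain.com record `v=spf1 mx ~all` is an assumption (the thread only shows its SoftFail result). It shows that the receiver evaluates the MAIL FROM domain's record against the IP that actually connected, which after the KEMP source NAT is 192.168.11.194, and it flags the private-range mechanisms the replies warn against.

```python
import ipaddress

# Constructed DNS answers (assumption; an offline stand-in for real lookups).
# externaldomain.com's MX hosts resolve to the two KEMP addresses from the thread;
# productiondomain.com's server IP is a made-up public address.
DNS_A = {"externaldomain.com": ["192.168.11.191", "192.168.11.48"],
         "mx1.externaldomain.com": ["192.168.11.192"],
         "mx2.externaldomain.com": ["192.168.11.194"],
         "productiondomain.com": ["203.0.113.25"]}
DNS_MX = {"externaldomain.com": ["mx1.externaldomain.com", "mx2.externaldomain.com"],
          "productiondomain.com": ["productiondomain.com"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def _hosts(mech, domain):
    """IPs an 'a' or 'mx' mechanism expands to, using the constructed DNS tables."""
    names = [domain] if mech == "a" else DNS_MX.get(domain, [])
    return [ip for n in names for ip in DNS_A.get(n, [])]

def check_spf(record, domain, sender_ip):
    """Evaluate record (the SPF TXT of the MAIL FROM domain) against the IP the
    receiving server actually saw connect. Returns (result, matched term)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror", None
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qual], qual + "all"
        hit = (name == "ip4" and _in(sender_ip, arg)) or (
            name in ("a", "mx") and any(_in(sender_ip, h) for h in _hosts(name, arg or domain)))
        if hit:
            return QUALIFIERS[qual], qual + term
    return "neutral", None  # nothing matched and no 'all' mechanism present

def private_mechanisms(record):
    """ip4 mechanisms naming RFC 1918 space: no receiver on the internet can ever see
    such a source address, which is why the replies say not to put them in SPF."""
    return [t for t in record.split()
            if t.lstrip("+-~?").lower().startswith("ip4:")
            and ipaddress.ip_network(t.split(":", 1)[1], strict=False).is_private]

if __name__ == "__main__":
    # The thread's symptom: prod mail reaches the test Exchange through KEMP, so the
    # connecting IP is 192.168.11.194 and productiondomain.com's record cannot cover it.
    print(check_spf("v=spf1 mx ~all", "productiondomain.com", "192.168.11.194"))
```

Adding 192.168.11.194 to the production domain's record would silence this one check but, as the replies say, would publish an address no internet receiver can match; the evaluator's `private_mechanisms` lists exactly those entries.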
  • Throw away the local IP addresses from the SPF records.

    You don't need to care about SPF inside the local network, simply add the internal hosts' IP addresses/subnets as trusted hosts (whitelist) on both infrastructures (prod and test).

    Friday, August 31, 2018 8:31 AM
  • What do you mean - whitelist?
    Friday, August 31, 2018 8:37 AM
  • > What do you mean - whitelist?

    I don't know what antispam solutions you use at the prod and test environments. Maybe you need to add the LB or test servers' IP addresses to the scope of the Exchange receive connector on prod.
    Friday, August 31, 2018 8:43 AM