Setting up an SPF record for on-premises and hybrid Exchange domains

In this article, let's look at setting up an SPF record for an Exchange on-premises deployment and for an Exchange hybrid deployment.

Why SPF?

Nowadays the sender domain of an email can easily be forged. The core SMTP protocol does nothing to verify the envelope sender (the reverse-path, or MAIL FROM) or the domain it carries while a message transits from one mail server to the next.

Sender Policy Framework (SPF) is a simple email validation system designed to detect email spoofing. It gives receiving mail exchangers a way to check that incoming mail claiming to come from a domain is being sent from a host authorized by that domain's administrators.

By publishing an SPF record we list the hosts authorized to send mail for our domain and tell everyone that we send only through those hosts. A receiver that checks SPF compares the connecting host against that list; mail from a host that is not listed fails the check, and the receiver may reject it, quarantine it or mark it as spam, depending on the qualifier we chose and on the receiver's own policy.

This reduces spoofing of our domain and the blacklisting that follows from it: other parties can no longer use our domain name as the envelope sender, which they often do with malicious intent. It does not stop spam in general.

SPF records may define zero or more mechanisms. Mechanisms describe the set of hosts that are designated as authorized outbound mailers for the domain. The following are the common mechanisms included in an SPF record:

all | ip4 | ip6 | a | mx | ptr | exists | include

I don't want to provide a detailed explanation of SPF, since there are plenty of articles on the subject written by many experts.

Let's see how to set up an SPF record for an on-premises setup:

First choose, from the mechanisms below, the ones that describe your outbound hosts:
all,ip4,ip6,a,mx,ptr,exists,include

Below is an example record that ends with a soft-fail (~all) qualifier:

v=spf1 ip4:10.10.10.1/16 mx ptr:Sender1.domain.com include:domain.com ~all

A few things to note about it. The ip4 mechanism takes a single address or a CIDR range; 10.10.10.1/16 is only a placeholder here, because a private RFC 1918 range is never the address a receiver sees, so in a real record you list your public sending IPs (or the NAT addresses your mail leaves through). The ptr mechanism has been deprecated by RFC 7208 and receivers may ignore it, so prefer ip4, ip6 or a. The include mechanism pulls in another domain's SPF record, for example a third-party service that sends on your behalf; it must not point back at the domain that publishes this record, or evaluation loops and ends in PermError.

What the all mechanism does

all matches every host that no earlier mechanism matched, so its qualifier decides the result for everything you did not list: -all is a hard fail (receivers may reject outright), ~all is a soft fail (receivers usually accept the message but score it as suspicious or move it to the junk folder), and ?all is neutral. With an SPF record that lists your IPs, a receiver that checks SPF passes mail from those IPs and applies the all qualifier to mail from any other IP.

If you do not publish an SPF record at all, a receiver that checks SPF gets the result none, not soft fail. Many receivers then score the message as more likely to be spam and may deliver it to the junk folder, so publishing a record matters even before you tighten the qualifier.

Important notes when creating an SPF record with the all mechanism:

Make sure that you add all the required IP ranges and domain names to the SPF permitted set; anything you forget will fail the check once all is in place.

Publish the record as a TXT record. The dedicated SPF record type (type 99) was deprecated by RFC 7208 and current receivers query TXT; if you also keep a type 99 record, it must be identical to the TXT one.

How do I handle SPF records during an Office 365 hybrid migration?

If you are doing a full cutover migration from on-premises to Office 365 you do not need to touch the record until the cutover is done. Once you are fully on Office 365 the only sending hosts are Microsoft's, and the Office 365 portal shows you the exact SPF TXT record to publish for your domain (Microsoft creates it for you only when it hosts your domain's DNS).

Reason not to add it earlier:

While both systems send mail you would need to list all the existing public IPs of your on-premises email system as well as the Office 365 include, and keep that list accurate throughout the migration.
So it is better to wait until the migration completes.

If you already have an SPF record for your on-premises setup and you are in the middle of an Office 365 migration (a hybrid setup, where both sides send mail), do not delete the existing record and do not add a second one: a domain may publish only one SPF TXT record, and two of them produce PermError. Instead, add the Office 365 include to the existing record in your public DNS.

How do I find the Office 365 SPF record?

Use the one below:

v=spf1 include:spf.protection.outlook.com ~all

(Microsoft's own documentation publishes it with -all; ~all is the softer choice while you are still confirming that every sender is listed.)

Below is an example of a single record that adds the Office 365 include alongside the on-premises hosts in your public DNS (again, replace 10.10.10.1/16 with your public sending addresses):

v=spf1 ip4:10.10.10.1/16 mx ptr:Sender.domain.com include:spf.protection.outlook.com ~all

If you still need custom DNS records to route mail through services from other providers after the Office 365 migration, add those providers' mechanisms (their include or ip4 ranges) to the same SPF record, and enter the respective custom DNS records in the Office 365 portal.

[Screenshot: custom DNS records in the Office 365 portal] https://exchangequery.files.wordpress.com/2015/07/test11.png?w=600
In addition, create a PTR (reverse DNS) record in public DNS for each IP address that sends your mail; many receivers check that the connecting IP resolves back to a hostname that in turn resolves to that IP.

How to check the SPF record of your domain

Below is an example of checking it with nslookup (query type TXT, i.e. nslookup -type=TXT followed by the domain name) for the Microsoft domain:

[Screenshot: nslookup TXT query output showing the domain's SPF record] https://exchangequery.files.wordpress.com/2015/07/capture22.png?w=600&h=300


SPF implementations limit the number of mechanisms and modifiers that cause DNS lookups (include, a, mx, ptr, exists and the redirect modifier) to 10 per SPF check, and that count includes the lookups caused by any nested include records and redirects; ip4, ip6 and all cost nothing. If the limit is exceeded during a check, a PermError MUST be returned, and most receivers then treat the message as if the check had failed.
So keep your record to at most 10 DNS lookups in total, counting what the third-party includes pull in with them, and recheck whenever a provider changes its record.
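As an added example (not code from the original article, and not Microsoft's), the following Python script does offline what the nslookup check and the 10-lookup rule above describe: it parses v=spf1 records, evaluates a sending IP against ip4/ip6/include/all the way a receiver's check_host() would, counts the DNS-querying terms across nested includes, and lints a record for the mistakes discussed in the on-premises and hybrid sections (a private range in ip4, the deprecated ptr mechanism, a stray annotation pasted into the record, an include that points at itself, more than 10 lookups). DNS is replaced by a constructed table of TXT records: every domain and address in it is hypothetical and uses documentation ranges, and the contents given for spf.protection.outlook.com are invented for the example rather than Microsoft's real record. To run it against live DNS, pass a resolver callable that returns the TXT string for a name (for instance one built on dnspython) in place of the table's .get.

```python
import ipaddress

# Constructed TXT data standing in for live DNS (hypothetical domains, RFC 5737/3849
# documentation ranges); the real spf.protection.outlook.com record is not this one.
CONSTRUCTED_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 mx include:spf.protection.outlook.com ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 include:spf-a.example.net -all",
    "spf-a.example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "loop.example": "v=spf1 include:loop.example -all",           # include points at itself
    "toomany.example": "v=spf1 " + " ".join(f"include:i{n}.example" for n in range(11)) + " -all",
    "onprem.example": "v=spf1 ip4:10.10.10.1/16 mx ptr:sender1.onprem.example ~all",
    "pasted.example": "v=spf1 ip4:10.10.10.1/16 (CIDR) mx ~all",   # stray annotation pasted in
}
CONSTRUCTED_TXT.update({f"i{n}.example": "v=spf1 -all" for n in range(11)})
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS query
MAX_DNS_TERMS = 10                                                # RFC 7208 section 4.6.4
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


class PermError(Exception):
    """Malformed record, include loop, or lookup limit exceeded."""


def parse_terms(record):
    """Split a v=spf1 record into (qualifier, name, argument) triples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise PermError("record does not start with v=spf1")
    terms = []
    for raw in parts[1:]:
        qualifier, raw = (raw[0], raw[1:]) if raw[0] in "+-~?" else ("+", raw)
        name, _, arg = raw.partition("=" if "=" in raw else ":")  # redirect= vs ip4:
        name = name.split("/")[0].lower()                          # "a/24" -> "a"
        if name not in DNS_TERMS | {"ip4", "ip6", "all", "exp"}:
            raise PermError(f"unknown term {raw!r}")
        terms.append((qualifier, name, arg))
    return terms


def check_host(ip, domain, resolver=CONSTRUCTED_TXT.get, state=None):
    """RFC 7208 check_host() for ip4/ip6/include/all; a, mx, ptr, exists and redirect
    are charged against the lookup limit but never match in this offline example."""
    if state is None:                          # top-level call: fold PermError into the result
        try:
            return check_host(ip, domain, resolver, {"lookups": 0, "stack": []})
        except PermError:
            return "permerror"
    domain = domain.lower()
    if domain in state["stack"]:
        raise PermError(f"include loop through {domain}")
    record = resolver(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    state["stack"].append(domain)
    try:
        for qualifier, name, arg in parse_terms(record):
            if name in DNS_TERMS:
                state["lookups"] += 1
                if state["lookups"] > MAX_DNS_TERMS:
                    raise PermError(f"more than {MAX_DNS_TERMS} DNS-querying terms")
            if name == "all":
                return RESULT[qualifier]
            if name in ("ip4", "ip6"):
                if addr in ipaddress.ip_network(arg, strict=False):   # False across versions
                    return RESULT[qualifier]
            elif name == "include" and check_host(ip, arg, resolver, state) == "pass":
                return RESULT[qualifier]
        return "neutral"                       # ran off the end without an 'all'
    finally:
        state["stack"].pop()


def count_dns_terms(domain, resolver=CONSTRUCTED_TXT.get, stack=()):
    """DNS-querying terms over the whole include tree: the figure receivers cap at 10."""
    domain = domain.lower()
    if domain in stack:
        raise PermError(f"include loop through {domain}")
    record = resolver(domain)
    if record is None:
        raise PermError(f"{domain} publishes no SPF record (receivers get 'none', not softfail)")
    total = 0
    for _, name, arg in parse_terms(record):
        total += name in DNS_TERMS
        if name == "include":
            total += count_dns_terms(arg, resolver, stack + (domain,))
    return total


def lint(domain, resolver=CONSTRUCTED_TXT.get):
    """Findings to fix before publishing the record."""
    try:   # count_dns_terms runs first, so a missing record is reported before parsing
        total, terms = count_dns_terms(domain, resolver), parse_terms(resolver(domain.lower()))
    except PermError as err:
        return [f"PermError: {err}"]
    findings = [f"{total} DNS-querying terms exceeds the limit of {MAX_DNS_TERMS}"] if total > MAX_DNS_TERMS else []
    for _, name, arg in terms:
        if name == "ptr":
            findings.append("ptr is deprecated by RFC 7208 and receivers may ignore it")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE):
                findings.append(f"{name}:{arg} is RFC 1918/ULA space, never seen by receivers")
    return findings
```

Call check_host("8.8.8.8", "example.com") to see the ~all soft fail for an unlisted host, and lint("onprem.example") to see the two findings for the placeholder record. The lookup counter walks the whole include tree, whereas an evaluation stops at the first match; that is why a record can look fine on a quick test from your own IP and still return PermError at a receiver whose check takes the long path through every include.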

Summary:

An SPF record won't stop spam from reaching your domain. It helps prove that the mail your users send comes from hosts you authorized, so it is less likely to be marked as spam, and it makes it harder for anyone else to spoof your domain.