Exchange 2010 SPF Record

Hello All, I have the following question with respect to Exchange 2010 Mail Flow:

Often servers do not allow SMTP connection if sending SMTP Server does not have the SPF Record. Currently, I do not have any SPF record defined in my external domain. So, my question is: how can we create an SPF record in the external domain? What is the syntax and what should be present in the server? Would it cause any undesirable effects?

August 16th, 2015 4:07am

I don't agree with your statement "Often servers do not allow SMTP connection if sending SMTP Server does not have the SPF Record."

SPF records are not very common - they are not in widespread use enough for sites to use it as a hard fail method. If they were, then they would drop a lot of email. The most you can use SPF records for is scoring as part of a spam filtering system. However if you get the SPF record wrong, then you can find email delivery issues, as sites will often presume that the record is correct if you have gone to the trouble of creating one. Therefore if you aren't 100% sure it is correct, then you shouldn't use one.

The SPF project has all the information that you need for SPF record creation.

http://www.openspf.org/

There are many wizards on the internet that will create the text required for the entry - just put "spf wizard" into your favourite search engine.

The record is created on your external DNS provider - most of whom will have a format for you already to populate the information.

Simon.

August 16th, 2015 6:17am

Thanks for the reply.

I used the Microsoft wizard and it gave me the following at the end:

v=spf1 mx mx:mail.domain.com ip4:1.1.1.1 ~all

Does this look normal?

Is it ok?

August 16th, 2015 6:53am

Hi,

Yes, it looks normal. But most of them have -all or ?all at the end.

Also note you need to have reverse DNS entries for making the domain valid in some cases.

Most of the time the receiving server record matches the sender hence you have the valid mx record for use.

Some sample records.

v=spf1 mx ptr mx:mail.contoso.com mx:mail2.contoso.com mx:mail3.contoso.com all

v=spf1 mx ptr mx:mail.contoso.com ip4:182.15.22.3 ?all

v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all

v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 include:spf.protection.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all


SPF Record Syntax

http://www.openspf.org/SPF_Record_Syntax

Authenticating with SPF: -all or ~all

https://wordtothewise.com/2014/06/authenticating-sp

August 17th, 2015 1:58am

Thanks for the reply.

I changed it a bit and the following was provided at the end of the wizard:

v=spf1 mx ptr mx:mail.domain.com ip4:1.1.1.1 ~all

Is this fine?

I am seeing some results for domains which have defined the record very differently like:

Microsoft

"v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all"

"FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ=="

Yahoo

"v=spf1 redirect=_spf.mail.yahoo.com"

ABC

"MS=ms74524569"

"v=spf1 ip4:1.1.1.1 ip4:2.2.2.26 include:spf.protection.outlook.com ~all"

Can you elaborate a little on the difference? Thanks.

August 18th, 2015 2:23am

Hi,

We had already shared the articles explaining the details.

August 18th, 2015 3:32am

Thanks for the reply.

But can you confirm whether my wizard resulted in the correct format and syntax? It is different from the one I shared before.

August 18th, 2015 5:18am

Yes, it's correct.

August 18th, 2015 8:35am

Thanks, appreciate it.

Had to change it again because I was required to add PTR for another service. So, after rerunning the wizard, the wizard comes back with this:

v=spf1 mx ip4:1.1.1.1 mx:mail.domain.com -all

August 18th, 2015 10:15am
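
Added example, not part of the thread: a small Python linter for SPF strings like the ones discussed above, run on the three wizard outputs the original poster shared. It checks syntax only and makes no DNS queries; the function name `lint_spf` is hypothetical, and the lookup limit and `ptr` advice come from RFC 7208.

```python
import ipaddress

# Terms that trigger a DNS query; RFC 7208 allows at most 10 per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(record):
    """Return (result_for_unlisted_senders, dns_lookups, warnings)."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None, 0, ["not an SPF record: must start with v=spf1"]
    default, lookups, warnings = None, 0, []
    for term in terms[1:]:
        if "=" in term.split(":")[0]:              # modifier such as redirect=
            if term.lower().startswith("redirect="):
                lookups, default = lookups + 1, default or "redirect"
            continue
        # A missing qualifier means "+" (pass).
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = body.partition(":")
        name = name.split("/")[0].lower()          # drop CIDR suffix on a/mx
        if name not in MECHANISMS:
            warnings.append(f"unknown mechanism '{term}'")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            warnings.append("ptr is discouraged by RFC 7208 (slow, unreliable)")
        elif name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    raise ValueError
            except ValueError:
                warnings.append(f"bad address in '{term}'")
        elif name == "all":
            default = QUALIFIERS[qualifier]
            if qualifier == "+":
                warnings.append("'all' with pass qualifier authorizes every sender")
    if default is None:
        warnings.append("no 'all' or redirect: unlisted senders get neutral")
    if lookups > 10:
        warnings.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return default, lookups, warnings

# The three wizard outputs from the thread (domain and IP are the poster's placeholders).
for rec in ("v=spf1 mx mx:mail.domain.com ip4:1.1.1.1 ~all",
            "v=spf1 mx ptr mx:mail.domain.com ip4:1.1.1.1 ~all",
            "v=spf1 mx ip4:1.1.1.1 mx:mail.domain.com -all"):
    print(rec, "->", lint_spf(rec))
```

A clean lint result only means the string is well formed; whether the listed hosts are the ones that actually send your mail still has to be checked against your outbound path.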

This topic is archived. No further replies will be accepted.
