0

I'm setting up a SPF record on our domain and I'm not sure what SPF record I should be using.

We have Exchange 2013 set to send out using our e-mail filtering company as a Smart Host, and their host is the latest host that appears in the header of an e-mail, but also mentioned in the header is our own server - what should our SPF record look like?

I sent an e-mail from our company to my personal iCloud account and here are the headers:

Received:from mr28p00im-smtpin034.me.com ([17.110.71.33]) by ms02592.mac.com (Oracle Communications Messaging Server 7.0.5.36.0 64bit (built Sep 8 2015)) with ESMTP id <0OBA00LMZJH4O270@ms02592.mac.com> for personal_mail@me.com; Tue, 02 Aug 2016 16:36:41 +0000 (GMT)

Original-recipient:rfc822;personal_mail@me.com

Received:from smtp001.apm-internet.net (smtp001-out.apm-internet.net [85.119.248.222]) by mr28p00im-smtpin034.me.com (Oracle Communications Messaging Server 7.0.5.38.0 64bit (built Feb 26 2016)) with ESMTPS id <0OBA0063WJH1OK10@mr28p00im-smtpin034.me.com> for personal_mail@me.com (ORCPT personal_mail@me.com); Tue, 02 Aug 2016 16:36:40 +0000 (GMT)

Authentication-results:mr28p00im-smtpin038.me.com; spf=none (mr28p00im-smtpin038.me.com: work_email@company.com does not designate permitted sender hosts) smtp.mailfrom=work_email@company.com;

Received-SPF:none (mr28p00im-smtpin038.me.com: work_email@company.com does not designate permitted sender hosts) receiver=mr28p00im-smtpin038.me.com; client-ip=85.119.248.222; helo=smtp001.apm-internet.net; envelope-from=work_email@company.com;

Received:(qmail 98779 invoked from network); 2 Aug 2016 16:36:36 -0000

Received:from unknown (HELO mail.company.com) (185.75.105.226) by smtp001.apm-internet.net with SMTP; 2 Aug 2016 16:36:36 -0000

Received:from Exchange.company.local (192.168.100.34) by Exchange.company.local (192.168.100.34) with Microsoft SMTP Server (TLS) id 15.0.847.32; Tue, 2 Aug 2016 17:36:33 +0100

Received:from Exchange.company.local ([fe80::2525:838f:2ff6:72]) by Exchange.company.local ([fe80::2525:838f:2ff6:72%12]) with mapi id 15.00.0847.030; Tue, 2 Aug 2016 17:36:33 +0100
user598200

3 Answers

1

If your e-mail filtering company is the only way email is sent from your Exchange server to external recipients, i.e. your server never sends directly, then the SPF record should only mention the filtering company.

An SPF record in the simplest case is used by a destination as a means to validate "what server(s) is allowed to contact me directly and send email purporting to come from a given domain"; the fact that it may have traversed a few hops beforehand doesn't matter.

bodgit
  • Yes, we're currently sending all e-mail via Exchange which in turn uses the Smart Host. Thank you for explaining that we only need to add the Smart Host. In future we are going to switch to sending e-mail directly, at that point do we use `mail.company.com` or `Exchange.company.local` in the SPF? – user598200 Aug 02 '16 at 17:56
  • If the filtering company are listed as the MX records you can just use something like `v=spf1 mx -all` which says any host listed in an MX record is also allowed to send, so if/when you make the Exchange server send (and I assume receive) directly by updating the MX records you shouldn't need to touch the SPF record. – bodgit Aug 02 '16 at 19:12
  • Our MX records are `a.mx.apm-internet.net.` and `b.mx.apm-internet.net.`. The mail headers appear as `smtp001.apm-internet.net` so will `v=spf1 mx -all` still work? – user598200 Aug 02 '16 at 20:26
  • It's ultimately based on IP addresses rather than hostnames; if incoming and outgoing servers have different IP addresses then that wouldn't work. If your filtering company maintain their own SPF record then you *could* do something like `v=spf1 include:apm-internet.net -all`. The SPF spec is here: http://www.openspf.org/SPF_Record_Syntax – bodgit Aug 02 '16 at 20:50
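The point made in the comments above, that a receiver checks the connecting IP against the record's mechanisms, can be seen in a small evaluator. This is an added example, not code from the thread: it covers only `ip4`, `a`, `mx`, `include` and `all`, and it runs against constructed DNS data in which the MX host addresses and the `apm-internet.net` SPF record are assumptions.

```python
import ipaddress

# Constructed DNS data. Only 85.119.248.222, 185.75.105.226 and the host names
# appear in the thread; the MX addresses and the apm-internet.net SPF record
# are assumptions made up for this example.
DNS = {
    ("company.com", "MX"): ["a.mx.apm-internet.net", "b.mx.apm-internet.net"],
    ("a.mx.apm-internet.net", "A"): ["192.0.2.10"],
    ("b.mx.apm-internet.net", "A"): ["192.0.2.11"],
    ("smtp001.apm-internet.net", "A"): ["85.119.248.222"],
    ("apm-internet.net", "TXT"): ["v=spf1 ip4:85.119.248.0/24 -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def hosts_match(ip, names, cidr):
    """True if ip is inside the /cidr network around any A record of names."""
    return any(ip in ipaddress.ip_network(f"{addr}/{cidr}", strict=False)
               for name in names for addr in DNS.get((name, "A"), []))

def check_spf(client_ip, domain, record=None, depth=0):
    """Evaluate an SPF record (ip4, a, mx, include, all only) for an IPv4 client."""
    if record is None:  # look the policy up, as a receiver would
        txt = [t for t in DNS.get((domain, "TXT"), []) if t.startswith("v=spf1")]
        if not txt:
            return "none"
        record = txt[0]
    if depth > 10:  # guard against include loops (simplified lookup limit)
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        body, _, cidr = term.lstrip("+-~?").partition("/")
        name, _, arg = body.partition(":")
        if name == "all":
            return RESULT[qual]
        if name == "ip4":
            hit = ip in ipaddress.ip_network(f"{arg}/{cidr or 32}", strict=False)
        elif name == "include":  # matches only when the included policy passes
            hit = check_spf(client_ip, arg, depth=depth + 1) == "pass"
        elif name in ("a", "mx"):  # bare "a"/"mx" refer to the domain itself
            target = arg or domain
            names = [target] if name == "a" else DNS.get((target, "MX"), [])
            hit = hosts_match(ip, names, cidr or 32)
        else:
            return "permerror"
        if hit:
            return RESULT[qual]
    return "neutral"  # no mechanism matched and no "all" term
```

With this constructed data, `check_spf("85.119.248.222", "company.com", "v=spf1 mx -all")` returns `fail` because the outbound relay's address is not one of the MX addresses, while the `include:` form returns `pass`. Calling it with no record returns `none`, the same result the `Received-SPF` header in the question reports.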
0

Something like: `company.com. IN TXT "v=spf1 a:smtp001.apm-internet.net"`

cormpadre
0

The smarthost smtp001.apm-internet.net probably rotates IPs, and you should ask your provider to give you the IP range they use on their smarthost server. Without it, you can't create a "perfect" SPF record.

What should work is

`company.com. in TXT "v=spf1 mx a:smtp001.apm-internet.net/24 ~all"`

RonanW.