DNS spf record for Microsoft
The spf record for Microsoft has a “ ~ALL “. What does this do and how do we make use of the same for our domain names?
NSLOOKUP Output for Microsoft.com:
> server 4.2.2.1
Default Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
> set type=ANY
> microsoft.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1
Non-authoritative answer:
microsoft.com text =
"v=spf1 mx include:_spf-a.microsoft.com include:_spf-b.microsoft.com inc
lude:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com ~all"
microsoft.com
primary name server = dns.cp.msft.net
responsible mail addr = msnhst.microsoft.com
serial = 2007053102
refresh = 300 (5 mins)
retry = 600 (10 mins)
expire = 2419200 (28 days)
default TTL = 3600 (1 hour)
microsoft.com MX preference = 10, mail exchanger = maila.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailc.microsoft.com
microsoft.com internet address = 207.46.232.182
microsoft.com internet address = 207.46.197.32
microsoft.com nameserver = ns4.msft.net
microsoft.com nameserver = ns5.msft.net
microsoft.com nameserver = ns1.msft.net
microsoft.com nameserver = ns2.msft.net
microsoft.com nameserver = ns3.msft.net
==
Thanks,
Mechanisms are prefixed with qualifiers:
"+" Pass
"-" Fail
"~" SoftFail
"?" Neutral
Mechanisms are evaluated in order and when no matche, the default will be "Neutral".
If there is no SPF for a domain, the result is "None". If a domain has a temp error during DNS processing, you get the result "TempError" (called "error" in earlier drafts). If some kind of syntax or evaluation error occurs (eg. the domain specifies an unrecognized
mechanism) the result is "PermError" (formerly "unknown").
Evaluation of an SPF record can return any of these results:
Pass -The SPF record designates the host to be allowed to send accept
Fail -The SPF record has designated the host as NOT being allowed to send reject
SoftFail - The SPF record has designated the host as NOT being allowed to send but is in transition accept but mark
Neutral - The SPF record specifies explicitly that nothing can be said about validity accept
None - The domain does not have an SPF record or the SPF record does not evaluate to a result accept
PermError - A permanent error has occured (eg. badly formatted SPF record) unspecified
TempError - A transient error has occured accept or reject
Marcus @ www.wormy.com
Similar Messages
-
Trying to configure BIND in Snow Leopard Server so I can migrate current DNS to an XServe. My goal is to be able to use Server Admin for as much as possible, but I know this won't be entirely possible in my setup (wildcards, bizarre reverse delegation limit my options here). I've used generic names here on purpose, but yes, I do know what I am doing.
Currently, I'm trying to create an A record for a domain so that I users will hit my website whether they enter domain.com or www.domain.com. I have the following entry to my domain in SA:
+domain.com. Machine 1.2.3.4+
I verified that this entry was correct in the zone file itself. Indeed, I found the following entry in the appropriate zone file:
+domain.com. IN A 1.2.3.4+
However, when I attempt to query the server using dig, I do not get an answer:
dig a domain.com @server.domain.com
; <<>> DiG 9.6.0-APPLE-P2 <<>> a domain.com @server.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16570
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;domain.com. IN A
;; AUTHORITY SECTION:
domain.com. 10800 IN SOA server.domain.com. admin.domain.com. 2010070702 86400 3600 604800 345600
;; Query time: 10 msec
;; SERVER: 1.2.3.4#53(1.2.3.4)
;; WHEN: Fri Jul 9 06:02:13 2010
;; MSG SIZE rcvd: 95
What am I missing here?Be aware that this is not a production server yet, and I acknowledge that this isn't fully kosher yet. I am just testing the config to see if it will work.
Server is 206.123.100.18. Zone is a3dtech.com. Zone file:
;GUID=4EAE5E10-15F4-457B-8CAC-D9702FB1E186
;selfResolvingHostname=0
$TTL 10800
a3dtech.com. IN SOA ns1.a3dauto.com. admin.a3dauto.com. (
2010070901 ;Serial
86400 ;Refresh
3600 ;Retry
604800 ;Expire
345600 ;Negative caching TTL
a3dtech.com. IN NS ns1.a3dauto.com.
a3dtech.com. IN NS ns2.a3dauto.com.
* IN A 206.123.100.18
a3dtech.com. IN A 206.123.100.18
mail IN CNAME mail.a3dauto.com.
svn IN CNAME daniel.a3dauto.com.
a3dtech.com. IN MX 10 mail.a3dauto.com. -
Added v=spf1 include:spf.protection.outlook.com -all and the txt token for the Exchange 2013 hybrid configuration, now some mails bounced back with the error "SPF Unauthorized mail is prohibited". What could be the cause? Should I customized
the SPF record but it is not mentioned in the procedures for Hybrid configuration to do that.Hi,
Would you like to mark Ed's reply as an answer so that others can find the solution easily.
Have a nice day : )
Thanks
Mavis
Mavis Huang
TechNet Community Support -
Creating a DNS Record for a Host with Two or More IP???
Can we create DNS A Record for a Host with Two or More IP ... ( we like to use my website "mysite.com" pointing to two Ips )
Please help...Sure, no worries.
In a production environment DNS will query always the first record it will stores in cache, you need to find a dynamic or NLB way to achieve the automatic fail over else when you will have an outage with the first IP, then you need to ask your clients to
clear the cache and register to DNS again, this i will not suggest in a production environment, lots of manual efforts and doesnt sound like a solution in a production environment, i would suggest you to explore windows NLB, it's easy to set and use the OS
license.
Thanks
Inderjit -
DNS SPF settings to reduce backscatter to catchall...
I use the mail.btinternet.com outbound server to send messages from [email protected]
Spammers are sending messages, spoofing the from address as [email protected]
These spam messages bounce back to my catchall account as undeliverable.
I want to set a SPF type DNS record to help mail servers distinguish between genuine mail from me and spoofed mail from spammers.
Can anyone advise what that SPF record should contain, to allow mail.btinternet.com and exclude others?
Many thanks for any help,
Nigel.Thank you. But do I actually need such a record? I'm hoping I can modify the SPF record for mydomain.co.uk to include permission to use the btmail server, which is something like ...cpcloud.co.uk.
Nigel. -
Dear all,
We have SPF record for our outgoing mail server. The problem is when a user sends test mail from blackberry handset to his own company id, mails are going to Junk folder.
I checked the Internet message header in owa. it is showing following message.
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.5705.600;SID:SenderIDStatus SoftFail;OrigIP:178.239.85.10
X-MS-Exchange-Organization-SCL: 6
smtp05.bis7.eu.blackberry.com (178.239.85.10)
do I need to add something to our spf record?
Please help
AnishHi Anish,
According to the error message, it seems the IP is outside the IP range that is defined in the SPF record. It is soft fail, your Exchange server accept the message and mark it as a Junk email.
You can try to add the 178.239.85.10 ip into the SPF record for testing.
I suggest use http://mxtoolbox.com/blacklists.aspx to check whether the 178.239.85.10 ip in the blacklist and whether the ip is security.
Disclaimer:
Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure
that you completely understand the risk before retrieving any suggestions from the above link.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
SRV Record for TC Software(SX20,C20)
Hi all,
We tested DNS SRV record for two VCS-Cs that are not clustered.
MCU works fine with those SRV records, but C20, SX20 do not work.
Can't TC endpoints receive SRV records?
VCS:X8.2.1
MCU5300:4.5(1.45)
C20,SX20:TC7.2.0
Best Regards,
KotaroHi Patrick,
Sorry for the late reply.
I mentioned "MCU works fine with those SRV records, " but actually it didn't work.
The MCU just received two GKs IP addresses as Alternative Gatekeeper.
Now we use records below.
We configure "vcs1.test.local" as an SX20's Gatekeeper.
But when "vcs1.test.local" fails, the SX20 never register with "vcs2.test.local".
=====DNS Records=====
vcs1.test.local(A) and its Pointer record.
vcs2.test.local(A) and its Pointer record.
_h323cs._tcp.test.local
priority=1
weight=0
port=1720
svr hostname=vcs1.test.local
_h323cs._tcp.test.local
priority=10
weight=0
port=1720
svr hostname=vcs2.test.local
_h323ls._udp.test.local
priority=1
weight=0
port=1719
svr hostname=vcs1.test.local
_h323ls._udp.test.local
priority=10
weight=0
port=1719
svr hostname=vcs2.test.local
_h323rs._udp.test.local
priority=1
weight=0
port=1719
svr hostname=vcs1.test.local
_h323rs._udp.test.local
priority=10
weight=0
port=1719
svr hostname=vcs2.test.local
Best Regards,
Kotaro -
Does anyone know about this? If so is this separate from the MX record? IS it really needed? Opinions please...
The SPF record and the MX record are two different things.
You can get some background concerning SPF records at:
http://www.openspf.org/Introduction
It is a good idea to publish a SPF record; however, (in my opinion) I would set the SPF record so that it will SoftFail ("~all").
Whether to have SpamAssassin evaluate SPF records (by installing the SPF perl module, see the instructions here: http://discussions.apple.com/thread.jspa?messageID=3813471 ) as a method to filter spam is another issue. Pterobyte did a stellar job of evaluating whether or not to do so. You can read his posts concerning this issue here (his conclusion, and I agree, is not to bother):
http://discussions.apple.com/thread.jspa?messageID=3800656
This matter is "kind" of like one of those liberal vs. conservative political issues that many folks have an opinion about, but I'll try and give you my experience with this. Back in January I set SpamAssassin to evaluate SPF records for the purpose of filtering for spam. I eventually removed the filtering for the reasons Pterobyte outlined and the reasons below:
(1) Most Domains SoftFail.
From what I can tell most domains that I was seeing coming through either had no SPF record or had a record that ended in ~a (SoftFail). Given this fact, SpamAssassin wasn't able to make heads-or-tails of most SPF records for spam filtering purposes.
As a side note, SPF seemed hard to implement when a company had several mobile users. So, I got the impression that many companies would just set their SPF to softfail for that reason.
(2) Spammers Can Publish an SPF Record
A spammer can post an SPF record, so SpamAssassin doesn't give a SPF_Pass much weight.
(3) The Rare Exception
The only time I could really see that SPF record evaluation was going to make a solid impact was with domains that had SPF records ending in -a, and the only time that it was going to make a difference was when a spammer was spoofing a domain with a record ending in -a.
I only did this for a few days mind you ... but I just wasn't seeing any spam that met that condition that wouldn't have been caught anyway.
I felt like the load on my server's resources was a bit much given the limited impact the checks were having. -
While running dcdiag /test:dns getting Warning: The AAAA record for this DC was not found
DCDIAG /test:dns result is pested here.
C:\Users\administrator.SUD>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MUM-ADS-01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\MUM-ADS-01
Starting test: Connectivity
......................... MUM-ADS-01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\MUM-ADS-01
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... MUM-ADS-01 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : sud
Running enterprise tests on : sud.in
Starting test: DNS
Test results for domain controllers:
DC: MUM-ADS-01.sud.in
Domain: sud.in
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Forwarders/Root hints (Forw)
Error: Root hints list has invalid root hint server:
a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server:
b.root-servers.net. (128.9.0.107)
Error: Root hints list has invalid root hint server:
c.root-servers.net. (192.33.4.12)
Error: Root hints list has invalid root hint server:
d.root-servers.net. (128.8.10.90)
Error: Root hints list has invalid root hint server:
e.root-servers.net. (192.203.230.10)
Error: Root hints list has invalid root hint server:
f.root-servers.net. (192.5.5.241)
Error: Root hints list has invalid root hint server:
g.root-servers.net. (192.112.36.4)
Error: Root hints list has invalid root hint server:
h.root-servers.net. (128.63.2.53)
Error: Root hints list has invalid root hint server:
i.root-servers.net. (192.36.148.17)
Error: Root hints list has invalid root hint server:
j.root-servers.net. (192.58.128.30)
Error: Root hints list has invalid root hint server:
k.root-servers.net. (193.0.14.129)
Error: Root hints list has invalid root hint server:
l.root-servers.net. (198.32.64.12)
Error: Root hints list has invalid root hint server:
m.root-servers.net. (202.12.27.33)
TEST: Delegations (Del)
Error: DNS server: sud-ad.sud.in. IP:<Unavailable>
[Missing glue A record]
TEST: Records registration (RReg)
Network Adapter
[00000006] Intel(R) PRO/1000 MT Network Connection:
Warning:
Missing AAAA record at DNS server 10.1.6.132:
MUM-ADS-01.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.132:
gc._msdcs.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.133:
MUM-ADS-01.sud.in
Warning:
Missing AAAA record at DNS server 10.1.6.133:
gc._msdcs.sud.in
Warning: Record Registrations not found in some network adapters
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.63.2.53
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.8.10.90
DNS server: 128.9.0.107 (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.9.0.107
DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.112.36.4
DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.203.230.10
DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.33.4.12
DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.36.148.17
DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.5.5.241
DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.58.128.30
DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 193.0.14.129
DNS server: 198.32.64.12 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 198.32.64.12
DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 198.41.0.4
DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 202.12.27.33
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: sud.in
MUM-ADS-01 PASS WARN FAIL FAIL PASS WARN n/a
......................... sud.in failed test DNSHi Meinolf,
Please find the IP Details as well as DNS test results.
C:\Users\Administrator.SCI>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = MDCDCDNS
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: MDC-Powai\MDCDCDNS
Starting test: Connectivity
......................... MDCDCDNS passed test Connectivity
Doing primary tests
Testing server: MDC-Powai\MDCDCDNS
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
ERROR: NO DNS servers for IPV6 stack was found
......................... MDCDCDNS passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : sci
Running enterprise tests on : sci.com
Starting test: DNS
Test results for domain controllers:
DC: MDCDCDNS.sci.com
Domain: sci.com
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Records registration (RReg)
Network Adapter
[00000009] Microsoft Virtual Network Switch Adapter:
Warning:
Missing AAAA record at DNS server 10.64.7.32:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.32:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.35:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.64.7.35:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.72:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.72:
gc._msdcs.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.71:
MDCDCDNS.sci.com
Warning:
Missing AAAA record at DNS server 10.20.33.71:
gc._msdcs.sci.com
Warning: Record Registrations not found in some network adapters
MDCDCDNS PASS WARN PASS PASS PASS WARN n/a
......................... sci.com passed test DNS
C:\Users\Administrator.SCI>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : MDCDCDNS
Primary Dns Suffix . . . . . . . : sci.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : sci.com
Ethernet adapter Local Area Connection 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : External Internal Virtual Network
Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.64.7.32(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.64.7.1
DNS Servers . . . . . . . . . . . : 10.64.7.32
10.64.7.35
10.20.33.72
10.20.33.71
NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Local Area Connection 6:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TEAM : Team #1
Physical Address. . . . . . . . . : 00-14-4F-CA-83-AC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IPv4 Address. . : 169.254.105.163(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{2D5A4A27-298F-48E5-A376-EA886EF1E
42A}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{14FA7CD4-8B69-4C86-A58B-056793B7D
901}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Please check and revert back for any queries..
Thanks...
Deva Self-trust is the first secret of success. -
#554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##
Hi,
This is my first post here.
My exchange server of late is facing a peculiar problem. I get the error message that I have posted below when sending mails to any outside domain. However when I restart the server the mails can be resend to the address without any issue. After a certain
time again the issue pops up upon which I am forced to restart the server again. I am running 2007 Exchange on Windows 2003.
Generating server: name.mydomain.com
[email protected]
#554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##
[email protected]
#554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##
Original message headers:
Received: from name.mydomain.com ([1xx.xxx.xxx.xx5]) by MHDMAILS.mouwasat.com
([1xx.xxx.xxx.xx5]) with mapi; Wed, 19 Oct 2011 08:56:29 +0300
From: <[email protected]>
To: <[email protected]>
CC: "Al Alami,Tareq" <[email protected]>
Date: Wed, 19 Oct 2011 08:56:27 +0300
Subject: RE:
Thread-Topic:
Thread-Index: AcyAQ5tu8z9CvBfdT5+1pcGQkk6x0AIuwczAAAGZjeABQyW5sAADeeJQAAETNDA=
Message-ID: <[email protected]>
References: <[email protected]com>
<[email protected]com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
boundary="_004_EEC8FA6B3B286A4E90D709FECDF51AA06C0588CA11namedomain_";
type="multipart/alternative"
MIME-Version: 1.0On Sun, 23 Oct 2011 15:05:15 +0000, Jobin Jacob wrote:
>
>
>Even af
>
>ter removing my domain from the send connector I continue to receive the error. I would like to say I do have a firewall, Cyberoam. However, it was the same configuration till now in the firewall. I did try Mx lookup and found the following.
>
>Could there be any other solution to this issue ?
Sure, but it's necessary to ask a lot of questions since none of us
know how your organization is set up.
I see you also have "Use the External DNS Lookup settings on the
transport server" box checked. How have you configured the "External
DNS Lookups" on the HT server's property page? Is there any good
reason why you aren't just using your internal DNS servers? If the
internal DNS servers are configured to resolve (or forward) queries
for "external" domains then there's no reason to use that checkbox. In
most cases checking that box is a mistake.
http://technet.microsoft.com/en-us/library/aa997166(EXCHG.80).aspx
The behavior you describe (it works for a while and then fails;
restarting the server returns it to a working state) sure sounds like
some sort of DNS problem.
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP -
Leopard DNS Server: Zones with SPF records?
Hi all,
I'm trying to figure out how to setup SPF (Sender Policy Framework) records for some domains I'm currently managing with a Leopard DNS server and I don't see any documentation anywhere. Can someone please tell me if it's even an option? I'm new to running DNS with Leopard, so I could use all the help I can get.
Sincerely,
Israel
Message was edited by: Israel Thompson
Message was edited by: Israel ThompsonIsrael Thompson wrote:
So let me see if I have this right. Any changes I want to make that will not be editable in the GUI, I want to do them in db.mydomain.com instead of db.mydomain.com.zone.apple? Easy enough. However I tried adding "v=spf1 a mx ~all" (with quotes) to my file and it appeared to have broken the dns zone. What’s the proper way to enter these in manually? Can you give me an example of how it looks in your zone files? I’ve pasted a sample of mine below. Tell me if anything is wrong.
Israel,
I am new to Leopard Server - so I'm no DNS guru. I, too, have not used a DNS setup tool that requires a FQDN just associate an IP with the base of the domain (mydomain.com.). How did you get your 'mydomain.com. IN A 11.22.33.44' accomplished? Did you create a new A record and put mydomain.com. in the Machine Name field?
Here's my setup:
========================
db.mydomain.com
========================
;THE FOLLOWING INCLUDE WAS ADDED BY SERVER ADMIN. PLEASE DO NOT REMOVE.
$INCLUDE /var/named/zones/db.mydomain.com.zone.apple
========================
db.mydomain.com.zone.apple
========================
$TTL 10800
mydomain.com. IN SOA ns1.mydomain.com. admin.mydomain.com. (
2008010951 ;Serial
7200 ;Refresh
3600 ;Retry
604800 ;Expire
345600 ;Negative caching TTL
mydomain.com. IN NS ns1.mydomain.com.
mydomain.com. IN NS ns.mydomain.com.
mydomain.com. IN A 64.251.168.218
mydomain.com. IN TXT "v=spf1 ip:64.251.168.218 ip:64.251.168.220 ~all"
www IN A 64.251.168.218
mail.mydomain.com. IN A 64.251.168.220
mail.mydomain.com. IN TXT "v=spf1 a ~all"
xserve.mydomain.com. IN A 64.251.168.218
xserve.mydomain.com. IN TXT "v=spf1 a ~all"
ns IN A 64.251.168.218
ns1 IN A 64.251.168.220
mydomain.com. IN MX 10 mail.mydomain.com.
... where xserve.mydomain.com is my machine's hostname.
I have a funky setup for DNS because I don't have a different, or second, DNS server (just the one on my Xserve with everything else) and my name servers are under this zone. I added the two IPs for my mail and hostname to the base SPF record. Someone could still spoof from using the name or www domains (same IPs) but I can check for it using Postfix up front. I also added "v=spf1 a ~all" in case another mail server tries to check the mailing server or hostname directly.
You'll usually want to set a TXT "v=spf1 ~all" (SPF null) for any records that have no possibility for mail origins, like your ftp and mobile, but it appears you also have a similar issue to me - those services will be running under the same IPs as the mail service. This is why I added "v=spf1 a ~all" to all essential services (mail and hostname). I don't know what will happen if you add an SPF null to an unnecessary service that happens to also have the same IP. (Will the IP get blocked in a cache during a lookup??) So I didn't add an SPF TXT to those domains. I'm a little confused at this point. I should probably read more about it.
http://www.openspf.org/FAQ/Common_mistakes
Also, you'll notice I added FQDN to mail and xserve. If I do this and ensure they are in my reverse DNS PTR records then I've seen that when I add new zone records with same IPs (like for another domain) then the PTR records don't keep switching to the newest entry (why does it do that?).
I don't think your use of the . in the CNAME records is correct. I think the CNAME records are probably unnecessary since you have already fully defined the domains in A records. Also, those A records probably don't need FQDNs (with the ending .). I only added mine for the reason noted above, concerning the PTR records.
I hope someone who knows some more than I can chime in on this.
Larry
Message was edited by: Larry_S (removed mx from SPF TXT for main domain record, as it was redundant with the ip:) -
The BC migration instructions here http://adobebcmigration.com/instructions say to add "v=spf1 mx include:worldsecuresystems.com ~all"
My existing SPF record as an Office 365 customer was:
"v=spf1 include:spf.protection.outlook.com -all"
I have changed it to:
"v=spf1 include:spf.protection.outlook.com include:worldsecuresystems.com -all" (note without MX)
What is the MX for in your instructions? Is it required? I don't want to break the Microsoft SPF record by adding it.
Also, I believe the ~ (tilde) is wrong and should be a hyphen?I'm eager to know this too... anyone have an answer? I hope this thread doesn't get lost in the fray.
-
Hello,
I am trying to send an email from IP: 64.32.183.2 to email: [email protected] and get this bounce back email.
Do any of you know what I need to create on the TXT record for the DNS? I've created an SPF record but still get an error message.
See the testconnectivity results below. Any help would be appreciated!
Performing Outbound SMTP Test
The outbound SMTP test failed.
Additional Details
Elapsed Time: 24104 ms.
Test Steps
Attempting reverse DNS lookup for IP address 64.32.183.2.
The Microsoft Connectivity Analyzer successfully resolved IP address 64.32.183.2 via reverse DNS lookup.
Additional Details
The Microsoft Connectivity Analyzer resolved IP address 64.32.183.2 to host smtp.wemanageproperties.com.
Elapsed Time: 86 ms.
Performing Real-Time Black Hole List (RBL) Test
Your IP address wasn't found on any of the block lists selected.
Additional Details
Elapsed Time: 23609 ms.
Test Steps
Checking Block List "SpamHaus Block List (SBL)"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 901 ms.
Checking Block List "SpamHaus Exploits Block List (XBL)"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 872 ms.
Checking Block List "SpamHaus Policy Block List (PBL)"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 1045 ms.
Checking Block List "SpamCop Block List"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 91 ms.
Checking Block List "NJABL.ORG Block List"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 8349 ms.
Checking Block List "SORBS Block List"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 3773 ms.
Checking Block List "MSRBL Combined Block List"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 241 ms.
Checking Block List "UCEPROTECT Level 1 Block List"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 71 ms.
Checking Block List "AHBL Block List"
The address isn't on the block list.
Additional Details
IP address 64.32.183.2 wasn't found on RBL.
Elapsed Time: 8262 ms.
Performing Sender ID validation.
Sender ID validation failed.
Additional Details
Elapsed Time: 407 ms.
Test Steps
Attempting to find the SPF record using a DNS TEXT record query.
The SPF record was found.
Additional Details
SPF record found: "v=spf1 a mxv=spf1 a mx a:corepoweryoga.com mx:exchange.corepoweryoga.com ip4:173.239.121.125 a mx ~all"
Elapsed Time: 87 ms.
Parsing the SPF record and evaluating mechanisms and modifiers.
SPF record evaluation resulted in a Sender ID failure.
Additional Details
Elapsed Time: 320 ms.
Test Steps
Evaluating A Record lookup mechanism: "+a"
Additional Details
The DNS A Record lookup for IP address 64.32.183.2 found no match for domain 'corepoweryoga.com'.
Elapsed Time: 2 ms.
Evaluating A Record lookup mechanism: "+a"
Additional Details
The DNS A Record lookup for IP address 64.32.183.2 found no match for domain 'corepoweryoga.com'.
Elapsed Time: 0 ms.
Evaluating MX mechanism: "+mx"
Additional Details
No MX records for domain corepoweryoga.com matched the specified IP address.
Elapsed Time: 123 ms.
Evaluating A Record lookup mechanism: "+a:corepoweryoga.com"
Additional Details
The DNS A Record lookup for IP address 64.32.183.2 found no match for domain 'corepoweryoga.com'.
Elapsed Time: 0 ms.
Evaluating MX mechanism: "+mx:exchange.corepoweryoga.com"
Additional Details
No MX records exist for exchange.corepoweryoga.com.
Elapsed Time: 84 ms.
Evaluating IP address mechanism: "+ip4:173.239.121.125"
Additional Details
IP address 64.32.183.2 didn't match entry 173.239.121.125.
Elapsed Time: 0 ms.
Evaluating A Record lookup mechanism: "+a"
Additional Details
The DNS A Record lookup for IP address 64.32.183.2 found no match for domain 'corepoweryoga.com'.
Elapsed Time: 0 ms.
Evaluating MX mechanism: "+mx"
Additional Details
No MX records for domain corepoweryoga.com matched the specified IP address.
Elapsed Time: 108 ms.
Evaluating All mechanism: "~all"
All mechanisms indicated a negative status.
Additional Details
Status: SoftFail
Elapsed Time: 0 ms.Another bounce back due to SPF Policy Error for another domain.
Diagnostic information for administrators:
Generating server: PMA-EXCAS01.wemanageproperties.com
[email protected]
barracuda.helmethouse.com #550 Rejecting for Sender Policy Framework ##
Original message headers:
Received: from pma-exmb01.wemanageproperties.com ([fe80::10ec:db0c:8782:d59d])
by pma-excas01.wemanageproperties.com ([fe80::7d06:c4ad:5136:3b0f%11]) with
mapi id 14.03.0123.003; Mon, 27 Oct 2014 09:03:53 -0700
From: Jodi Stancampiano <[email protected]>
To: "'[email protected]'" <[email protected]>
CC: Gabriela Ramirez <[email protected]>
Subject: Accelerated Invoices
Thread-Topic: Accelerated Invoices
Thread-Index: Ac/x/5U3XYbSLuU0RYa8t07SCk++9Q==
Date: Mon, 27 Oct 2014 16:03:43 +0000
Message-ID: <[email protected]rties.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.0.20.104]
Content-Type: multipart/mixed;
boundary="_009_ED01ED2222E4A943987C4EEA7623C5741D323D42pmaexmb01wemana_"
MIME-Version: 1.0 -
Having run a few tests on our Server, on of the errors that has come up is that we don't have any SPF records.
Doing a search sends me to the following site, but it always comes up with the error - System Maintenance in progress. Please try again later.
microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
Having looked at some other sites, I come up with different answers.
Here is my example, our website is hosted by another company, but we run our own mail server. I have used the following examples
domain - mydomain.com
mail server ip - 1.2.3.4
One wizard come up with the following to add to my DNS
mydomain.com. IN TXT "v=spf1 ip4:1.2.3.4"
Another wizard comes up with the following
"v=spf1 ip4:1.2.3.4 ?all"
Another wizard comes up with the following
"v=spf1 ip4:1.2.3.4 -all"
Any advice appreciated.
TrevorHi
No ones mentioned this that I;ve seen. But the SPF settings get applied to the domain at Nameserver level, so not on the local server, but wherever is configured that
www.mydomain.com - goes to 10.20.30.40 and remote.mydomain.com goes to 1.2.3.4 and mail.mydomain.com go to 1.2.3.4 etc
On the name server you set up a new TXT for .mydomain.com
the values need to have
v=spf1 - to show this is the SPF settings
I would then add the IP's and Domains of any PC authorised to send emails on your behalf
i.e. +ip4:1.2.3.4 +a:mail.mydomain.com +a:remote.mydomain.com - This covers your server doing email directly from it... some SPF servers I've found look for the a record and not IP when tracing back (usually pain ones, so never hurts to add as resolves
to same place)
If your website hosted elsewhere has an email form on it you'll need to authorise your webserver to send on your behalf as it will most likely send from a @mydomain.com email address (your own server could class it as spam if not included)
so +ip4:x.x.x.x(webserver IP) +a:www.mydomain.com
As for the all bit
-all is best - means no one else can pretend to be you. I;ve not used ?all, but due to the experience I'm about to explain it could be useful (saves having to use ~all which makes spf pointless)
If you use -all SPF checkers will only allow emails to come from authorised senders. This leads to a problem with people they email without things set up right... had a few problems. A clients customer, had a spam checker that was offsite, that forwards
the email on to the server. so email goes from SenderA to SpamCheckerB. SpamCheckerB scans the email and then forwards on to mailserverC
MailserverC is also set up to check for spam including SPF..... problems is the email has been 'officially' sent from SpamcheckerB and not SenderA.... thus gets rejected by SPF
If senderA doesn;t use SPF it all goes through fine, or if SPF set to ~all goes through fine
Obviously this is a bad set up at the customers end, but if your client or yourself can not send to certain customers (no matter how misconfigured they are, and it being their fault) has a knock on to the business
So please be aware of that if you use -all which is obviously best. Not sure what ?all would do in this case...
so my setting for your SPF would be
v=spf1 +ip4:1.2.3.4 +a:mail.mydomain.com +a:remote.mydomain.com +ip4:x.x.x.x(webserver IP) +a:www.mydomain.com -all
Hope this helps and gives you some trouble shooting ideas in advance -
Hi,
I would need help please in creating an SPF record.
here's the following informations i can provide
Our organization host an exchange server 2010 wish uses popcon to retreive the emails of each users from my mail hosting ISP provider
the purpose of exchange is purely just for mailbox backups, and retrieval of deleted e-mails (Running ESXI5.5 and VEEAM)
our ISP MX record is :
mail.cciaz.org.lb (194.126.18.130)
incomming mail server: webmail.cciaz.org.lb (194.126.18.130)
users outside the organization uses OWA and/or outlook anywhere for some
External owa adress: mail2.cciaz.org.lb (92.62.166.249)
could plz someone point me in the right direction in creating an SPF record
Original problem is:
many users when opening their outlook, receives massive (200+) random receipts (undeliverable) from addresses they dont even know or sent to (ea: canada.com, aol.com,
etc...)
Thank youHi,
For your information:
Configuring DNS, MX, and SPF Records and Settings
http://technet.microsoft.com/en-us/library/ff714972.aspx
Description of Sender Policy Framework (SPF) records
http://support.microsoft.com/kb/2640313
Here is a similar thread:
spf records
http://social.technet.microsoft.com/Forums/windowsserver/en-US/9b5fef7a-1d5f-4b9d-aa9a-2aaa6b2e8e1a/spf-records
Hope this helps.
Maybe you are looking for
-
Does the mini display to vga adapter work with a pc (win 7 64-bit)
Its not a thunderbolt adapter. its a mini display to vga adapter. my hp ency pc has a mini display port next to the hdmi port.
-
Hi All, several records i was done grouping(HC,Product,W materails,s parts,t goods),rest of the records are others.after the grouping material type others is showing #multivalue error. Material Type+ Stock Quantity HC 11,515,835 Product 3,400,01
-
BAPI - Change Payment Terms - FI Document
Hi, I need a BAPI to change the payment terms and the payment method supplement of FI documents. I'm trying the Function Module FI_ITEMS_CHANGE, even though I can change the payment block and some other fields with this one, I'm not able to change th
-
Hey everyone, Is there a way to delete an entry from the database and have that have that change shown in the content server? I am trying to do it but the current method will crash my the indexer in the repo manager. I have a lot of entries that I wa
-
Can somebody tell me why recently I am unable to delete e-mail messages on my I-Pod?
For some reason I am unable to delete certain e-mail messages in my hotmail account. Then when I delete other e-mail messages they re-appear when I check for my mail. Can anybody tell me why this is happening?