
A Sender Policy Framework (SPF) Primer for Exchange Administrators

This article is an excerpt from the Exchange Server Troubleshooting Companion.

Email spam continues to be a huge problem for organizations these days, and it usually falls on the Exchange administrator to do something about it. Aside from the usual anti-spam measures we can put in place to protect our own servers from spam, we also need to consider how to prevent spammers from spoofing (imitating) the domain names for our own organization. After all, it can be very embarrassing or cause serious brand damage to have spam and malware that uses your domain name.

To detect spoofed email many receiving servers, particularly those operated by large email providers such as Microsoft, Yahoo, Google, and AOL, will perform a check of the Sender Policy Framework (SPF) record for the sender’s domain when a sending server is attempting to send an email message.

SPF records allow a domain owner to specify which mail servers are permitted to send email for that domain name. When the sending server issues its “MAIL FROM” command in the SMTP conversation, the receiving server looks up the SPF record for the domain in the MAIL FROM address (the envelope sender, which later appears in the message as the Return-Path header) and checks whether the source IP address of the SMTP connection matches. Note that this is not the “From:” header that the recipient sees in their mail client; the two addresses can differ, and SPF says nothing about the latter.


If you read about SPF records on the internet you may find advice on some websites that it is better to have no SPF record than to have an incorrect one. There’s some truth to that, but also some risks. Some mail hosts will reject mail if there is no SPF record for the domain. Few hosts do that, but because they are very large mail hosts the impact can be quite noticeable. Ultimately, it is best to have a correctly configured SPF record in DNS for your domain.

An SPF record is simply a TXT record with a certain syntax: it begins with the version tag “v=spf1”, followed by a space-separated list of terms. The terms are of two kinds: mechanisms and modifiers. Modifiers (such as “redirect=” and “exp=”) are optional and are not commonly used except for special circumstances. During management and troubleshooting of transport you’ll most often be dealing with SPF records containing only mechanisms.

The mechanisms for an SPF record define the sets of hosts that can send email from the domain. Mechanisms can be defined by:

  • all – matches any host, and is placed at the end of the SPF record as a “catch all” for any senders that did not match other mechanisms listed ahead of it.
  • ip4 – matches a single IPv4 address or IPv4 network range.
  • ip6 – matches a single IPv6 address or IPv6 network range.
  • a – matches the IP addresses that a host name or domain name resolves to in DNS (on its own, “a” means the domain whose record is being checked). This mechanism is useful for authorizing a web server by its domain name.
  • mx – matches against the hosts listed in the MX records for the domain. This mechanism is useful when the outbound mail is handled by the same servers that receive inbound mail.
  • ptr – reverse DNS queries are used to match the sender IP address to the host names that it resolves to. RFC 7208 says this mechanism should not be used, because it is slow, unreliable, and places unnecessary load on DNS.
  • exists – matches if the specified domain name (usually built with SPF macros) has an A record in DNS, regardless of the address it resolves to.
  • include – matches the sender IP against the SPF record of another domain; only a “pass” from the included record counts as a match. This is commonly used when your outbound email is routing via a cloud service such as Exchange Online Protection.

The a, mx, ptr, exists and include mechanisms each cost at least one DNS query, and RFC 7208 allows at most ten of them in one evaluation. A record that needs more lookups than that produces a permanent error (“permerror”) at the receiver rather than a pass, which is why validators warn about excessive DNS lookups.

Mechanisms are used in combination with a qualifier that tells the server what to do when a match is found. The qualifiers are:

  • “+” for Pass (this is the default if no qualifier is explicitly provided)
  • “-” for Fail (email from unauthorized hosts should be rejected)
  • “~” for SoftFail (may result in email being accepted but marked as “likely spam”)
  • “?” for Neutral (the domain makes no statement about the host; the receiver treats the result as if there were no SPF record)

An example of a mechanism paired with a qualifier is “-all” at the end of an SPF record, which means “Fail/reject email from any sender who did not match an earlier mechanism in the SPF record.”

If this all seems very complicated to you, don’t worry, it starts out that way for everyone who has to deal with SPF records. Fortunately, there are many tools available to help you construct and validate your SPF records. For example, Microsoft provides the Sender ID Framework SPF Record Wizard, which has an awkwardly long name but is nonetheless very useful. Update: Microsoft’s tool has been down for a few months, so you can use the SPF Wizard instead if you need to.


After entering your domain name the wizard will step you through a series of questions to determine the most likely SPF record that you will need. In this example I answered the questions as follows:

  • Domain’s inbound servers may send mail (in other words, the servers listed as MX records also handle outbound email)
  • An additional domain name whose A record is a valid outbound email server (a common example of this is an externally hosted website that uses its own SMTP service to send notifications and other emails)
  • This domain sends mail only from the IP addresses identified above (in other words, anything else trying to send email from my domain name should be considered unauthorized)

The resulting SPF record (shown as a screenshot in the original) starts with v=spf1, then the mx mechanism for the inbound servers, then an a: mechanism naming the additional domain, and ends with -all.

By adding that string as a TXT record in the public DNS zone for the domain name I will have prevented unauthorized email servers from spoofing my domain name. At least, they won’t be able to do it when sending to any receiving server that checks SPF records. Anyone who is not checking SPF records can still receive the spoofed email, but may reject it for other reasons such as spam content or malware.

Apart from tools to generate your own SPF record, many email services will provide you with the exact strings to add to your SPF record. When you add a domain name to Office 365 Microsoft advises you of the SPF record they suggest, which is appropriate for organizations sending their outbound email using Exchange Online Protection. Similarly, email marketing services and SMTP hosting services will also have documented solutions to adjust your SPF record so that you can successfully use their services without your email being rejected.

After you have your SPF record in place you should validate it. And in fact, you should repeat this validation test any time you suspect an external organization may be rejecting your email because of your SPF record. MXToolbox has an SPF record validator that takes a domain name and IP address as input and lets you know what the result will be if that IP address sends email for your domain.


Aside from the result for that specific IP address, the MXToolbox SPF record lookup tool will also validate the general health of your SPF record for problems such as excessive DNS lookups or syntax problems.
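The evaluation described in the mechanisms and qualifiers sections above, the wizard-generated record, and the domain-plus-IP check and health check that the validator performs, as one added example (my own code, not from the article, the wizard, or MXToolbox). It runs against an in-memory DNS table built for the demo, so it works offline: the domains (example.com, www.example.net, _spf.relay.example, soft.example, loop.example, nospf.example) and all addresses are constructed placeholders from the reserved documentation names and ranges, and the example.com record is the shape the wizard answers above produce, with an include: for a hypothetical cloud relay added to show that mechanism. The modifiers redirect= and exp= are skipped, and ptr is deliberately treated as never matching.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory DNS table.
Added example for this article, not code from the original post; every DNS
answer below is constructed (reserved documentation names and address ranges)."""
import ipaddress

DNS = {
    # The record shape the wizard in the article produces (mx, an a: for a
    # separately hosted site, -all), plus an include: for a cloud relay.
    "example.com": {"TXT": ["v=spf1 mx a:www.example.net include:_spf.relay.example -all"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["203.0.113.25"]},
    "www.example.net": {"A": ["198.51.100.7"]},
    "_spf.relay.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    # The SoftFail catch-all the closing note suggests while testing.
    "soft.example": {"TXT": ["v=spf1 mx ~all"], "MX": ["mail.example.com"]},
    # A record that includes itself never terminates, so the lookup limit trips.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
    "nospf.example": {"TXT": ["some unrelated TXT"]},   # TXT data but no SPF policy
}
MAX_LOOKUPS = 10   # RFC 7208 s.4.6.4: DNS-querying mechanisms allowed per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; swap in a real resolver to use this for real."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The single v=spf1 TXT record for a domain, or None if absent or duplicated."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_spf(domain, sender_ip, _lookups=None):
    """Evaluate the MAIL FROM domain's record against the connecting IP; returns
    (result, dns_lookups_used) with result pass/fail/softfail/neutral/none/permerror."""
    lookups = _lookups if _lookups is not None else [0]   # shared across include: recursion
    record = spf_record(domain)
    if record is None:
        return "none", lookups[0]
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:                # skip the v=spf1 version tag
        if "=" in term:                            # modifiers (redirect=, exp=) not implemented
            continue
        qual = "+"                                 # "+" is the default qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qual], lookups[0]
        if mech in ("ip4", "ip6"):                 # no DNS query needed for these
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual], lookups[0]
            continue
        if mech not in ("a", "mx", "include", "exists", "ptr"):
            return "permerror", lookups[0]         # unknown mechanism: syntax error
        lookups[0] += 1                            # each of these costs a DNS query
        if lookups[0] > MAX_LOOKUPS:
            return "permerror", lookups[0]         # the "excessive DNS lookups" case
        target, _, cidr = (arg or domain).partition("/")   # supports a:host/24 prefixes
        if mech == "ptr":
            continue                               # deprecated by RFC 7208; never matches here
        if mech == "include":
            inner, _ = check_spf(target, sender_ip, lookups)
            if inner == "pass":
                return QUALIFIERS[qual], lookups[0]
            if inner in ("none", "permerror"):     # including an absent/broken record is an error
                return "permerror", lookups[0]
            continue                               # fail/softfail/neutral in an include: no match
        if mech == "exists":
            if lookup(target, "A"):
                return QUALIFIERS[qual], lookups[0]
            continue
        if mech == "mx":
            hosts = [a for mx in lookup(target, "MX") for a in lookup(mx, "A")]
        else:                                      # "a" (this demo holds IPv4 A records only)
            hosts = lookup(target, "A")
        if any(ip in ipaddress.ip_network(f"{h}/{cidr or 32}", strict=False) for h in hosts):
            return QUALIFIERS[qual], lookups[0]
    return "neutral", lookups[0]                   # nothing matched and no "all" term present


def record_health(domain):
    """Record-level checks a validator performs, independent of any sender IP."""
    record = spf_record(domain)
    if record is None:
        return ["no single v=spf1 TXT record found"]
    terms = [t.lstrip("+-~?").lower() for t in record.split()[1:]]
    issues = [] if terms and terms[-1] == "all" else ['record does not end with an "all" mechanism']
    if any(t.startswith("ptr") for t in terms):
        issues.append("uses the deprecated ptr mechanism")
    # An IPv6 documentation address matches none of the demo's IPv4 data, so the
    # evaluation walks the whole record and counts every lookup it needs.
    _, used = check_spf(domain, "2001:db8::1")
    if used > MAX_LOOKUPS:
        issues.append(f"exceeds {MAX_LOOKUPS} DNS lookups ({used} used)")
    return issues
```

Calling check_spf("example.com", "203.0.113.25") passes on the mx mechanism after one lookup; 198.51.100.7 passes on a:www.example.net after two; 192.0.2.77 passes via the include after three; and 198.51.100.200 walks the whole record and hits -all, so it fails. The same unauthorized address against soft.example gets softfail, which is the “likely spam” outcome the ~all note describes, and loop.example shows how a record that chains too many includes ends in permerror rather than the pass its owner expected. To use the evaluator against live DNS, replace lookup() with a real resolver and keep the counter: it is the lookup count, not the record length, that validators are warning about.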


Despite the importance of SPF records for internet email delivery, your internal mail flow between Exchange servers in your own organization is not dependent on SPF records. The Exchange servers in your organization already understand that other Exchange servers in the same organization are authoritative for your domains.

Note: Take care when modifying SPF records, because it is easy to inadvertently cause all of your domain’s outbound email to be rejected. If there is any doubt you can use a SoftFail qualifier on the “all” mechanism (in other words, use “~all” at the end of your SPF record) for a period of time while you test outbound email against major hosts such as Yahoo and Google. Bear in mind that ~all only asks receivers to treat unauthorized senders as suspicious rather than reject them, so switch back to -all once testing is complete. Your SPF records should also be considered any time there is a planned change to your email routing, such as adding an outbound server, a smart host, or a third-party service that sends on your behalf.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

18 comments

  1. Iamli Bapen says:

    Hi Paul,
    Any idea why I get the error “One or more addresses has invalid syntax” on the Microsoft Sender ID Framework SPF Record Wizard, if I enter two IPs (one per line) under “Enter any additional IP addresses (or ranges of addresses) you wish to add to your SPF record (one address or address range per line)”?

  2. JS says:

    Paul, I’m dealing with a lot of clients right now who have invalid PTR records and are being rejected from Comcast and a few other providers. Do you have an article on this? Is there any other way to record the PTR record besides contacting the IP range owner (ARIN)?

    • Craig Campbell says:

      Hi Mike,

      You would only add the public IPs of the outbound mail servers to your SPF record, and not the internal Exchange servers. If you add the ‘mx’ value to your SPF record like Paul did in the example, it should cover your smart hosts (if they are both inbound and outbound of course).

  3. Marc says:

    It’s important to note that many spoofers are putting the spoofed address in the header only, and they use a different address on the envelope that they know has no SPF. This way the SPF test is neutral, but the receiver sees the spoofed address. I do use SPF, but it doesn’t mean that your users will not receive spoofed email, even from domains that have SPF. You can’t do much for your own domain about this, but to protect your users from receiving spoofed emails, you can increase the score of an address mismatch; I believe that most gateways score it very low. Not sure how you could deal with this on Office 365 or Exchange Online Protection.

    • There are two things here that can help. The first is that a lack of SPF record will cause some mail hosts to outright reject the mail. Some email security products/services have this as an option you can enable as well. If you’re willing to be that aggressive and reject some legit mail from senders with email admins who haven’t implemented SPF, then it is a good solution 🙂

      The second is that some products (as you say) will score any email that has those characteristics (a different return-path than from address) differently in some way, such as “bulk mail” or “likely spam”. That, combined with other message characteristics (poor IP reputation, content scanning) can often block most spam that tries that technique.

      As always, nothing is foolproof and a layered approach is necessary to achieve the highest rate of detection with a low rate of false positives.

  4. Craig Campbell says:

    Great article Paul,

    One area that may need clarification is: “When the sending server issues its “MAIL FROM” command in the SMTP conversation, the receiving server will look up the SPF record in the domain name of the “From” address to see if there is a match for the source IP address of the SMTP connection.”

    The SPF lookup isn’t done on the ‘From’ address, it is done on the domain in the return-path field. If you do not specify the return-path specifically, it is automatically added to the header with the value from the “From” field.

    The difference in this is important to outline how spammers bypass SPF lookups, as Marc has pointed out.

    Keep up the great work.

    • Jonathan says:

      Paul are you speaking about the X-MAIL-FROM or the From: header?

      One battle we are facing is that the email headers X-MAIL-FROM, Return-Path, X-Sender, envelope-from all contain the outside address (spammer@gmail.com) or whatever crazy mail domain is made available. The issue I’ve been seeing is that it’s only the From: field that has been changed. Sometimes the message is made to look like a customer’s address, and sometimes it’s an address of an employee made to look like it came from that employee asking for information. It’s been more a targeted / spear-phishing thing and not just a spam bot that received a bunch of email addresses from someone’s address book.

      I don’t suppose SPF would help combat this type of situation if it’s not going to match anything in the From: field header vs. Return-Path, X-MAIL-FROM, X-Sender.
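The envelope/From: mismatch that Marc, Craig and Jonathan describe in the comments above, as an added example (my own code, not part of the original comments or article): it parses a constructed message in which SPF passed for the spammer’s own envelope (Return-Path) domain while the From: header shows the protected domain, and a second constructed message where the two agree. All names and addresses are reserved documentation placeholders, and the Received-SPF header is assumed to be in the form RFC 7208 describes, with the result as its first token.

```python
"""Flag messages whose displayed From: domain differs from the envelope sender.
Added example for this article, not code from the original comments. The two
messages below are constructed; all names are reserved documentation domains."""
from email import message_from_bytes
from email.utils import parseaddr

# Constructed: SPF passed because the envelope sender (Return-Path) is a domain
# the spammer controls, while the From: header shows the targeted company.
SPOOFED = b"""\
Return-Path: <bounce@spammer-controlled.example>
Received-SPF: pass (mx.example.net: 192.0.2.9 is authorized to use spammer-controlled.example)
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed: legitimate mail; envelope and From: agree and SPF passed for that domain.
LEGITIMATE = b"""\
Return-Path: <ceo@example.com>
Received-SPF: pass (mx.example.net: 203.0.113.25 is authorized to use example.com)
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Board pack

Attached as discussed.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_alignment(raw):
    """Compare the SPF-checked envelope domain with the From: domain users see."""
    msg = message_from_bytes(raw)
    envelope = domain_of(msg["Return-Path"])
    header_from = domain_of(msg["From"])
    spf = (msg["Received-SPF"] or "").split(" ", 1)[0].lower()   # result is the first token
    return {"envelope_domain": envelope, "from_domain": header_from,
            "spf": spf, "aligned": envelope == header_from}


def assess(raw, own_domains):
    """Verdict for a message at the gateway; own_domains are the domains we publish SPF for."""
    a = sender_alignment(raw)
    if a["spf"] != "pass":
        return "spf-" + (a["spf"] or "unknown"), a   # SPF itself already has something to say
    if a["aligned"]:
        return "ok", a
    if a["from_domain"] in own_domains:
        return "spoofed-own-domain", a               # SPF passed only for the throwaway envelope domain
    return "misaligned", a                           # candidate for a higher spam score
```

Run assess(SPOOFED, {"example.com"}) and the verdict is spoofed-own-domain even though the SPF result on the message is pass, because the pass was earned by spammer-controlled.example, not by example.com; the legitimate message comes back ok. This is the mismatch that gateways can score more aggressively, and it is the check DMARC later formalized as identifier alignment.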

  5. Reinhard Alexander Kiss says:

    Hello Paul,

    the “Sender ID Framework SPF Record Wizard” in your post contains a dead Link – could you be so kind and provide the correct URL ?

    Thank you very much

    Alex
    Vienna – Austria

    • Matthew Linnett says:

      Hi Alex,

      The link was live at the time of publishing, unfortunately Microsoft have moved / removed the SPF Record Wizard.

      I’ve been creating SPF records for clients over the last few months and, between creating the first SPF record and the second, the Wizard returned an HTTP 500 error.

      Just to add…

      If you use a Smarthost for outbound email, your experience may vary. For instance, some providers maintain a list of their Mail Server IP addresses, making things simple.

      For instance, the UK ISP Zen. To configure the rest of my SPF record I just had to add ‘include:_spf.zen.co.uk’. Whereas, for the UK ISP Demon, I had to add their IP ranges in CIDR format.

  6. Peter says:

    Nice article Paul.

    We are using the Westnet email relay filter service (relay-filter.westnet.com.au) and all incoming emails will go through them first. If I want to add an SPF record to the DNS zone, do I need to mention them in the data field?

    • SPF records are for any sending hosts for your domains, in other words, outbound email. So if you’re sending out via Westnet’s servers as a smart host, then yes they should be included in your SPF record (they probably have some specific guidance to help you with that, most providers do).

  7. Tobias says:

    Hi Paul,

    I see that the website for creating SPF records is not working. Do you have an alternative website to use?

    Thanks

  8. Andrew says:

    Hi Paul

    What is the recommended way to set up PTR records if I have 2 x Exchange servers in a DAG?

    The public IP’s are set in the SPF record already and hard fail has been setup.

    However each exchange server has its own public IP for example:
    Server 1 1.2.3.4
    Server 2 1.2.3.5

    mail.domain.com resolves to 1.2.3.4 and reverse lookups work ok

    Scenario is a client sends from Server 2 1.2.3.5 and gets a bounce back

    Client host rejected: cannot find your hostname, [1.2.3.5]

    This is because the PTR is not set up and the destination server is running a PTR check, and 1.2.3.5 does not resolve back to mail.domain.com.

    So the answer is to ask my ISP to set up PTR records? Does this sound correct?

    • I’m going to assume your send connector has both servers as a source transport server.

      In that case, you need the same DNS, PTR, SPF requirements for both servers’ public IP addresses.
