Implementing SPF record | Part 8#17

The current article is a continuation of the previous article: What is SPF record good for? | Part 7#17

The previous article focused on the purpose of the SPF record and why it is so important for preventing a scenario in which spammers present themselves as our legitimate mail server.

This article focuses on the “technical side” of the SPF record: the structure of the SPF record, the way that we create an SPF record, the required syntax for the SPF record in an Office 365 environment and in a mixed mail environment, how to verify the existence of the SPF record, and so on.

SPF record task list.

Technically speaking, the process of creating and publishing SPF record.

The “issue” is that not all of us are familiar with the importance of the SPF record (this subject is discussed in the previous article – What is SPF record good for? | Part 7#17) or with the different technical aspects of SPF records, such as:

  • The “content” and the syntax that the SPF record should include
  • How to publish the SPF record
  • How to verify that the SPF record that we have published uses the right syntax and points to our mail server that sends mail on behalf of our organization.

Q: Can you provide me an SPF record task list?

A: The task list of the “SPF record project” includes the following tasks:

  1. Understand what should be the content (the information that appears) of our SPF record.
  2. Create an SPF record in our public DNS (publish the information about the SPF record).
  3. Verify that the SPF record was successfully published.
  4. Verify that the SPF record syntax and structure is correct.
  5. Verify that our SPF record includes “pointers” to all of our mail servers.

SPF Task list

Get the required information for SPF record syntax in an Office 365 environment

Q: How do I know, what is the required “content” for the SPF record of my organization in an Office 365 environment?

A: In Office 365 and Exchange Online environment, the information about the required content of the SPF record appears in the Office 365 management portal, under the DNS setting of your public domain name which was registered.

Important note

1. The uniqueness of the SPF record in Office 365 based environment

The value of the SPF record that appears in the Office 365 management portal is identical to all the Office 365 customers and domain names.

In other words, the SPF record that represents your domain name in Office 365 is not unique and does not include values that are relevant only to your domain name.

The value of the SPF record in Office 365 is based on the SPF mechanism named “include”, which points to information about all the available Exchange Online servers that are authorized to send E-mail on behalf of Office 365 customers.

2. Using the suggested Office 365 value for the SPF record

The “default value” of the SPF record that appears in the Office 365 management portal is suitable only for a “cloud only scenario”.

This means that the value of the SPF record is “right” only in a scenario in which all of the organization's mail infrastructure is hosted at Office 365 and Exchange Online.
In a scenario in which we use additional mail servers, such as a hybrid configuration or a mail relay, we should add the information about the “additional mail server” to the “original SPF record” syntax that appears in the portal.

You can read more information in the section: SPF record and “Mixed mail” infrastructure


Get the information about the SPF record

To be able to get the required information about the content of the SPF record, use the following steps:

Log in to the Office 365 portal, choose the DOMAINS menu, select the specific domain whose required DNS records you want to see (o365info.com in our scenario), and click on the manage DNS option.

The syntax for the SPF record in Office 365 -01

In the following screenshot, we can see the Exchange Online section, the value of the SPF text record that we will need to create in our public DNS.

The syntax for the SPF record in Office 365 -02

Publish the SPF record on your public DNS

After we got the value for the SPF record in an Office 365 environment, we will need to create the required SPF record in our public DNS server (SPF record is implemented as a text record).

To demonstrate this procedure, I will use my “GoDaddy” DNS management interface for adding the required SPF record.

Note – it’s obvious that if you use a different DNS management infrastructure, the interface will be different, but the concept stays the same.

Step 1 – add a new record.

  • Choose the option: Add Record

Creating SPF TXT record -01

Step 2 – choose TXT record

  • Select the option of – TXT (Text)
    (Don’t forget that SPF record is just a simple TXT record).

Creating SPF TXT record -02

Step 3 – add the value of the SPF record

  • In the “HOST:” text box, add the @ sign.
  • In the “TXT VALUE:” text box, paste or add the value of the SPF record that we got from the Office 365 management portal.

Creating SPF TXT record -03

Step 4 – verify that the SPF record was successfully added

In the following screenshot, we can see that the SPF record (the TXT record) was added.

Creating SPF TXT record -04

Verifying that the SPF record is published

Q: How to verify that the SPF record is published?

A: To verify that the SPF record is published, we can query any public DNS server and “ask” it to display information about a particular record of a specific domain.

In our scenario, we want to “ask” a DNS server to display information about all of the TXT records that exist for a particular domain: o365info.com (an SPF record is implemented as a TXT record).

We will use the command line tool nslookup to query the DNS server.

  1. Open the command prompt
  2. Type the command: nslookup
  3. Type the command: set type=txt
  4. Type the domain name, in our scenario: o365info.com

In the following screenshot, we can see the information about the SPF record that was configured for the domain. In our scenario, the value of the SPF record is:

v=spf1 include:spf.protection.outlook.com -all

Query DNS for information about SPF record using nslookup

Verifying that SPF record syntax is valid

Using online tools to verify our SPF record

The nslookup tool can help us to query DNS servers about the “existence” of the SPF record, but “knowing” that the SPF record exists doesn’t “tell” us whether the SPF record syntax is correct or valid.

To be able to answer the “second part,” in which we want to verify that syntax of the SPF record, we will need to use our “knowledge” or instead, use a free online tool that can examine and check the syntax of our SPF record.

In the next section, we will demonstrate how to check the “validity” of our SPF record using two online web-based tools.

Example 1: using the SPF Record Testing Tools

http://www.kitterman.com/spf/validate.html

In the following example, we use the SPF checker for testing the SPF record that represents the domain name: o365info.com

In the Domain name box: we add the domain name that we want to check.

Using online tools to verify our SPF record -01

In the following screenshot, we can see the result from the test.

Using online tools to verify our SPF record -02

The test found that the domain uses the following SPF record:

The TXT records found for your domain are: v=spf1 include:spf.protection.outlook.com -all

Additionally, the test confirms that the syntax of our SPF record is correct:

SPF record passed validation test with pySPF (Python SPF library)!

Example 2: using mxtoolbox SPF tool

http://mxtoolbox.com/spf.aspx

Personally, I like to use the mxtoolbox site because the interface is more user-friendly, and the test result includes more detailed information.

Using online tools to verify our SPF record mxtoolbox -03

For example, in the test result of the SPF record, we can see additional information such as:

“less than two SPF record found”, which means that it’s “OK” because we don’t use more than one SPF record.

Using online tools to verify our SPF record mxtoolbox -04

Additional reading

Attached links to additional SPF validator online tools

SPF record and “Mixed mail” infrastructure

In a scenario that I describe as a “Mixed mail infrastructure environment”, we use Office 365 (Exchange Online) as our mail infrastructure and also use an additional mail server that sends E-mail “on behalf” of our domain name.

In this case, we will need to “inform” other mail servers that our organization domain name is “represented” by “two different entities”: the Office 365 (Exchange Online) mail servers and a particular mail server that is hosted in our organization.

Using SPF Record for inform about our mail servers identity

To be able to demonstrate this type of configuration, let’s use the following scenario:

  • Our mail infrastructure is hosted on Office 365, but we also use an on-Premises mail server that uses the public IP address: 212.25.80.239
  • Our organization domain name is: o365info.com

Mixed mail infrastructure environment scenario and SPF Record

Creating the required SPF record

We want to create an SPF record that “confirms” these two different mail server infrastructures.

Q: What is the syntax that I need to use for my SPF record if I have additional mail servers?

A: We will need to use the “original syntax” of the Office 365 SPF record and add the information about the on-Premises mail server that uses the public IP address: 212.25.80.239

In our scenario, the “original Office 365 SPF record syntax” is:

updated syntax of the Office 365 SPF record -01

We will need to “extend” the original SPF record so that it includes additional information about our On-Premises mail server.

The SPF record syntax is very “flexible”, meaning that we can refer to the other mail server in many ways, such as an A record, an MX record, an IP4 address, an IP6 address and so on.

In the following diagram, we can see an example of the “new SPF record” that includes the information about the additional On-Premises mail server that uses the public IP address: 212.25.80.239

updated syntax of the Office 365 SPF record -02

Q: Is there an online tool that could help me in the task of creating the syntax for my SPF record?

A: Yes, there are a couple of online tools that can be described as an SPF Generator.

In the following example, we will use an online SPF Generator of a website named: mailradar

In our scenario, we will need to provide three parameters:

  1. Domain name – in our example our domain name is: o365info.com
  2. The Office 365 SPF syntax that includes all the available Exchange Online server lists: spf.protection.outlook.com
  3. The IP address of our on-Premises mail server: 212.25.80.239

At the bottom of the screen, in the section SPF result, we can see the SPF record “content” that we will need to use (by adding a TXT record to our public DNS server).

SPF Generator - mailradar
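
The verification tasks from the task list (exactly one SPF record, valid syntax, “pointers” to every sending server) can also be checked offline against the TXT strings that nslookup returns. The following is an added example, not code from the original article: `check_spf` and the `MIXED` record are assumptions built from the article's scenario (the Office 365 include plus 212.25.80.239), and the targets of `include`, `a` and `mx` are not resolved.

```python
import ipaddress
import re

# Mechanism names from RFC 7208; name=value modifiers are accepted unchecked.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9._-]*)(?:([:=/])(.*))?$", re.I)
# Sample TXT answers: CLOUD_ONLY is the record shown above, MIXED is constructed.
CLOUD_ONLY = ["v=spf1 include:spf.protection.outlook.com -all"]
MIXED = ["v=spf1 include:spf.protection.outlook.com ip4:212.25.80.239 -all"]


def check_spf(txt_records, required_includes=(), required_ips=()):
    """Return a list of problems for a domain's TXT answers (empty = OK)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return ["expected exactly one SPF record, found %d" % len(spf)]
    problems, includes, networks, closed = [], set(), [], False
    for term in spf[0].split()[1:]:
        m = TERM.match(term)
        if not m:  # e.g. an en dash pasted from a web page instead of "-"
            problems.append("malformed term %r" % term)
            continue
        qualifier, name, sep, value = m.groups()
        name = name.lower()
        closed = closed or name in ("all", "redirect")
        if sep == "=":  # modifier such as redirect= or exp=
            continue
        if name not in MECHANISMS:
            problems.append("unknown mechanism %r" % term)
        elif name == "include" and sep == ":" and value:
            includes.add(value.lower().rstrip("."))
        elif name == "include":
            problems.append("include without a domain: %r" % term)
        elif name in ("ip4", "ip6"):
            try:
                networks.append(ipaddress.ip_network(value or "", strict=False))
            except ValueError:
                problems.append("bad address in %r" % term)
        elif name == "all" and qualifier in ("", "+"):
            problems.append("%r authorizes every sender" % term)
    if not closed:
        problems.append("no 'all' mechanism or redirect= modifier")
    for domain in required_includes:
        if domain.lower() not in includes:
            problems.append("missing include:%s" % domain)
    for ip in required_ips:
        if not any(ipaddress.ip_address(ip) in n for n in networks):
            problems.append("sender %s not covered by ip4/ip6" % ip)
    return problems
```

Calling `check_spf(CLOUD_ONLY, ["spf.protection.outlook.com"], ["212.25.80.239"])` reports that the on-Premises server is not covered, which is the gap the mixed record closes.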

Eyal Doron