The current article is a continuation of the previous article: What is SPF record good for? | Part 7#17
The previous article focused on the purpose of the SPF record and why it is so important for preventing a scenario in which spammers present themselves as our legitimate mail server.
This article focuses on the “technical side” of the SPF record: the structure of the SPF record, the way that we create it, the required syntax for the SPF record in an Office 365 environment and in a mixed mail environment, how to verify the existence of the SPF record, and so on.
SPF record task list.
Technically speaking, the process of creating and publishing SPF record.
The “issue” is that not all of us are familiar with the importance of the SPF record (this subject was discussed in the previous article: What is SPF record good for? | Part 7#17) or with the different technical aspects of SPF records, such as:
- The “content” and the syntax that the SPF record should include
- How to publish the SPF record
- How to verify that the SPF record that we have published uses the right syntax and points to the mail server that sends mail on behalf of our organization.
Q: Can you provide me an SPF record task list?
A: The task list of the “SPF record project” includes the following tasks:
- Understand what should be the content (the information that appears) of our SPF record.
- Create an SPF record in our public DNS (publish the information about the SPF record).
- Verify that the SPF record was successfully published.
- Verify that the SPF record syntax and structure are correct.
- Verify that our SPF record includes “pointers” to all of our mail servers.
Get the required information for SPF record syntax in an Office 365 environment
Q: How do I know what the required “content” is for the SPF record of my organization in an Office 365 environment?
A: In an Office 365 and Exchange Online environment, the information about the required content of the SPF record appears in the Office 365 management portal, under the DNS settings of your registered public domain name.
1. The uniqueness of the SPF record in Office 365 based environment
The value of the SPF record that appears in the Office 365 management portal is identical for all Office 365 customers and domain names.
In other words, the SPF record that represents your domain name in Office 365 is not unique and does not include values that are relevant only to your domain name.
The value of the SPF record in Office 365 is based on the SPF mechanism named “include”, which points to information about all the available Exchange Online servers that are authorized to send E-mail on behalf of Office 365 customers.
2. Using the suggested Office 365 value for the SPF record
The “default value” of the SPF record that appears in the Office 365 management portal is suitable only for a “cloud only scenario”.
This means that the value of the SPF record is “right” only in a scenario in which all of the organization's mail infrastructure is hosted at Office 365 and Exchange Online.
In a scenario in which we use additional mail servers, such as a hybrid configuration or a mail relay, we should add the information about the “additional mail server” to the “original SPF record” syntax that appears in the portal.
To be able to get the required information about the content of the SPF record, use the following steps:
Log in to the Office 365 portal, choose the DOMAINS menu, select the specific domain whose required DNS records you want to see (o365info.com in our scenario), and click on the manage DNS option.
In the following screenshot, we can see, in the Exchange Online section, the value of the SPF text record that we will need to create in our public DNS.
Publish the SPF record on your public DNS
After we get the value for the SPF record in an Office 365 environment, we will need to create the required SPF record in our public DNS server (the SPF record is implemented as a text record).
To demonstrate this procedure, I will use my “GoDaddy” DNS management interface for adding the required SPF record.
Step 1 – add a new record.
- Choose the option: Add Record
Step 2 – choose TXT record
- Select the option of – TXT (Text)
(Don’t forget that SPF record is just a simple TXT record).
Step 3 – add the value of the SPF record
- In the “HOST:” text box, add the @ sign
- In the “TXT VALUE:” text box, paste or add the value of the SPF record that we got from the Office 365 management portal.
Step 4 – verify that the SPF record was successfully added
In the following screenshot, we can see that the SPF record (the TXT record) was added.
Verifying that the SPF record is published
Q: How to verify that the SPF record is published?
A: To verify that the SPF record is published, we can query any public DNS server and “ask” it to display information about a particular record of a specific domain.
In our scenario, we want to “ask” a DNS server to display information about all of the TXT records that exist for a particular domain: o365info.com (an SPF record is implemented as a TXT record).
We will use the command line tool nslookup to query the DNS server.
- Open the command prompt
- Type the command: nslookup
- Type the command: set type=txt
- Type the domain name, in our scenario: o365info.com
In the following screenshot, we can see the information about the SPF record that was configured for the domain. In our scenario, the value of the SPF record is:
v=spf1 include:spf.protection.outlook.com -all
Verifying that SPF record syntax is valid
Using online tools to verify our SPF record
The nslookup tool can help us to query DNS servers about the “existence” of the SPF record, but “knowing” that the SPF record exists doesn’t “tell” us whether the SPF record syntax is correct or valid.
To answer the “second part”, in which we want to verify the syntax of the SPF record, we will need to use our own “knowledge” or, instead, use a free online tool that can examine and check the syntax of our SPF record.
In the next section, we will demonstrate how to check the “validity” of our SPF record using two online web-based tools.
Example 1: using the SPF Record Testing Tools
In the following example, we use the SPF checker to test the SPF record that represents the domain name: o365info.com
In the “Domain name” box, we add the domain name that we want to check.
In the following screenshot, we can see the result from the test.
The test found that the domain uses the following SPF record:
The TXT records found for your domain are: v=spf1 include:spf.protection.outlook.com -all
Additionally, the test confirms that the syntax of our SPF record is correct:
SPF record passed validation test with pySPF (Python SPF library)!
Example 2: using mxtoolbox SPF tool
Personally, I like to use the mxtoolbox site because the interface is more user-friendly, and the test result includes more detailed information.
For example, in the test result of the SPF record, we can see additional information such as:
“less than two SPF record found”, meaning that it’s “OK” because we don’t use more than one SPF record.
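A local version of the kind of checks described above (a single SPF record, valid syntax), as an added example that is not code from the original article or from either online tool. The function name `check_spf` and the sample records are assumptions made for illustration; the second sample shows what happens when a record is pasted with a typographic dash instead of a hyphen before `all`.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that make the receiver do a DNS query; RFC 7208 allows at most 10.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:([:=/])(.*))?$", re.I)


def check_spf(txt_records):
    """Return a list of problems in a domain's TXT records (empty list = OK)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        return ["more than one SPF record found"]
    problems, lookups = [], 0
    terms = spf[0].split()[1:]
    for pos, term in enumerate(terms):
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparsable term: {term}")
            continue
        name, sep, arg = m.group(2).lower(), m.group(3), m.group(4)
        if name in DNS_LOOKUP_TERMS:
            lookups += 1  # counts this record only, not nested includes
        if sep == "=":  # modifier such as redirect= or exp=
            continue
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism: {term}")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg or "", strict=False)
                if net.version != int(name[2]):
                    raise ValueError(term)
            except ValueError:
                problems.append(f"bad address in: {term}")
        elif name in ("include", "exists") and not arg:
            problems.append(f"missing domain in: {term}")
        elif name == "all" and pos != len(terms) - 1:
            problems.append("terms after 'all' are never evaluated")
    if lookups > 10:
        problems.append("more than 10 DNS-lookup terms")
    return problems


# Constructed samples: the record from this article, and the same record
# pasted with a typographic dash (U+2013) in place of the hyphen.
GOOD = ["v=spf1 include:spf.protection.outlook.com -all"]
PASTED = ["v=spf1 include:spf.protection.outlook.com \u2013all"]
```

Pass the function the list of TXT strings that nslookup returns for the domain; an empty list means none of these checks failed.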
SPF record and “Mixed mail” infrastructure
In a scenario that I describe as a “mixed mail infrastructure environment”, we use Office 365 (Exchange Online) as our mail infrastructure and also use an additional mail server that sends E-mail “on behalf” of our domain name.
In this case, we will need to “inform” other mail servers that our organization domain name is “represented” by “two different entities”: the Office 365 (Exchange Online) mail servers + a particular mail server that is hosted in our organization.
To be able to demonstrate this type of configuration, let’s use the following scenario:
- Our mail infrastructure is hosted on Office 365, but we also use an on-Premises mail server that uses the public IP address: 220.127.116.11
- Our organization domain name is: o365info.com
Creating the required SPF record
We want to create an SPF record that “confirms” these two different mail server infrastructures.
Q: What is the syntax that I need to use for my SPF record, in case I have additional mail server(s)?
A: We will need to use the “original syntax” of the Office 365 SPF record + add the information about the on-Premises mail server that uses the public IP address: 18.104.22.168
In our scenario, the “original Office 365 SPF record syntax” is:
We will need to “extend” the original SPF record so that it includes additional information about our on-Premises mail server.
The SPF record syntax is very “flexible”, meaning that we can refer to the other mail server in many ways, such as an A record, an MX record, an IP4 address, an IP6 address, and so on.
In the following diagram, we can see an example of the “new SPF record” that includes the information about the additional On-Premises mail server that uses the public IP address: 22.214.171.124
Q: Is there an online tool that could help me in the task of creating the syntax for my SPF record?
A: Yes, there are a couple of online tools that can be described as an “SPF Generator”.
In the following example, we will use an online SPF Generator of a website named: mailradar
In our scenario, we will need to provide three parameters:
- Domain name – in our example our domain name is: o365info.com
- The Office 365 SPF value that points to the list of all available Exchange Online servers: spf.protection.outlook.com
- The IP address of our on-Premises mail server: 126.96.36.199
At the bottom of the screen, in the section SPF result, we can see the SPF record “content” that we will need to use (by adding a TXT record to our public DNS server).
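The extension step described in this section, as an added example that is not code from the original article or from the generator site: it inserts the on-Premises address into the Office 365 record ahead of `all`, then evaluates both records for that sender. The function names are hypothetical, `203.0.113.10` is a placeholder from a documentation range standing in for the on-Premises server's public IP, and the evaluator assumes that terms needing DNS (such as `include`) do not match that address.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def add_sender(spf_record, address):
    """Return spf_record with an ip4:/ip6: term for address placed before 'all'."""
    ip = ipaddress.ip_address(address)          # rejects malformed addresses
    new_term = f"ip{ip.version}:{ip}"
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    if new_term in terms:
        return spf_record
    # Terms are evaluated left to right, so the new one must precede 'all'.
    idx = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    terms.insert(idx, new_term)
    return " ".join(terms)


def local_result(spf_record, sender_ip):
    """Evaluate only ip4/ip6/all terms; terms needing DNS are assumed not to match."""
    ip = ipaddress.ip_address(sender_ip)
    for term in spf_record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qualifier]
    return "neutral"                            # no term matched


# Constructed inputs: the Office 365 record shown in this article and a
# placeholder on-premises address from the 203.0.113.0/24 documentation range.
O365_RECORD = "v=spf1 include:spf.protection.outlook.com -all"
ONPREM_IP = "203.0.113.10"
MIXED_RECORD = add_sender(O365_RECORD, ONPREM_IP)

if __name__ == "__main__":
    print(MIXED_RECORD)
    for record in (O365_RECORD, MIXED_RECORD):
        print(local_result(record, ONPREM_IP), "<-", record)
```

With the cloud-only record, mail from the on-Premises server reaches `-all` and fails; with the extended record, it matches the `ip4` term first and passes.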