Embed Size (px)
DESCRIPTION
Implementing SPF record | Part 8#17 http://o365info.com/implementing-spf-record-part-8-17 The “technical side” of the SPF record: the structure of SPF record, the way that we create SPF record, what is the required syntax for the SPF record in an Office 365 environment + mix mail environment, how to verify the existence of SPF record and so on. Eyal Doron | o365info.com
Citation preview
Page 1 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
IMPLEMENTING SPF RECORD |
PART 8#17
The current article is a continuation of the former article: What
is SPF record good for? | Part 7#17
The former article focused upon the purpose of the SPF record
and why is it so important for preventing a scenario, in which
spammers could present them self is our legitimate mail
server.
This article, focus on the “technical side” of the SPF record
such as: the structure of SPF record, the way that we create
SPF record, what is the required syntax for the SPF record in
Page 2 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
an Office 365 environment + Mix mail environment, how to
verify the existence of SPF record and so on.
SPF record task list.
Technically speaking, the process of creating and publishing
SPF record.
The “issue” is that not all of us are familiar with the importance
of the SPF record (this subject was discussed in the former
article – What is SPF record good for? | Part 7#17) and about
the different technical aspects of SPF records such as:
The “content” and the syntax that the SPF record should include
How to publish the SPF record
How to verify that the SPF record that we have published
includes the right syntax and point to our mail server that send
mail on behalf of our organization.
Q: Can you provide me an SPF record task list?
A: The task list of the “SPF record project” include the following
tasks:
1. Understand what should be the content (the information that
appear) of our SPF record.
2. Create an SPF record in our public DNS (publish the information
about the SPF record).
3. Verify that the SPF record was successfully published.
4. Verify that the SPF record syntax and structure is correct.
5. Verify that our SPF record includes “pointers” to all of our mail
server\s.
Page 3 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Get the required information for SPF record
syntax in an Office 365 environment
Q: How do I know, what is the required “content” for the SPF
record of my organization in an Office 365 environment?
A: In Office 365 and Exchange Online environment, the
information about the required content of the SPF record
appears in the Office 365 management portal, under the DNS
setting of your public domain name who was registered.
Important note
1. The uniqueness of the SPF record in Office 365 based
environment
Page 4 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
The value of the SPF record that appears in the Office 365
management portal is identical to all the Office 365 customers
and domain names.
In other words, the SPF record that represents your domain
name in Office 365 is not unique or, includes values that are
relevant only to your domain name.
The value of the SPF record in Office 365 is based on the SPF
value named: “include” that point to an information about all
the available Exchange Online servers who are authorized to
send E-mail on behalf of the Office 365 customers.
2. Using the suggested Office 365 value for the SPF record
The “default value” of the SPF record that appears in the Office
365 management portal is suitable only for a “cloud only
scenario”.
The meaning is that the value of the SPF record is “right” only
in a scenario in which all the organization mail infrastructure is
hosted at Office 365 and Exchange Online.
In a scenario, in which we use additional mail servers, such as
hybrid configuration or mail relay, we should add the
information about the “additional mail server” to the “original
SPF record” syntax that appears in the portal.
You can read more information in the section: SPF record
and “Mixed mail” infrastructure
Get the information about the SPF record
Page 5 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
To be able to get the required information about the content
of the SPF record, use the following steps:
Login to Office 365 portal, choose the DOMAINS menu, choose
the specific domain that you want to see his required DNS
record (o365info.com in our scenario), and click on the manage
DNS option.
In the following screenshot, we can see under the Exchange
Online section the value of the SPF text record that we will
need to create in our public DNS.
Page 6 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Publish the SPF record on your public DNS
After we got the value for the SPF record in an Office 365
environment, we will need to create the required SPF record in
our public DNS server (SPF record is implemented as a text
record).
To demonstrate this procedure, I will use my “GoDaddy” DNS
management interface” for adding the required SPF record.
Note – it’s oblivious that in case that you use the other DNS
management infrastructure, the interface will be different, but the
concept stays the same.
Step 1 – add a new record.
Choose the option: Add Record
Page 7 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Step 2 – choose TXT record
Choose the option of: TXT (Text)
(Don’t forget that SPF record is just a simple TXT record).
Step 3 – add the value of the SPF record
In the “HOST:” text box ass the @ sign In the TXT VALUE: – Paste
or add the value of the SPF record that we got from the Office
365 management portal.
Page 8 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Step 4 – verify that the SPF record was successfully added
In the following screenshot, we can see that the SPF record
(the TXT record) was added
Verifying that the SPF record is published
Q: How to verify that the SPF record is published?
Page 9 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
A: To be able to verify that the SPF record is published, we can
query any public DNS server and “ask him” to display
information about a specific record of a specific domain.
In our scenario, we want to “ask” from a DNS server to display
information about all of the TXT records that exist for a
specific domain: o365info.com (an SPF record is implemented
as TXT record)
We will use the command line tool: nslookup for query the
DNS server.
1. Open the command prompt
2. Type the command: nslookup
3. Type the command: set type=txt
4. Type the domain name, in our scenario: o365info.com
In the following screenshot, we can see the information about
the SPF record that was configured for the domain. In our
scenario, the value of the SPF record is:
v=spf1 include:spf.protection.outlook.com –all
Page 10 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Verifying that SPF record syntax is valid.
Using online tools to verify our SPF record
The nslookup tool can help us to query DNS servers about the
“existence” of SPF record but, “knowing” that the SPF record
exists, doesn’t “tell” as if the SPF record syntax is correct or
valid.
To be able to answer the “second part”, in which we want to
verify that syntax of the SPF record, we will need to use our
“knowledge” or instead, use a free online tool that can
examine and verify the syntax of our SPF record.
In the next section, we will demonstrate how to check the
“validity” of our SPF record using two online web-based tools.
Page 11 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Example 1: using the SPF Record Testing Tools
http://www.kitterman.com/spf/validate.html
In the following example, we use the SPF checker for testing
the SPF record the represent the domain name: o365info.com
In the Domain name box: we add the domain name that we
want to check.
In the following screenshot, we can see the result from the
test.
Page 12 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
The test found that the domain uses the following SPF record:
The TXT records found for your domain are: v=spf1
include:spf.protection.outlook.com –all
Additionally, the test “approve” that the syntax of our SPF
record is correct:
SPF record passed validation test with pySPF (Python SPF
library)!
Example 2: using mxtoolbox SPF tool
http://mxtoolbox.com/spf.aspx
Personally, I like to use the mxtoolbox site because, the
interface are more user friendly and the test result includes
more detailed information.
Page 13 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
For example, in the test result of the SPF record, we can see
additional information such as:
less than two SPF record found”, the meaning that it’s “OK”
because we don’t use more than one SPF record.
Page 14 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Additional reading
Attached links to additional SPF validator online tools
SPF Record Testing Tools
SPF Records
Beveridge Hosting – SPF Test
SPF record and “Mixed mail” infrastructure
In a scenario which I described as: “Mixed mail infrastructure
environment”, we use the Office 365 (Exchange Online) as our
Page 15 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
mail infrastructure + use an additional mail server that will
send E-mail “on behalf” of our domain name.
In this case, we will need to “inform” another mail server that
our organization domain name is “represented” by “two
different entities”: the Office 365 (Exchange Online) mail server
+ a specific mail server that is hosted in our organization.
To be able to demonstrate this type of configuration, let’s use
the following scenario:
Our mail infrastructure is hosted on Office 365 but in addition,
we use on-Premises mail server that uses the public IP address:
212.25.80.239
Our organization domain name is: o365info.com
Page 16 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Creating the required SPF record
We want to create an SPF record that “confirms” these two
different mail servers\ infrastructure.
Q: What is the syntax that I need to use for my SPF record, in
case I have an additional mail server\s?
A: We will need to use the “original syntax” of the Office 365
SPF record + add the information about the on-Premise mail
server that uses the public IP address: 212.25.80.239
In our scenario, the “original Office 365 SPF record syntax” is:
Page 17 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
We will need to “extend” the original SPF record so, the SPF
record will include additional information about our On-
Premises mail server.
The SPF record syntax is very “flexible” meaning; we can relate
to the additional mail server in many ways, such as – A record,
MX record, IP4 address, IP6 addresses and so on.
In the following diagram, we can see an example of the “new
SPF record” that includes the information about the additional
On-Premises mail server that uses the public IP address:
212.25.80.239
Q: Is there an online tool that could help me in the task of
creating the syntax for
my SPF record?
A: Yes, there are a couple of online tools that could be
described as: SPF Generator
In the following example, we will use an online SPF Generator
of a website named: mailradar
In our scenario, we will need to provide three parameters:
1. Domain name – in our example our domain name
is: o365info.com
Page 18 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
2. The Office 365 SPF syntax that includes all the available
Exchange Online server lists:spf.protection.outlook.com
3. The IP address of our on-Premises mail server: 212.25.80.239
At the bottom of the screen, in the section SPF result, we can
see the SPF record “content” that we will need to use (by
adding a TXT record to our public DNS server).
Page 19 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Page 20 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Additional reading
SPF Generator
SPF Wizard
Microsoft’s Sender ID Framework SPF Record Wizard
SPF Record Generator
SPF Wizard
SPF syntax and information
How to Check, Test and Validate SPF Record in DNS is
Correct and Valid
Sender Policy Framework
Sender authentication part 9: SPF Syntax
Sender Policy Framework
SPF Record Syntax
More Information About Txt Record
SPF Record Syntax
Protect your SMTP domain with SPF records
Writing an SPF Record
Sender Policy Framework and Sender ID FAQs
Managing Exchange Online Sender Protection Framework
Records (SPF)
SPF Records – creating and testing
Page 21 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Internal \ outbound spam in Office 365
environment | Article series index
A quick reference for the article series
My E-mail appears as a spam | Article
series index | Part 0#17
The article index of the complete
article series
Introduction to the concept of internal \ outbound spam in general
and in Office 365 and Exchange Online environment
My E-mail appears as a spam –
Introduction | Office 365 | Part 1#17
The psychological profile of the
phenomenon: “My E-mail appears as
a spam!”, possible factors for causing
our E-mail to appear a “spam mail”,
the definition of internal \ outbound
spam.
Internal spam in Office 365 –
Introduction | Part 2#17
Review in general the term: “internal \
outbound spam”, miss conceptions
that relate to this term, the risks that
Page 22 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
are involved in this scenario,
outbound spam E-mail policy and
more.
Internal spam in Office 365 –
Introduction | Part 3#17
What are the possible reasons that
could cause to our mail to appear as
spam\junk mail, who or what are this
“elements”, that can decide that our
mail is a spam mail?, what are the
possible “reactions” of the destination
mail infrastructure that identify our E-
mail as spam\junk mail?.
Commercial E-mail – Using the right
tools | Office 365 | Part 4#17
What is commercial E-mail?
Commercial E-mail as part of the
business process. Why do I think that
Office 365\ Exchange Online is
unsuitable for the purpose of
commercial E-mail?
Introduction if the major causes for a scenario in which your
organization E-mail appears as spam
My E-mail appears as spam | The 7
major reasons | Part 5#17
Review three major reasons, that
could lead to a scenario, in which E-
mail that is sent from our
organization identified as spam mail:
Page 23 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
1. E-mail content, 2. Violation of the
SMTP standards, 3. Bulk\Mass mail
My E-mail appears as spam | The 7
major reasons | Part 6#17
Review three major reasons, that
could lead to a scenario, in which E-
mail that is sent from our
organization identified as spam mail:
4. False positive, 5. User Desktop
malware, 6. “Problematic” Website
Introduction if the subject of SPF record in general and in Office
365 environment
What is SPF record good for? | Part
7#17
The purpose of the SPF record and the
relation to for our mail infrastructure.
How does the SPF record enable us to
prevent a scenario in which hostile
elements could send E-mail on our
behalf.
Implementing SPF record | Part 8#17
The “technical side” of the SPF record:
the structure of SPF record, the way
that we create SPF record, what is the
required syntax for the SPF record in
an Office 365 environment + mix mail
environment, how to verify the
existence of SPF record and so on.
Page 24 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
Introduction if the subject of Exchange Online - High Risk Delivery
Pool
High Risk Delivery Pool and Exchange
Online | Part 9#17
How Office 365 (Exchange Online) is
handling a scenario of internal \
outbound spam by using the help of
the Exchange Online- High Risk
Delivery Pool.
High Risk Delivery Pool and Exchange
Online | Part 10#17
The second article about the subject
of Exchange Online- High Risk
Delivery Pool.
The troubleshooting path of internal \ outbound spam scenario
My E-mail appears as spam –
Troubleshooting path | Part 11#17
Troubleshooting scenario of internal \
outbound spam in Office 365 and
Exchange Online environment.
Verifying if our domain name is
blacklisted, verifying if the problem is
related to E-mail content, verifying if
the problem is related to specific
organization user E-mail address,
moving the troubleshooting process
to the “other side.
Page 25 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
My E-mail appears as spam |
Troubleshooting – Domain name and
E-mail content | Part 12#17 Verify if
our domain name appears as
blacklisted, verify if the problem
relates to a specific E-mail message
content, registering blacklist
monitoring services, activating the
option of Exchange Online outbound
spam.
My E-mail appears as spam |
Troubleshooting – Mail server | Part
13#17
What is the meaning of: “our mail
server”?, Mail server IP, host name
and Exchange Online. One of our
users got an NDR which informs him,
that his mail server is blacklisted!,
How do we know that my mail server
is blacklisted?
My E-mail appears as spam |
Troubleshooting – Mail server | Part
14#17
The troubleshooting path logic. Get
the information from the E-mail
message that was identified as
spam\NDR. Forwarding a copy of the
NDR message or the message that
saved to the junk mail
Page 26 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
My E-mail appears as spam |
Troubleshooting – Mail server | Part
15#17
Step B – Get information about your
Exchange Online infrastructure, Step
C – fetch the information about the
Exchange Online IP address, Step D –
verify if the “formal “Exchange Online
IP address a
De-list your organization from a
blacklist | My E-mail appears as spam
| Part 16#17
Review the charters of a scenario in
which your organization appears as
blacklisted. The steps and the
operations that need to be
implemented for de-list your
organization from a blacklist.
Summery and recap of the troubleshooting and best practices in a
scenario of internal \ outbound spam
Dealing and avoiding internal spam |
Best practices | Part 17#17
Provide a short checklist for all the
steps and the operation that relates
to a scenario of – internal \ outbound
spam.
