Comments on: A Sender Policy Framework (SPF) Primer for Exchange Administrators
https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/
Practical Office 365 News, Tips, and Tutorials
Tue, 09 May 2023 13:54:49 +0000

By: Paul: Do You Really Need an SPF Record? – Seo On Exchange https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-160640 Thu, 02 Aug 2018 14:14:28 +0000

[…] PF records are used to prevent spammers from spoofing your domain name. Recipient servers can use the SPF record you publish in DNS to determine whether an email that they have received has come from an authorized server or not. They can then make a decision about how to treat that email. You can read a more detailed run down of SPF records here. […]

By: Dan https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-160435 Wed, 18 Jul 2018 12:20:37 +0000

Paul, thank you for such good articles and explanations.
I would like to ask if we should disable in Exchange 2013 with:
Set-SenderIDConfig -Enabled $false
when we have an external email security gateway which does the SPF check for us.
Is that safe?
Thank you

By: Paul Cunningham https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-159683 Thu, 21 Jun 2018 11:48:24 +0000

In reply to bc.

I don’t think Exchange has this capability. You should implement an email security product or service to filter the mail and look for those kinds of signals. Most antispam products like Exchange Online Protection should catch it.

By: bc https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-159662 Thu, 21 Jun 2018 01:57:07 +0000

Hi Paul, I have a concern about the envelope sender and the “from address”.
Can Exchange Server catch it if the envelope sender is different from the “from address”?

In most spam and phishing email, the “from address” uses friendly email addresses that look like a customer, boss, etc.,
and for the envelope sender, the spammer can send email via an SPF-pass email service provider.
Some users may get trapped by this kind of email.

So I want to indicate to the user about possible spam if the envelope sender and “from address” are different.
I checked the external email gateway, and Exchange Server 2013 does not have this feature.
Do you have any idea?

By: Alan Doherty https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-157571 Tue, 06 Mar 2018 02:45:22 +0000

it's worth pointing out microsoft products DO NOT check/use spf
they use an incompatible (and abandoned) protocol, sender-id

all users of SPF records must (to be received correctly by systems running exchange/sender-id) have a null sender-id policy also (or their correct spf policy will be mis-used as a sender-id policy)

the sender-id policy is thus
“spf2.0/pra ?all”
meaning if checking from: header (sender-id) return neutral
and their normal spf
“v=spf1 ip4:xx.xx.xx.xx ip4:xx.xx.xx.xx ip4:xx.xx.xx.xx ip4:xx.xx.xx.xx -all”

also note when testing a new spf policy the terminator should only ever be ?all (aka ignore failures)

http://www.alandoherty.net/info/mailservers/spf/

By: Paul Cunningham https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-152465 Fri, 15 Sep 2017 22:27:01 +0000

In reply to Lee Johnson.

I recommend looking at it. I haven’t spent enough time with it to give a thorough pros/cons view of it.

By: Lee Johnson https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-152226 Thu, 14 Sep 2017 15:37:06 +0000

Hi Paul, do you recommend DMARC? And what’s your opinion on it, i.e. pros and cons. Would appreciate your thoughts.

Thanks. Lee

By: Do You Really Need an SPF Record? https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-150579 Thu, 07 Sep 2017 11:33:07 +0000

[…] some time now I've considered Sender Policy Framework (SPF) records an essential part of domain name ownership. As it turns out there's still some debate in tech […]

By: Paul Cunningham https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-23379 Fri, 03 Jun 2016 00:33:38 +0000

In reply to Andrew.

I’m going to assume your send connector has both servers as a source transport server.

In that case, you need the same DNS, PTR, SPF requirements for both servers’ public IP addresses.

By: Andrew https://practical365.com/a-sender-policy-framework-spf-primer-for-exchange-administrators/#comment-23378 Thu, 02 Jun 2016 12:32:38 +0000

Hi Paul

What is the recommended way to set up PTR records if I have 2 x Exchange servers in a DAG?

The public IPs are set in the SPF record already and hard fail has been set up.

However each exchange server has its own public IP for example:
Server 1 1.2.3.4
Server 2 1.2.3.5

mail.domain.com resolves to 1.2.3.4 and reverse lookups work ok

Scenario is a client sends from Server 2 1.2.3.5 and gets a bounce back

Client host rejected: cannot find your hostname, [1.2.3.5]

This is because the PTR is not set up and the destination server is running a PTR check and 1.2.3.5 does not resolve back to mail.domain.com.

So the answer is to ask my ISP to set up PTR records? Does this sound correct?
