This document discusses implementing SPF records, including:
1. The technical process of creating and publishing an SPF record, including understanding the required syntax and verifying that the record is published correctly.
2. How to get the required SPF record syntax for an Office 365 environment from the admin portal.
3. Considerations for "mixed mail" infrastructures that use both Office 365 and additional mail servers, requiring the SPF record to include information about both.
4. Online tools that can help generate and validate SPF records.
1. Page 1 of 26 | Implementing SPF record | Part 8#17
Written by Eyal Doron | o365info.com
IMPLEMENTING SPF RECORD |
PART 8#17
This article is a continuation of the previous article: What is SPF record good for? | Part 7#17
The previous article focused on the purpose of the SPF record and why it is so important for preventing a scenario in which spammers could present themselves as our legitimate mail server.
This article focuses on the “technical side” of the SPF record, such as: the structure of the SPF record, the way that we create an SPF record, the required syntax for the SPF record in an Office 365 environment and in a mixed mail environment, how to verify the existence of the SPF record, and so on.
SPF record task list.
Technically speaking, the process of creating and publishing
SPF record.
The “issue” is that not all of us are familiar with the importance of the SPF record (this subject was discussed in the previous article: What is SPF record good for? | Part 7#17) or with the different technical aspects of SPF records, such as:
• The “content” and the syntax that the SPF record should include
• How to publish the SPF record
• How to verify that the SPF record that we have published uses the right syntax and points to the mail servers that send mail on behalf of our organization.
Q: Can you provide me with an SPF record task list?
A: The task list of the “SPF record project” includes the following tasks:
1. Understand what the content (the information that appears) of our SPF record should be.
2. Create an SPF record in our public DNS (publish the information about the SPF record).
3. Verify that the SPF record was successfully published.
4. Verify that the SPF record syntax and structure are correct.
5. Verify that our SPF record includes “pointers” to all of our mail servers.
Get the required information for SPF record
syntax in an Office 365 environment
Q: How do I know what the required “content” is for the SPF record of my organization in an Office 365 environment?
A: In an Office 365 and Exchange Online environment, the information about the required content of the SPF record appears in the Office 365 management portal, under the DNS settings of the public domain name that was registered.
Important note
1. The uniqueness of the SPF record in Office 365 based
environment
The value of the SPF record that appears in the Office 365 management portal is identical for all Office 365 customers and domain names.
In other words, the SPF record that represents your domain name in Office 365 is not unique and does not include values that are relevant only to your domain name.
The value of the SPF record in Office 365 is based on the SPF value named “include”, which points to information about all the available Exchange Online servers that are authorized to send E-mail on behalf of Office 365 customers.
2. Using the suggested Office 365 value for the SPF record
The “default value” of the SPF record that appears in the Office 365 management portal is suitable only for a “cloud only scenario”.
This means that the value of the SPF record is “right” only in a scenario in which all of the organization's mail infrastructure is hosted at Office 365 and Exchange Online.
In a scenario in which we use additional mail servers, such as a hybrid configuration or a mail relay, we should add the information about the “additional mail server” to the “original SPF record” syntax that appears in the portal.
You can read more information in the section: SPF record and “Mixed mail” infrastructure
Get the information about the SPF record
To get the required information about the content of the SPF record, use the following steps:
Log in to the Office 365 portal, choose the DOMAINS menu, choose the specific domain whose required DNS records you want to see (o365info.com in our scenario), and click the manage DNS option.
In the following screenshot, we can see, under the Exchange Online section, the value of the SPF text record that we need to create in our public DNS.
Publish the SPF record on your public DNS
After we get the value for the SPF record in an Office 365 environment, we need to create the required SPF record in our public DNS server (an SPF record is implemented as a text record).
To demonstrate this procedure, I will use my “GoDaddy” DNS management interface to add the required SPF record.
Note: obviously, if you use a different DNS management infrastructure, the interface will be different, but the concept stays the same.
Step 1 - add a new record.
• Choose the option: Add Record
Step 2 - choose TXT record
• Choose the option: TXT (Text)
(Don’t forget that an SPF record is just a simple TXT record.)
Step 3 - add the value of the SPF record
• In the “HOST:” text box, add the @ sign.
• In the “TXT VALUE:” text box, paste or add the value of the SPF record that we got from the Office 365 management portal.
Step 4 - verify that the SPF record was successfully added
In the following screenshot, we can see that the SPF record (the TXT record) was added.
Verifying that the SPF record is published
Q: How to verify that the SPF record is published?
A: To verify that the SPF record is published, we can query any public DNS server and “ask” it to display information about a specific record of a specific domain.
In our scenario, we want to “ask” a DNS server to display information about all of the TXT records that exist for a specific domain: o365info.com (an SPF record is implemented as a TXT record).
We will use the command line tool nslookup to query the DNS server.
1. Open the command prompt
2. Type the command: nslookup
3. Type the command: set type=txt
4. Type the domain name, in our scenario: o365info.com
In the following screenshot, we can see the information about
the SPF record that was configured for the domain. In our
scenario, the value of the SPF record is:
v=spf1 include:spf.protection.outlook.com -all
Verifying that SPF record syntax is valid.
Using online tools to verify our SPF record
The nslookup tool can help us to query DNS servers about the “existence” of the SPF record, but “knowing” that the SPF record exists does not “tell” us whether the SPF record syntax is correct or valid.
To answer the “second part”, in which we want to verify the syntax of the SPF record, we need to use our “knowledge” or, instead, use a free online tool that can examine and verify the syntax of our SPF record.
In the next section, we demonstrate how to check the “validity” of our SPF record using two online web-based tools.
Example 1: using the SPF Record Testing Tools
http://www.kitterman.com/spf/validate.html
In the following example, we use the SPF checker to test the SPF record that represents the domain name: o365info.com
In the Domain name box, we add the domain name that we want to check.
In the following screenshot, we can see the result of the test.
The test found that the domain uses the following SPF record:
The TXT records found for your domain are: v=spf1 include:spf.protection.outlook.com -all
Additionally, the test confirms that the syntax of our SPF record is correct:
SPF record passed validation test with pySPF (Python SPF library)!
Example 2: using mxtoolbox SPF tool
http://mxtoolbox.com/spf.aspx
Personally, I like to use the mxtoolbox site because the interface is more user friendly and the test result includes more detailed information.
For example, in the test result of the SPF record, we can see additional information such as “less than two SPF record found”, which means that it is “OK” because we do not use more than one SPF record.
SPF record and “Mixed mail” infrastructure
In a scenario that I describe as a “Mixed mail infrastructure environment”, we use Office 365 (Exchange Online) as our mail infrastructure and, in addition, use an additional mail server that sends E-mail “on behalf” of our domain name.
In this case, we need to “inform” other mail servers that our organization's domain name is “represented” by “two different entities”: the Office 365 (Exchange Online) mail servers and a specific mail server that is hosted in our organization.
To demonstrate this type of configuration, let’s use the following scenario:
• Our mail infrastructure is hosted on Office 365 but, in addition, we use an on-premises mail server that uses the public IP address: 212.25.80.239
• Our organization domain name is: o365info.com
Creating the required SPF record
We want to create an SPF record that “confirms” these two different mail server infrastructures.
Q: What is the syntax that I need to use for my SPF record if I have additional mail servers?
A: We need to use the “original syntax” of the Office 365 SPF record and add the information about the on-premises mail server that uses the public IP address: 212.25.80.239
In our scenario, the “original Office 365 SPF record syntax” is:
We need to “extend” the original SPF record so that it includes additional information about our on-premises mail server.
The SPF record syntax is very “flexible”, meaning that we can refer to the additional mail server in many ways, such as an A record, an MX record, an IP4 address, IP6 addresses, and so on.
In the following diagram, we can see an example of the “new SPF record” that includes the information about the additional on-premises mail server that uses the public IP address: 212.25.80.239
Q: Is there an online tool that could help me with the task of creating the syntax for my SPF record?
A: Yes, there are a couple of online tools that can be described as SPF generators.
In the following example, we use the online SPF generator of a website named: mailradar
In our scenario, we need to provide three parameters:
1. Domain name: in our example, the domain name is o365info.com
2. The Office 365 SPF value that includes the list of all the available Exchange Online servers: spf.protection.outlook.com
3. The IP address of our on-premises mail server: 212.25.80.239
At the bottom of the screen, in the SPF result section, we can see the SPF record “content” that we need to use (by adding a TXT record to our public DNS server).
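The verification tasks from the task list (exactly one published SPF record, valid syntax, pointers to all of our mail servers) and the mixed mail record can also be checked with a short script. The following Python code is an added example, not part of the original article or of any tool it mentions; the function name check_spf, the sample TXT answers and the form of the mixed record are constructed for illustration. It assumes the TXT strings were already retrieved (for example with nslookup) and checks server coverage only against ip4/ip6 terms, without resolving includes.

```python
import ipaddress

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that cost the receiver a DNS lookup; counted for this record only, not nested includes.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records, required_includes=(), required_ips=()):
    """Return a list of problems; an empty list means every check passed."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # zero or several SPF records both break evaluation
        return [f"expected exactly one SPF record, found {len(spf)}"]
    problems, includes, networks, lookups = [], set(), [], 0
    terms = spf[0].split()[1:]
    for pos, term in enumerate(terms):
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, value = body.partition(":")
        if "=" in name:  # modifier such as redirect=domain or exp=domain
            lookups += name.lower().startswith("redirect=")
            continue
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" carry a CIDR suffix
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism: {term}")
            continue
        lookups += name in DNS_LOOKUP_TERMS
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
                networks.append(net)
            except ValueError:
                problems.append(f"invalid address in: {term}")
        elif name == "include":
            includes.add(value.lower())
        elif name == "all":
            if qualifier == "+":  # a bare "all" defaults to "+all"
                problems.append("+all authorizes every sender")
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are ignored")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    for domain in required_includes:
        if domain.lower() not in includes:
            problems.append(f"missing include:{domain}")
    for ip in required_ips:
        if not any(ipaddress.ip_address(ip) in net for net in networks):
            problems.append(f"mail server {ip} is not covered by ip4/ip6")
    return problems


# Constructed TXT answers for illustration (not captured from DNS).
CLOUD_ONLY = ["site-verification=EXAMPLE", "v=spf1 include:spf.protection.outlook.com -all"]
MIXED = ["v=spf1 ip4:212.25.80.239 include:spf.protection.outlook.com -all"]

if __name__ == "__main__":
    o365 = ["spf.protection.outlook.com"]
    print(check_spf(MIXED, o365, ["212.25.80.239"]))
    print(check_spf(CLOUD_ONLY, o365, ["212.25.80.239"]))
```

The second call reports the on-premises server as uncovered, which is the situation in which the “cloud only” record from the portal is published unchanged in a mixed mail environment.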