
SPF Record Question

I don't know what the best practices are for creating the SPF record.

v=spf1 ip4:12.5.52.36 a:mail.grahamrmc.com -all

My Sophos UTM's hostname is vpn.grahamrmc.com with the public IP address 12.5.52.51, and it is needed for the SPX portal to work.

The internal FQDN of the Exchange server is grmc-mail.noc.grahamrmc.com

Is the "v=spf1 ip4:12.5.52.36 a:mail.grahamrmc.com -all" right according to best practices?

Everything seems to be working OK.

  • You need to examine which device uses 12.5.52.36 (reverse DNS points to mail.grahamrmc.com).

    You also have a:mail.grahamrmc.com, which says that all A records with that name are also authorized to send mail coming from your domain name. There's currently only one A record with that name, also pointing to the 12.5.52.36 address.

    It's not wrong, but these two entries both point to the exact same machine on the internet.

    Furthermore, you have -all at the end, which basically tells receiving mail servers that any origin other than the configured ones should be discarded.

    As already said, we don't know how your mail flows, but it had better get out to the internet through 12.5.52.36; otherwise your sent mails will not arrive in the mailboxes of people who do SPF checking (not a lot do, so in this case you'll likely have some people who receive your mails and some who don't).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  •  

    12.5.52.36 is NATed to the internal IP of the Exchange server, and the Exchange server is using a Sophos appliance as a smart host. Currently using a Dell SonicWall as the firewall and trying to replace it with a Sophos UTM.

    Due to the complexity of my network, which is an entirely different topic, the Sophos UTM is providing the email protection for my mail. I got an ES150 to take over the UTM's role in email protection so I can replace the SonicWall with the UTM without worrying about mail flow.

    Would it show you how my mail flows if I send an email from my work email account to my personal Gmail account and post the original message with the SPF pass in it?

  • Yes, it would show, but as you say SPF passes in Gmail, it's set up correctly, and the outgoing mail is also flowing out from the correct IP address. If that's your only source of outgoing mail, then you're good. However, don't forget about e.g. websites that send out mail using your domain name and not flowing out of this IP but sent directly from the hosting provider. In that case these mails will originate from a different IP and will have an SPF hard fail. Also, other equipment (printers, scanners) might use your domain name in outgoing mail but not use the same route for mail to go out.


  • Worked great, except my primary internet went down at 9am today; I quickly removed the SPF record because mail is coming from a different IP address at the moment.

  • Then you should change your SPF record to include that other IP before you reactivate SPF.  Your other records have a 2-hour TTL, so your organization could have been unable to send emails for up to two hours to frequently-emailed domains.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
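To make the two points of this thread concrete (that ip4:12.5.52.36 and a:mail.grahamrmc.com authorize the same host, and that a -all record must list every address mail can legitimately leave from, including a backup link, before it is switched back on), here is a small SPF evaluator written as an added example. It is not code from any participant in the thread or from Sophos. It implements only the ip4, a and all mechanisms (no include, mx or redirect), uses a constructed table in place of live DNS answers, and uses 203.0.113.25 as a labelled placeholder for the unnamed backup-link address, since the thread does not give it.

```python
"""Minimal SPF evaluator covering the mechanisms used in the thread.

Constructed, offline example: DNS answers come from a fixed table, not live
lookups. Only ip4, a and all are implemented; include/mx/redirect are out of
scope here.
"""
import ipaddress

# Constructed stand-in for DNS: the A record for mail.grahamrmc.com as stated
# in the thread. 203.0.113.25 is a documentation-range PLACEHOLDER for the
# unnamed backup-link address the failover post refers to.
DNS_A = {"mail.grahamrmc.com": ["12.5.52.36"]}
BACKUP_IP_PLACEHOLDER = "203.0.113.25"

RECORD_FROM_THREAD = "v=spf1 ip4:12.5.52.36 a:mail.grahamrmc.com -all"
RECORD_WITH_BACKUP = (
    f"v=spf1 ip4:12.5.52.36 ip4:{BACKUP_IP_PLACEHOLDER} a:mail.grahamrmc.com -all"
)

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_host(sender_ip, record, domain="grahamrmc.com", dns_a=DNS_A):
    """Return the SPF result for sender_ip under record (first match wins)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, value in parse_spf(record):
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and ip in ipaddress.ip_network(value, strict=False)
        elif mech == "a":
            # a: with no value means the domain the record belongs to
            matched = sender_ip in dns_a.get(value or domain, [])
        else:
            raise ValueError(f"mechanism not implemented here: {mech}")
        if matched:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term was present


def covered_addresses(record, domain="grahamrmc.com", dns_a=DNS_A):
    """Map each pass-qualified mechanism to the addresses it authorizes."""
    covered = {}
    for qualifier, mech, value in parse_spf(record):
        if qualifier != "+":
            continue
        if mech == "ip4":
            net = ipaddress.ip_network(value, strict=False)
            covered[f"ip4:{value}"] = {str(a) for a in net}
        elif mech == "a":
            covered[f"a:{value or domain}"] = set(dns_a.get(value or domain, []))
    return covered


if __name__ == "__main__":
    for label, rec in (("thread record", RECORD_FROM_THREAD),
                       ("with backup IP", RECORD_WITH_BACKUP)):
        print(f"== {label}: {rec}")
        for src in ("12.5.52.36", "12.5.52.51", BACKUP_IP_PLACEHOLDER):
            print(f"  mail from {src:>14}: {check_host(src, rec)}")
        print("  addresses authorized per mechanism:", covered_addresses(rec))
```

Running it shows the thread's record passing mail from 12.5.52.36, hard-failing mail from the UTM's own address 12.5.52.51 and from the backup address, and `covered_addresses` returning the same single address for both the ip4 and the a mechanism. Only the record that lists the backup address lets mail through while the primary link is down, which is the change the moderator asks for before re-enabling the record.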