  1. #1
    New Spam Forum
    Join Date
    Aug 2009
    Posts
    149
    BG Level
    3
    FFXI Server
    Fenrir

    Need help setting up a spf record

    I need to create a spf record for my office's mail server and I used the Microsoft wizard provided here. I dropped the result into a .txt in the DNS and reloaded and refreshed the mail server's forward lookup zone. However, when I went to check if it was working properly with this web tool, it was unable to find my spf record. I read on some sites (yes, I've googled my problem multiple times) that it can take up to 48 hours to propagate, but the record I made on Tuesday didn't show up either.

    I'm hoping I just missed a step or my spf is wrong. I'll dump my censored spf below.

    v=spf1
    a
    mx
    ip4: (mail server's IP here)
    mx: (mail server's domain here)
    ip4: (business's Static IP here)
    ip4: (list of 31 IPs of outside mail servers)
    include:constantcontact.com
    include:nutshellmail.com
    mx:constantcontact.com
    mx:nutshellmail.com
    +all

    I need to set this up because since around Christmas some ISPs have been blocking us from emailing our clients.

  2. #2
    Relic Weapons
    Join Date
    Oct 2006
    Posts
    335
    BG Level
    4

    It's difficult to tell because if there's a syntax error involved, it could be included in the values that you edited out.

    - Is your zone reading the latest version of your zone file? Depending on how you edit zone files in your zone, did you remember to increment the serial number? Try looking up the SOA record for the domain to see if the serial numbers match; if the serial number in the zone file is more recent, there may be an error logged by named indicating why it did not reload the new zone file.
    - There shouldn't be spaces in between the "ip4:" mechanism and the IP address value (e.g., "ip4:10.100.0.0/16" and not "ip4: 10.100.0.0/16")

    And although it's not an error, do you really, really want "+all"? You're basically allowing any machine to send mail on your domain's behalf; you probably want "-all" to limit the list of allowed senders to the ones you have listed in the SPF record.
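The checks raised in the reply above (no space after `ip4:`, and `+all` versus `-all`) can be automated. The following linter is an added example, not code from the thread or from any tool the posters used; the sample records are constructed with documentation addresses and `example.com`, and the function name `lint_spf` is hypothetical. It goes beyond the reply by also checking the SPF limit of 10 DNS-lookup terms and the 255-byte limit on a single TXT string.

```python
import re

# Terms that cost one DNS lookup each; RFC 7208 caps these at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}

# Constructed samples (documentation addresses, example.com), not the poster's data.
AS_POSTED = ("v=spf1 a mx ip4: 192.0.2.10 mx:mail.example.com ip4: 203.0.113.5 "
             "include:constantcontact.com include:nutshellmail.com "
             "mx:constantcontact.com mx:nutshellmail.com +all")
TIGHTENED = "v=spf1 a mx ip4:192.0.2.10 include:constantcontact.com -all"
PER_HOST = "v=spf1 " + " ".join(f"ip4:198.51.100.{n}" for n in range(1, 32)) + " -all"

def lint_spf(record):
    """Return a list of findings for one SPF TXT value; an empty list means none."""
    findings = []
    # A space after the colon turns "ip4: 10.0.0.1" into two broken terms.
    if re.search(r"\b(ip4|ip6|include|a|mx):\s", record):
        findings.append("whitespace after ':' separates a mechanism from its value")
        record = re.sub(r"\b(ip4|ip6|include|a|mx):\s+", r"\1:", record)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return findings + ["record does not start with v=spf1"]
    lookups, seen_all = 0, False
    for term in terms[1:]:
        if seen_all:
            findings.append(f"'{term}' follows 'all' and is never evaluated")
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is +
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name not in KNOWN_TERMS:
            findings.append(f"unknown term '{term}'")
        elif name in LOOKUP_TERMS:
            lookups += 1  # top-level terms only; lookups inside includes also count
        elif name == "all":
            seen_all = True
            if qualifier == "+":
                findings.append("'+all' passes mail from any host; use -all or ~all")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    if len(record) > 255:
        findings.append("longer than 255 bytes; publish as several quoted strings "
                        "in one TXT record or use a CIDR range")
    return findings

if __name__ == "__main__":
    for sample in (AS_POSTED, TIGHTENED, PER_HOST):
        print(lint_spf(sample) or "no findings")
```

A clean result only means the text is well-formed; the record still has to be published in the zone that the domain's public name servers actually serve.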

  3. #3
    New Spam Forum
    Join Date
    Aug 2009
    Posts
    149
    BG Level
    3
    FFXI Server
    Fenrir

    The serial number was incremented, yes, but which serial numbers are supposed to match? There's one SOA for each of the forward lookup zones but they all have different serial numbers. There are also no errors reported for this year in the DNS. Right now the domain.com's SOA is pointing to domain.local as the primary server, does that need to be changed? All this stuff in the DNS Manager is at defaults from when the tech guy set up our network for us about 1½ years ago.

    Yeah sorry, I just added the spaces for the OP so that it wouldn't make the smileys, there's no spacing at all in the .txt. Every IP is on its own line.

    I took your advice and changed it to -all. Now if I can just get it to work!

    Here's what I'm looking at in the forward lookup zones if it helps any.


  4. #4
    Relic Weapons
    Join Date
    Oct 2006
    Posts
    335
    BG Level
    4

    I'm admittedly less familiar with DNS managed by Windows Server, so the data field looks odd; in the record itself, the entries shouldn't be comma-delimited.

    When I say to compare serial numbers, I mean to look up the SOA record (via dig or some other utility) to see whether the serial number of your zone file matches the copy of the zone file which has propagated out. For example:

    $ dig usc.edu SOA | grep SOA
    ; <<>> DiG 9.7.3-P3 <<>> usc.edu SOA
    ;usc.edu. IN SOA
    usc.edu. 3600 IN SOA kaus.usc.edu. root.usc.edu. 2009113408 3600 1800 360000 3600

    Looking at the record, I can see that the name server has properly loaded the zone file serial number 2009113408, which includes any updates made in that version of the file. A similar look up for your zone should reflect a serial number greater than or equal to the one that contains your new TXT record; if it doesn't, the name server doesn't have the updated value yet and the SPF record wouldn't be available.

    When you used the SPF Record Testing Tool (the webtool you linked to above) and tested your domain, did it find a TXT record at all? This should be reflected in the first few lines of the tool's output.

    Edit: However DNS Manager allows you to enter the value for the TXT record, I would try just putting it on a single line if possible. Also, you can PM me the domain if you want me to check it out from the outside.

  5. #5
    New Spam Forum
    Join Date
    Aug 2009
    Posts
    149
    BG Level
    3
    FFXI Server
    Fenrir

    This is what I get when I use the SPF record tester

    SPF records are published in DNS as TXT records. No TXT records found for your domain.

    SPF records should also be published in DNS as type SPF records.

    No type SPF records found.

    I initially tried putting it on just one line because that's how Microsoft's wizard outputs it by default, but because there were so many individual IPs the DNS Manager refused to read it. I tried using the wrap text option and that put each IP onto its own line (the commas only show up in that preview)... but it doesn't work either way and I'm pretty stumped at this point. I've been working on this off and on all week and I'm about ready to give up because this is supposed to be some easy 4 step process and I feel like a retard because I always botch up stuff with the server ugh

  6. #6
    Bagel
    Join Date
    Jan 2009
    Posts
    1,412
    BG Level
    6

    I can't say I've ever worked on SPF entries that included multiple domains, so I don't know how much help I'll be with that. However, one thing that did strike my curiosity - why are you using +all at the end? Wouldn't that default to all pass? Shouldn't it be -all or ~all (depending on what you're trying to accomplish)?

  7. #7
    New Spam Forum
    Join Date
    Aug 2009
    Posts
    149
    BG Level
    3
    FFXI Server
    Fenrir

    Originally Posted by Kryssan:
        I can't say I've ever worked on SPF entries that included multiple domains, so I don't know how much help I'll be with that. However, one thing that did strike my curiosity - why are you using +all at the end? Wouldn't that default to all pass? Shouldn't it be -all or ~all (depending on what you're trying to accomplish)?

    Yeah sorry I didn't edit the OP but here's what I've cut my spf down to using Microsoft's wizard.

    v=spf1 a ip4:(server IP) ip4:(business's static IP) a:constantcontact.com include:constantcontact.com mx:constantcontact.com -all

    Both of the spf record checkers I linked above said there were no syntax errors with this version. I went to check the live version again today and it's still not working.

    So basically what I need to do with this is allow Constant Contact to send emails on our behalf because we use them for mass emailings. I have a list of domains and IPs that they use below. Hope someone knows how to get this working.

    http://constantcontact.custhelp.com/...ng/r_id/111930


    All mail from Constant Contact is sent from:

    IP Range: 208.75.123.0 - 208.75.123.255
    CIDR: 208.75.123.0/24
    Network/Netmask: 208.75.123.0 255.255.255.0

    Specific IPs sending from this range:


  8. #8
    Relic Weapons
    Join Date
    Oct 2006
    Posts
    335
    BG Level
    4

    If the web tool isn't seeing the TXT record, then either the zone file still isn't being updated properly or the zone file may not be included in your domain's external view (if you have split views). I think I have a copy of Windows Server 2008 around here somewhere, I'll try to configure it with a DNS role...

  9. #9
    New Spam Forum
    Join Date
    Aug 2009
    Posts
    149
    BG Level
    3
    FFXI Server
    Fenrir

    I feel like a busta about this but I guess the solution was more obvious than expected. Turns out the SPF record was supposed to go into our domain provider's DNS Manager (GoDaddy), not the servers. I got everything working now, thanks for sticking around for the help Teorem. Now to just get things cleared up with the ISPs that are blocking our email.
