SPF Records in Microsoft DNS
Question asked by Michael Graveen - January 22, 2015 at 10:02 PM
Unanswered
When I create a TXT record in Microsoft's DNS (2008 R2) that has an SPF string, are quotes required around the string? Most of the SPF record creators have the quotes, but I tried an SPF checking tool at "mxtoolbox dot com" that failed to recognize the SPF record because of the quotes. I removed the "" and it was recognized.
 
Thanks,
 
Mike

4 Replies

0
Hi Bruce,
Thanks for the reply. If quotes aren't required in MS DNS, and not having them causes my SPF string to be recognized by some SPF validation tests, then I will remove the quotes.
 
Would you tell me if this SPF string looks correct?
v=spf1 mx ip4:173.160.113.129 a:ns.pixel8.com -all
All the domains on my mail server have their outgoing mail sent through IP address 173.160.113.129 (FQDN ns.pixel8.com). It's the only IP and name that is authorized to send the mail (-all). Does my SPF string need to be any more elaborate than that?
 
SPF has always been a little confusing for me, so any help would be greatly appreciated.
 
Which DNS software do you recommend since MS is lacking with their product?
 
Best regards,
 
Mike
0
Here's the SPF record that I generated via the DNS create tool at www.DNSStuff.com
 
v=spf1 a mx ptr a:ns.ipixel8.com ip4:173.160.113.129 ~all
 
that should work without any issues.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
I manually created the record, so it should work. The quotes, required by other DNS editors / servers, are for entry into the DNS Server interface, and not transmitted across the network. Different DNS servers have different requirements, and it's easy to get confused. Make certain you have at least two, and they are properly listed as the servers at your Domain registrar. You will also need to make certain they are on two separate, physical, networks, you designate one as the PRIMARY, and all others as SECONDARY, making your DNS changes only to the primary DNS. The primary will auto-update all secondaries. Good luck.
Bruce Barnes
0
Thanks Bruce!
I still have a question on using -all vs ~all.  Isn't it better to use -all if I know for sure my outgoing mail is only coming from the single IP address?  I thought using ~all was (soft), or do I have that wrong?
 
Mike
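
An added example, not part of the thread and not any poster's code: a small Python parser that reads the two SPF records posted above, reports the result each assigns to non-matching senders via `all`, and shows why TXT data that literally begins with a quote character is not recognized as SPF. The function names are hypothetical, and the quoted variants are constructed on the assumption that the quote characters ended up stored as part of the record data.

```python
import shlex

# RFC 7208 qualifiers; a mechanism with no qualifier defaults to "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The two records posted in the thread.
MIKE = "v=spf1 mx ip4:173.160.113.129 a:ns.pixel8.com -all"
BRUCE = "v=spf1 a mx ptr a:ns.ipixel8.com ip4:173.160.113.129 ~all"

def txt_from_zone_file(rdata):
    """Zone-file form: quotes delimit character-strings and are not data;
    multiple strings are concatenated with nothing in between."""
    return "".join(shlex.split(rdata))

def parse_spf(txt):
    """Return [(result, mechanism), ...], or None if txt is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None  # includes data whose first term is '"v=spf1'
    parsed = []
    for term in terms[1:]:
        if "=" in term.split(":")[0]:
            continue  # modifier such as redirect= or exp=, not a mechanism
        if term[0] in QUALIFIERS:
            parsed.append((QUALIFIERS[term[0]], term[1:]))
        else:
            parsed.append(("pass", term))
    return parsed

def all_policy(txt):
    """Result for senders that match no earlier mechanism."""
    parsed = parse_spf(txt)
    if parsed is None:
        return None
    for result, mechanism in parsed:
        if mechanism.lower() == "all":
            return result
    return "neutral"  # no "all" mechanism; redirect= is not followed here

if __name__ == "__main__":
    samples = [("Mike", MIKE), ("Bruce", BRUCE),
               ("quotes stored as data (constructed)", '"' + MIKE + '"')]
    for name, data in samples:
        print(f"{name}: all -> {all_policy(data)}")
```

In SPF terms `-all` yields fail and `~all` yields softfail for any sender not matched earlier in the record; how a receiving server acts on either result is its own local policy.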
