SPF Records in Microsoft DNS
Question asked by Michael Graveen - 1/22/2015 at 10:02 PM
When I create a TXT record in Microsoft's DNS (2008 R2) that has an SPF string, are quotes required around the string?  Most of the SPF record creators have the quotes, but I tried a SPF checking tool at "mxtoolbox dot com" that failed to recognize the SPF record because of the quotes.  I removed the "" and it was recognized.
 
Thanks,
 
Mike

7 Replies

Bruce Barnes Replied
MS DNS does not require quotes. It also doesn't support the new "SPF" record type, yet, only supporting SPF TXT records.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
Michael Graveen Replied
Hi Bruce,
Thanks for the reply.  If quotes aren't required in MS DNS, and not having them causes my SPF string to be recognized by some SPF validation tests, then I will remove the quotes.
 
Would you tell me if this SPF string looks correct?
v=spf1 mx ip4:173.160.113.129 a:ns.pixel8.com -all
All the domains on my mail server have their outgoing mail sent through IP address 173.160.113.129 (FQDN ns.pixel8.com).  It's the only IP and name that is authorized to send the mail (-all).  Does my SPF string need to be any more elaborate than that?
 
SPF has always been a little confusing for me, so any help would be greatly appreciated.
 
Which DNS software do you recommend since MS is lacking with their product?
 
Best regards,
 
Mike
Bruce Barnes Replied
Here's the SPF record that I generated via the DNS create tool at www.DNSStuff.com
 
v=spf1 a mx ptr a:ns.ipixel8.com ip4:173.160.113.129 ~all
 
that should work without any issues.
Michael Graveen Replied
Thanks Bruce! You have an extra "i" in front of pixel8 in the string. I'm confused on when I should be using "-all" vs "~all". I thought I was supposed to use the "-all" because ONLY ns.pixel8.com would be sending this outgoing mail. Mike
Bruce Barnes Replied
I manually created the record, so it should work. The quotes, required by other DNS editors / servers, are for entry into the DNS Server interface, and not transmitted across the network. Different DNS servers have different requirements, and it's easy to get confused. Make certain you have at least two, and they are properly listed as the servers at your Domain registrar. You will also need to make certain they are on two separate, physical, networks, you designate one as the PRIMARY, and all others as SECONDARY, making your DNS changes only to the primary DNS. The primary will auto-update all secondaries. Good luck.
Michael Graveen Replied
Thanks Bruce!
I still have a question on using -all vs ~all.  Isn't it better to use -all if I know for sure my outgoing mail is only coming from the single IP address?  I thought using ~all was (soft), or do I have that wrong?
 
Mike
Sterling Kendrick Replied
Mike you are correct. See here: http://www.openspf.org/SPF_Record_Syntax
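To make the two points in this thread concrete (the quotes are an editor delimiter rather than part of the TXT data, and "-all" is a hard fail while "~all" is a soft fail), here is an added worked example; it is not code from the thread or from any of the tools mentioned. It strips editor quotes, parses the record into qualifier/mechanism/argument terms, lints it, and evaluates a sender IP against the record. DNS answers come from a constructed in-memory table (FAKE_DNS) rather than live lookups, and the records and IP addresses are sample values taken from, or modelled on, the thread.

```python
import ipaddress

# Constructed sample records: the record from the thread as it might be pasted
# into a DNS console with quotes, the same record without them, and the
# softfail variant that was generated later in the thread.
SAMPLE_RECORDS = {
    "quoted":   '"v=spf1 mx ip4:173.160.113.129 a:ns.pixel8.com -all"',
    "unquoted": 'v=spf1 mx ip4:173.160.113.129 a:ns.pixel8.com -all',
    "soft":     'v=spf1 a mx ptr a:ns.pixel8.com ip4:173.160.113.129 ~all',
}

# Constructed stand-in for DNS answers; no network lookups are performed.
# Hypothetical data keyed by hostname, modelled on the thread's example.
FAKE_DNS = {
    "A":  {"pixel8.com": ["173.160.113.129"], "ns.pixel8.com": ["173.160.113.129"]},
    "MX": {"pixel8.com": ["ns.pixel8.com"]},
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def strip_txt_quotes(record):
    """Drop the surrounding quotes some DNS editors require around TXT data.
    The quotes delimit the string for the editor; they are not part of the
    record as published, so quoted and unquoted input must parse identically."""
    record = record.strip()
    if len(record) >= 2 and record[0] == '"' and record[-1] == '"':
        record = record[1:-1]
    return record


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples.
    A term without an explicit qualifier defaults to '+' (pass)."""
    terms = strip_txt_quotes(record).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qual, name.lower(), arg))
    return parsed


def lint(record):
    """Return the warnings a reviewer would raise about the record."""
    warnings = []
    terms = parse_spf(record)
    if not terms or terms[-1][1] != "all":
        warnings.append("record does not end with an 'all' mechanism")
    for qual, name, _ in terms:
        if name == "ptr":
            warnings.append("'ptr' is discouraged by RFC 7208 (slow and unreliable)")
        if name == "all" and qual == "~":
            warnings.append("'~all' is softfail: unlisted senders are accepted but marked")
    return warnings


def mechanism_matches(name, arg, domain, sender_ip):
    """Evaluate one mechanism against the sender IP using the FAKE_DNS table."""
    ip = ipaddress.ip_address(sender_ip)
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return sender_ip in FAKE_DNS["A"].get(arg or domain, [])
    if name == "mx":
        for mx_host in FAKE_DNS["MX"].get(arg or domain, []):
            if sender_ip in FAKE_DNS["A"].get(mx_host, []):
                return True
        return False
    # ptr, include, exists and others are not evaluated in this illustration.
    return False


def check_sender(record, domain, sender_ip):
    """Return the SPF result for sender_ip: the qualifier of the first matching
    mechanism, or 'neutral' when nothing (not even 'all') matches."""
    for qual, name, arg in parse_spf(record):
        if mechanism_matches(name, arg, domain, sender_ip):
            return QUALIFIERS[qual]
    return "neutral"


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(label, lint(rec),
              check_sender(rec, "pixel8.com", "173.160.113.129"),
              check_sender(rec, "pixel8.com", "203.0.113.5"))
```

Running it shows the quoted and unquoted records parsing to the same terms, the authorised address passing under both records, and an unlisted address receiving "fail" under "-all" but only "softfail" under "~all", which is the distinction Mike was asking about. The linter also flags the "ptr" mechanism in the generated record, since RFC 7208 advises against it.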
