Using the Sender Policy framework with Exchange SP2

Sender Policy Framework (SPF) is a type of DNS record created to help stop Spam. A lot of anti-spam filters include a filter to look for SPF records and if they are forged, block the messages. The easiest way to describe SPF is to call it a reverse MX record. If a spammer sends an email from xyz@domain.com and your mail server does a reverse DNS check and domain.com is a valid domain, it will accept the mail and deliver it to the recipient’s inbox. SPF aims to stop this by checking the MX records of domain.com and verifying that the email was sent from that server. Lets look at this a little closer.
When a valid user at domain.com sends an email, thelazyadmin.com accepts the message and pulls up the MX records and SPF record. If the IP address of the originating mail server is one of the mail servers IPs listed in domain.com MX records then the mail is delivered to the recipient’s inbox. Now, when an email is sent by a spammer that has forged the envelope address to look like it is coming from domain.com, the IP address of the originating mail server will not match the MX records and the message can be blocked or tagged as possible Spam, depending on your Spam filters configuration. So if I send an email, and the SPF check passes, you can be sure that the email is coming from my mail server.
Exchange 2003 SP2 enables SPF lookups with what Microsoft calls SenderID. Let’s first go over creating an SPF record, and then we will get into enabling this feature. To create an SPF record on a Windows DNS server is pretty easy, and if you run BIND, it’s just as easy. Open up the DNS Management MMC and drill down to your Forward Lookup Zone. Right-click and select Other New Records.


From the list of available resource record types, select Text (TXT) and then click Create Record.

>
Enter the following text into the Text field:
v=spf MX –all

Click Ok when you are done and the SPF record will be created.


Now you might be asking what the hell that means :) Well...
- v=spf identifies the record as a SPF record
- MX specifies that all MX records can send from this domain
- -all SPF queries that do not match will not fail, however depending on the recipients filtering rules, it may still get filtered.

The SPF project hosts a wizard that will help you create a SPF record and you can find it at http://www.openspf.org/wizard.html
Now, most admin’s I know don't use Windows DNS for their external records. I for one have my external DNS hosted with my domain registrar and they use BIND. If you are using BIND for your external DNS enter the following to create an SPF record.
domain.com. IN TXT "v=spf1 mx ~all"
Now with the SPF record created, enabling this in Exchange 2003 SP2 is a snap. Open up Exchange System Manager and drill down to Servers | ServerName | Protocols | SMTP and open up the properties page for Default SMTP Virtual Server. Next to the IP Address (or All Unassigned) box click on Advanced. Select the IP address and click Edit. On the Identification window, check the box next to Apply SenderID Filter.

Restart the SMTP Virtual Server and the SenderID Filter will become active.