How SBS 2008 Configures Your SPF Record

[Today's post comes to us courtesy of Wayne McIntyre]

As many are already aware, Microsoft and other industry leaders introduced Sender ID filtering to help combat e-mail spam. The concept behind Sender ID filtering is to verify that the host sending an e-mail is authorized to send e-mail for that domain. With Sender ID filtering enabled, the receiving server checks the “mail from” domain’s SPF record to retrieve the list of valid senders for that domain. To learn more about the Sender Policy Framework, see the following document: https://www.microsoft.com/downloads/details.aspx?familyid=D8A174B1-697C-4AEA-9C92-2E70A013C30B&displaylang=en

The “Setup Your Internet Address” wizard in SBS 2008 can configure your SPF record for you if you chose to have SBS 2008 manage your DNS records. An SPF record is a basic “TXT” record in DNS, which SBS configures as v=spf1 a mx ~all. Here is a breakdown of what each portion defines:

  • “v=spf1” defines the version of Sender Policy Framework being used.
  • “a” authorizes the sending machine if its IP address matches any “a” record in DNS for that domain.
  • “mx” authorizes the sending machine if its IP address matches one of the MX hosts for the domain name.
  • “~all” tells the receiver to return a SoftFail for all other IP addresses, as they are not in the permitted set and their use is discouraged.

This configuration is sufficient for most purposes; however, if you use a SmartHost, the SPF record generated by SBS should not be used, as it will not contain the information for your SmartHost's sending servers. You must manually create the SPF record with your DNS provider AND make one of the following changes to your SBS server.

A. Create the following registry key. This registry key configures SBS to bypass generation of the SPF record as part of its DNS management.

HKLM\Software\Microsoft\SmallBusinessServer\Networking\Services
Name: SkipTXTConfig
Type: DWORD
Value: 1

B. Use the IAMW to configure SBS to not manage your DNS records. Option A is the preferred option.

To create your own customized SPF record, we recommend you use the SPF Record Wizard below, which asks you a series of questions and then configures your SPF record based on your responses.

https://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
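
The following added example (not part of the original post and not SBS code) evaluates the SBS default record and a customized record against a SmartHost's sending address, using a reduced subset of SPF (the a, mx, ip4 and all mechanisms only). The domain name, DNS data, IP addresses and the ip4 range for the SmartHost are constructed for illustration.

```python
import ipaddress

# Constructed DNS data for a hypothetical domain (documentation address ranges).
DNS_A = {"contoso.example": ["203.0.113.10"], "mail.contoso.example": ["203.0.113.11"]}
DNS_MX = {"contoso.example": ["mail.contoso.example"]}
SMART_HOST_IP = "198.51.100.25"  # constructed: the relay that actually delivers the mail

SBS_DEFAULT = "v=spf1 a mx ~all"                 # record described in the post
CUSTOM = "v=spf1 a mx ip4:198.51.100.0/24 ~all"  # assumed SmartHost range added by hand

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def matches(mech, domain, ip):
    """Return True if one mechanism authorizes the connecting IP address."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "a":
        return str(ip) in DNS_A.get(arg or domain, [])
    if name == "mx":
        hosts = DNS_MX.get(arg or domain, [])
        return any(str(ip) in DNS_A.get(h, []) for h in hosts)
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"mechanism not handled in this example: {mech}")

def check_spf(record, domain, sender_ip):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"  # no usable SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if matches(mech.lower(), domain, ip):
            return QUALIFIERS[qualifier]
    return "Neutral"  # nothing matched and the record has no "all"

if __name__ == "__main__":
    for label, record in (("SBS default", SBS_DEFAULT), ("customized", CUSTOM)):
        for ip in ("203.0.113.10", "203.0.113.11", SMART_HOST_IP):
            print(f"{label:12} {ip:15} {check_spf(record, 'contoso.example', ip)}")
```

With the default record, mail relayed through the SmartHost falls through to “~all” and is reported as SoftFail, while the customized record authorizes it.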