How to setup SPF, DMARC and DKIM for Exchange.

Since years there are some extra “settings” you can set to make sure your email does not get tagged as SPAM, as the other party can check if the email comes from a legitimate source.

There are some things you can do to make sure your email does not get tagged as SPAM:

  • Do not get blacklisted.
  • Make sure your server is not an open relay.
  • Setup an Sender Policy Framwork (SPF)
  • Setup a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy
  • Setup DomainKeys Identified Email

 

In the coming blogs I will write about how to setup SPF, DKIM and DMARC for an exchange system.

serveimage

(SPF) Sender Policy Framework.

The Sender Policy Framework is published in 2006 by the IETF and made a standard in 2014. Originally called Sender Permitted From. The framework is setup to minimize the amount of spam coming in. In the SPF record you create you let the receiver end know from which ip-address or range of ip-adresses email sent by your organization can originate from. If the sending host is not in the SPF record, receiving mailservers can block the mail completely or mark it as spam.

An SPF record is setup in your DNS. It’s a TXT record.

There are lots of sites on the internet that test your spf record, lets have a look at our (Netflex.nl) SPF record:

v=spfl include: netblocks.mimecast.com include:spf.protection.outlook.com include:spf.exclaimer.net -all Prefix Type version include include include all Value s Pfl netblocks_mimecast.com Prefix Desc Pass Pass Pass Fail Description The SPF record version The specified domain is searched for an •alloW_ The specified domain is searched for an •alloW_ The specified domain is searched for an •alloW_ Always matches. It goes at the end of your record. (From http://mxtoolbox.com/spf.aspx)

The first part of the spf record indicates the version of SPF: spf1

Then there are some includes, these are the domains that are searched for an allow when an email is accepted by a foreign server. The last option is -all, ?all or ~all depending if the email should:

Pass (+all)

Fail (-all)

SoftFail (~all)

Neutral (?all)

Result

Explanation

Intended action

Pass

The SPF record designates the host to be allowed to send

accept

Fail

The SPF record has designated the host as NOT being allowed to send

reject

SoftFail

The SPF record has designated the host as NOT being allowed to send but is in transition

accept but mark

Neutral

The SPF record specifies explicitly that nothing can be said about validity

accept

None

The domain does not have an SPF record or the SPF record does not evaluate to a result

accept

Our spf record is pretty strict and fails every email that does not fall in any of the includes. If you set up a spf record for the first time and do not know if every domain is accounted for in the spf record, you can set the qualifier to a setting that is less strict.

One of the best ways to create a good spf record for your environment is to check which sites sent mail for your domain, and then use a spf calculator, like the one on www.spfwizard.net

When you have created a well-defined spf record, go to your hosting provider and create a TXT record on their server with the appropriate settings.

To test your spf record you can use:

http://www.kitterman.com/spf/validate.html

I will discuss DKIM in my next blog.

SharePoint

Do you need to enter your mail-address every time you go to Sharepoint? Not anymore!

When ADFS is deployed and users are browsing to sharepoint online without configuring auto-acceleration users are required to provide their username before the can enter their Sharepoint environment.

Continue Reading

powershell

Show Active Directory Group Membership

Sometimes it could be handy to save all members of an AD group to a text file.
This simple script will display all members of an Active Directory group on screen and mail the result to the logged in user (user@domain.com) if desired.

Continue Reading

powershell

Copy Active Directory user group membership

Sometimes when a new user is added to a team he or she needs all, or a selection of the Active Directory groups his colleagues are member of. Unfortunately, this can’t be done with the native Active Directory tools. To overcome this, I made a Powershell script to (selectively) copy Active Directory user group membership from one user to another.

Continue Reading

powershell

Monitor File Cluster Resources

When a (file) cluster resource failover occurred it is not always desirable to do an automatic failback (you probably would investigate the reason for the failover before performing a failback of the resources). Because of this I have created a Powershell script for use with file clusters to monitor file cluster resources, it works pretty much like the Powershell script I made for monitoring Exchange Database failovers (https://netflex.nl/exchange-database-activation-preference ).

The Powershell script monitors the preferred owner of a resource. In the event the Powershell script detects a resource is not running on the preferred owner, the Powershell script will send an email alert to a predefined recipient.

Continue Reading

windowsserver

Migrate DHCP from Windows Server 2008 R2 to Windows Server 2012 R2

This blog provides information on how to migrate your Windows Server 2008 or Windows Server 2008 R2 DHCP server to Windows Server 2012 R2.

First, to be on the save side, create a backup of the Windows Server 2008 (R2) DHCP configuration and save it to disk. Now the backup is in place inventory your DHCP relay configuration, you will need this information later.

Continue Reading

groupwise2014

Micro Focus has released GroupWise 2014 R2

This week Micro Focus has released its new version of GroupWise, GroupWise 2014 R2

This version of GroupWise which builds further on GroupWise 2014 setting, will support IMAP, CardDav and CalDav protocols.

The support for these protocols means that Mac users can now access GroupWise via their native Mac OS Mail, Calendaring and Addresbook software. Which is great, because there was no official Mac client available since GroupWise 7!

Continue Reading

domain-controller

Access is denied at domain controller login

Issue

Today I came across a weird issue. When logging on to a Domain Controller (2008 R2) I was presented an ‘Access is denied’ error. Weirdly enough this happened after the authentication took place.

There were no related events to be found in the event viewer. Looking at the domain controller policies and running tools like dcdiag/nltest (using psexec) didn’t provide any clues either.

Continue Reading

office365

Turn off ADFS for o365 when ADFS servers are not reachable.

When there is a problem with your ADFS server(s) or your internet connection, there is no authentication possible on ADFS. Users are not able to login to their mail, use Skype For Business or Sharepoint.

When this happens, it is good to know there is an easy way to turn federation off and on again in powershell without requiring a connection to the ADFS server.

Before you start, make sure you had password sync enabled on the AAD Connect server. If not, you will have to set a new password for every user after disabling federation. Continue Reading

oes15

Micro Focus has released Open Enterprise Server 2015, no Novell Client needed!

With the release of Open Enterprise Server 2015 by Micro Focus (formerly Novell inc), Micro Focus is giving customers more choice and flexibility through support for AD and increased storage capabilities. Continue Reading

Scroll to Top