Export (0) Print
Expand All

Configuring DNS, MX, and SPF Records and Settings

 

Topic Last Modified: 2013-05-09

The information in this topic will help you determine how best to manage your DNS, MX, and SPF records and settings while configuring and using the Forefront Online Protection for Exchange (FOPE) service.

When you subscribe to the FOPE service, the recommended method for validating your domain is to add a TXT record to the domain within your domain’s DNS records, or in your ISP domain’s settings. If you add the TXT record to your ISP domain’s settings, note that your DNS provider will still need to handle the creation and modification of your DNS records.

A TXT, or text, record consists of an arbitrary text string that can be attached to a DNS node. This node can have multiple TXT records.

The FOPE service cannot be activated for any domain until after it is validated. The primary method of domain validation is by adding a TXT record for each domain. During the setup process, you will add a TXT record to your domain when validating the domain in the FOPE Administration Center. For instructions on validating and enabling your domain, see Validate and Enable Domains.

The three primary records used for email are Mail Exchanger (MX) records, Pointer (PTR) records, and Sender Policy Framework (TXT) records.

The MX record tells mail systems how to handle mail that is addressed to a particular domain. It tells the sending mail server where to send the mail. To ensure that your FOPE service works well, your MX record should point to mail.messaging.microsoft.com, not to an IP address. This will ensure that mail sent to your domain is relayed to FOPE for filtering.

If your organization has multiple domains for which you receive email, you will need to change the MX record for each domain for which you want the FOPE service to filter mail.

noteNote:
MX record updates can also be used as an alternate method of validating your domain if TXT records are not available for your domain; for more information about this process, see Validate and Enable Domains.

A PTR (Pointer Record) is a record that is used for Reverse DNS. It is the opposite of an A record and is used in Reverse Map zone files to map an IP address (IPv4 or IPv6) to a host name. When you send email to a location it receives your IP address and checks your PTR record to verify that the IP address equals your domain.

Sender Policy Framework is a record that is used to help prevent email spoofing. It allows you to specify all of the IP addresses that you would send mail from in one simple TXT record, and to tell the receiving server to only allow the outbound servers you listed.

The following is an example of a TXT record, with definitions for each portion of it.

 

Format of TXT: “v=spf1 mx ip4:{any server you may also send from IP} include:spf.messaging.microsoft.com ~all”

V=spf1

This is the version of SPF that is being used.

MX

This indicates that you are sending also from everything listed on your MX record.

IP4

This is for any server IP address that you also allow for (not needed for FOPE servers if you included the FOPE SPF record and send only through FOPE).

Include

This parameter includes additional records to allow sending for your domain.

all

all has three switches that it can use:

  1. -: Do not accept any mail from anyone other than listed above; hard-fail.
  2. ~: Do not accept any email that does not come from one of the above; allow but soft-fail the email.
  3. ?: Indicates that there are more servers that may be sending from our domain.

A normal TXT for a client who sends only through FOPE might look like the following example: "v=spf1 include:spf.messaging.microsoft.com ip4:192.168.254.254 -all"

noteNote:
In most cases, we recommend having both the include: and ip4: portions of the SPF record to facilitate mail delivery to your partners and other FOPE customers.

For more information about how SPF records work with the FOPE service and to view additional SPF record examples, see the section titled SPF Record Settings in Best Practices for Configuring FOPE,

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft