Managing SPF and reverse DNS in Exchange Server (Part 1)

If you would like to be notified of when Anderson Patricio releases the next part in this article series please sign up to our Real Time Article Update newsletter.


Exchange Server has been constantly improving itself throughout the years and nowadays the customers can chose between on-premises, cloud or hybrid environments and get the integration working in a matter of minutes using the built-in wizards which make our lives much easier. It does not matter which scenario you have implemented in your company, you still need to work on the SPF and reverse DNS, and in this first article of the series we will focus on the SPF record, starting with a simple introduction and then showing tools to check and configure in your environment.

SPF Records (Sender Policy Framework)…

The SPF (Sender Policy Framework) can be divided in two separate process. The first one is the administrator defining the SPF information on its Public DNS, which are the servers/partners that can send messages on behalf of its domain. The second part is on the side of the SMTP server that receives a message, which should check the SPF record of the receiver to make sure that the message that is being received is from an approved server/service and based on the results an action can be taken, such as receive the e-mail, discard the message or quarantine.

The SPF framework is widely used nowadays and probably you have configured that on your own environment. Microsoft has a wizard to help customers manage their SPF records and on the initial page of the wizard an image explaining how the SPF works (Figure 01).

Figure 01 (This image is courtesy of Microsoft)

If you run the SPF Record Wizard, the third step (Figure 02) will allow the administrator to select which servers/IP, default action and all sort of settings that can be added to a basic SPF configuration, and the result will be an SPF record that can be used on the Public DNS.

Figure 02

Checking SPF…

There are tons of sites to validate DNS records on the Internet, and the author’s preference is to use either the old school nslookup utility or the website

We are going to select a domain for the testing, in this article we are going to use and using we just need to enter and wait for the results (Figure 03). Based on the answer we know that only servers listed as MX records are the ones that can officially send e-mails from that domain.

The special character before the all string at the end of the SPF information tells us what the receiver SMTP server should do in case a message is received from a server that is not identified on the SPF record. Here is quick reference for each character:

  • -all my favourite, only the servers configured on the SPF are the ones that send messages
  • +all even if the server is not listed, the message may be legitimate
  • ~all that is a soft –all, because this message may be valid however it is discouraged by the domain
  • ?all neutral, there is no statement if the message is legitimate or not

Figure 03

If you prefer the old school nslookup utility, then the first step is to use a Public DNS resolver, and we are going to use the one from Google, which is the easiest to remember. Another good thing of using a Public DNS resolver is to avoid a split-brain DNS zone internally giving you the wrong information. Open nslookup on your workstation/server and enter these following commands.


After that, we need to filter the query just for TXT records.

Set type=txt

Then, type the domain name

Because the previous command provided the SPF and as part of the results was that all MX records for that domain are allowed to send messages, then our next logical step was to check which servers are the MX records. The entire list of commands used are shown in Figure 04.

Set type=mx

Figure 04

SPF records with multiple sites and/or vendors...

An SPF record is a TXT record and by definition, each string on the DNS should not have more than 255 characters, although we can create more than one string of 255 characters for the same entry, it will be almost impossible to convince your DNS provider and get that implemented. If you are in a situation where the size of the SPF record is getting close to 255 limits, then a solution is to use the include: clause to get around that limitation.

Using the scenario depicted in Figure 05, where we have several sites with an Exchange Server deployed, and this kind of scenario is common where the remote locations have limited bandwidth. It is also common for them to their own Internet links instead of MPLS/VPN to send messages to the Internet.

Besides of the pain of creating a reverse DNS for each one of the sites, the next logical step is to adjust the SPF record to make sure that all servers that send messages are properly defined in the SPF record.

Figure 05

The SPF record is flexible and we could summarize saying that any server that has an entry of type A on the Public DNS is allowed to send a message for example, and the SPF record could be as simple as v=spf1 a –all. In that scenario each site has an A record entry for their local OWA and the previous SPF suggestion would not be a big deal. However, this approach allows any server that has an A entry to send messages as your domain, and that may be a security issue (even though you still have the firewall to block servers of using 25 port which we are going to discuss later on in this series).

Some environments prefer to be more restrictive and allow only the Public IP of the Exchange Servers, and we can do that using the ip4: clause, it would be something like this: v=spf1 ip4: –all, and that is easy to deploy when you have a few sites.

The limit of 255 characters will impose a challenge to a larger environments where all Public IPs combined will surpass that limit. An option for this kind of scenario is to use the parameter include:<TXT-Record> and add the IPs on that entry (each new SPF will have the same limit of 255) but that increases your range significantly.

In the scenario above, we could create a TXT record for each continent for our company (in this case we are using as an example), something like, and and for each one of those entries we would add the SPF information

v=spf1 ip4:xx.xx.xx.xx ip4:yy.yy.yy.yy ip4:ww.ww.ww.ww ip4:zz.zz.zz.zz –all

Then, on the SPF record we would use, include to reference those previous TT record created:

V=spf1 –all

Looking at the forward lookup zone on the DNS, the results will be similar to figure 06.

Figure 06

If we use to retrieve the information, the first attempt running format will bring just the SPF, and the reason being is that all other TXT entries have a name associated to them (look at the host column on the previous picture). Then, in order to list the information from the other entries, we need to run as shown in Figure 07 (located in the block at the bottom).

Figure 07

Even if you do not have a larger environment the utilization of include: clause could be useful. Some companies ask third-party vendors to send surveys to their employees or customers and all messages sent from that company will have your company’s e-mail address.

To increase the success rate of getting the survey on the end-users mailboxes those third-party companies will ask you to change your SPF record to include their IP address, this way even though they are not sending messages from your mail servers, they want to represent you to the Internet. Using include: parameter we could create beforehand a new TXT record called and keep their IP address for the required time.


In this first article, we covered the basics of SPF and how to use some free tools (Microsoft SPF Wizard, nslookup and to validate the SPF configuration. We also checked how to use include: clauses to support environments with several servers.

If you would like to be notified of when Anderson Patricio releases the next part in this article series please sign up to our Real Time Article Update newsletter.

Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange, CISSP and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at,, and Anderson (Portuguese).

Published by
Anderson Patricio

Recent Posts

Baidu apps expose data of Google Play Store customers

Two apps from Chinese tech giant Baidu that had been available in the Google Play…

5 hours ago

Shining a light on the dark shadow cast by shadow IT

Employees who don’t have the tools to get their jobs done sometimes turn to the…

10 hours ago

Microsoft 365 troubleshooting: Diagnostic tools at your fingertips

Many Exchange Server troubleshooting tools don’t work with Microsoft 365. Fortunately, Microsoft has a bunch…

3 days ago

LSU hospitals latest health system hit by cyberattack

The LSU hospital system has experienced a breach of patient data after a cyberattack as…

3 days ago

Business email compromise cybercrime group members busted

Business email compromise cyberattacks have been on the rise, and now some allegedly prominent players…

4 days ago

Making retail mobile e-commerce apps more secure

Many e-commerce mobile apps are insecure, opening the businesses that use them to severe risks.…

5 days ago