I am a newbie at Exchange hybrid configuration. I am struggling when I try to find an answer for the situation below.

We have an Exchange Hybrid system and use Messagelab as the smart host for spam filtering. When checking the SPF configuration, I see a weird thing:

  • on public DNS, SPF is configured as v=spf1 include:spf.messsagelab.com -all

  • on O365 -> Domain, SPF is configured as v=spf1 include:spf.protection.outlook.com -all

I suspect the configuration should be the same on both public DNS and O365. Am I right to say that?

Esa Jokinen
Khoa Trunh

3 Answers

SPF lists hosts that are allowed to send email from the domain. The public DNS of your domain should include all the servers and services you wish to use for sending email. For general information, please read How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing

If you use Messagelab for outgoing email, you should have it listed in SPF on public DNS, i.e. include:spf.messsagelab.com. If all mail from Office 365 is supposed to go through Messagelab first, you don't need to have include:spf.protection.outlook.com.

In both cases it should be safe to have them both listed:

v=spf1 include:spf.messsagelab.com include:spf.protection.outlook.com -all

Please notice that the -all will cause an SPF hard failure, meaning the messages can get rejected instead of just being marked as spam, as SOFTFAIL would do if you had ~all there instead.

If you only use Messagelab for incoming mail, you need to have spf.protection.outlook.com included. Then, you need to disable SPF checks on Office 365 (as it is already done on Messagelab):

  1. Office 365 Admin > Exchange admin center > protection > spam filter
  2. Edit Default > advanced options > Mark as Spam > SPF record: hard fail: Off

and/or whitelist Messagelab (as it will not be listed as permitted sender for the domain you are checking):

  1. Office 365 Admin > Exchange admin center > protection > connection filter
  2. Edit Default > connection filtering > IP Allow list
Esa Jokinen

On Office365 they are telling you what the SPF record should be - the only one that matters is what is on public DNS.

The answer depends on how you are routing your outbound email. If you have outbound email going from Office365 for all users then you need to change the record to be only the Microsoft SPF record. If you have everything going out via Message Labs only then leave things alone. If it is a mixture, depending on where the user is, then you will need both.

Sembee
  • how would he use both, please add to your answer. (the number of times I see perm fail due to duplicate txt records...) – Jacob Evans Apr 01 '17 at 18:53
  • You combine the information of the two records in to one as already demonstrated above. – Sembee Apr 02 '17 at 08:40
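Added example, not code from any of the answers above: a small Python script that flags the duplicate-SPF-record permerror Jacob Evans mentions, merges two SPF records into one as Esa Jokinen and Sembee describe, and explains what the -all versus ~all qualifier does to unlisted senders. The TXT record sets are constructed sample data; the script performs no DNS lookups.

```python
"""Check a TXT record set for SPF problems and merge several SPF records into one.

All inputs below are constructed sample data; nothing here queries live DNS.
"""

# What the qualifier on the final 'all' term means for senders not listed in the record.
QUALIFIERS = {"+": "pass", "-": "fail (hard fail: receivers may reject the message)",
              "~": "softfail (message is typically accepted but marked as spam)",
              "?": "neutral"}

# Constructed sample TXT record sets for illustration only.
SAMPLE_TXT = {
    # Two separate v=spf1 records on one domain: RFC 7208 requires a permerror result.
    "two-records.example": [
        "v=spf1 include:spf.messagelabs.com -all",
        "v=spf1 include:spf.protection.outlook.com -all",
    ],
    # One combined record next to an unrelated TXT record: valid.
    "merged.example": [
        "v=spf1 include:spf.messagelabs.com include:spf.protection.outlook.com ~all",
        "site-verification=placeholder",
    ],
}


def spf_records(txt_records):
    """Return only the TXT strings that are SPF version 1 records."""
    return [t for t in txt_records if t.lower().split(" ", 1)[0] == "v=spf1"]


def check_spf(txt_records):
    """'none' (no SPF record), 'permerror' (more than one v=spf1 record) or 'ok'."""
    count = len(spf_records(txt_records))
    return "none" if count == 0 else "permerror" if count > 1 else "ok"


def parse_spf(record):
    """Split a v=spf1 record into its mechanism terms and the qualifier of 'all'."""
    terms, all_qualifier = [], None
    for term in record.split()[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            terms.append(qualifier.replace("+", "") + body)  # keep explicit -/~/? prefixes
    return terms, all_qualifier


def merge_spf(records, all_qualifier="-"):
    """Combine the mechanisms of several SPF records into a single deduplicated record."""
    merged = []
    for record in records:
        merged.extend(t for t in parse_spf(record)[0] if t not in merged)
    return " ".join(["v=spf1", *merged, all_qualifier + "all"])


def describe_all(record):
    """Explain how the record's 'all' qualifier treats senders it does not list."""
    return QUALIFIERS.get(parse_spf(record)[1], "no 'all' term: unlisted senders are neutral")
```

Publishing the merged record as the single v=spf1 TXT entry in public DNS avoids the permerror that two separate records produce.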
If both environments are allowed to send mail externally, you will need to modify your public SPF records to: v=spf1 include:spf.messagelabs.com include:spf.protection.outlook.com -all

cmdrgod