There have been a couple of times when I needed to re-route external email flow through another gateway, for various reasons. The task itself is not very complicated if you understand how mail flow and domain look-ups work. Regardless of the complexity, though, one small mistake and boom! We have an outage. In every company I’ve worked at, email has been a crucial part of everyday communication, and it needs to be taken seriously.
I wanted to write this post to point out one important piece of the puzzle: properly configured DNS zones, more specifically the MX and SPF records. To receive email from the outside, we have to have the correct MX records in place; when we re-route inbound mail flow, we need to update the MX records so they point at the new gateways. Because resolvers cache the old answer for the record’s TTL, it pays to lower the TTL on the MX records well before the cutover so the change propagates quickly. In some environments the MX and SPF records are hosted in the cloud; in others they live in a DNS zone in the DMZ (perimeter network) that the organization maintains itself. That zone sits in the DMZ for an obvious reason: it has to answer queries originating from the internet.
So why is an SPF record important? In any organization, SPAM filtering is very common; after all, no one wants their mailbox filled with unwanted email. Email spoofing is a common technique used in phishing attacks: the email looks like it’s coming from a legitimate source, but in fact it is not. If the user doesn’t thoroughly check the email, they won’t realize and thus fall prey to the attack. One way of battling email spoofing is the SPF look-up. The receiving SPAM filter takes the domain of the envelope sender (the MAIL FROM / Return-Path address, which is not necessarily the From: header the user sees), fetches that domain’s SPF record from DNS, and checks whether the IP address that delivered the message is one the record authorizes. If it is, the email is accepted and passed on to the Exchange servers; if it is not, the email is rejected, quarantined or tagged as spam, depending on the record’s qualifier (-all for a hard fail, ~all for a soft fail) and the filter’s policy. In other words, the SPF record defines which IP addresses (hosts) are allowed to send email for a given domain.
Here’s a diagram from Microsoft that depicts the step-by-step process of email validation:
When we re-route outbound email through another gateway, our messages start arriving at other organizations from IP addresses that are not in our SPF record (and if the record uses the mx mechanism, changing the MX records changes what it authorizes as well). To the recipient’s SPAM filter that looks exactly like a spoofing attack. So, a huge tip here: add the new gateway’s addresses to your SPF record before making any changes, and give the record time to propagate before you cut over! Also, if you notice that external organizations are bouncing your emails due to spoofing false positives, adding or correcting the SPF record could solve that problem.
There are a couple of tools you can use to validate such changes. If you’re creating the SPF record, validate it and make sure you have the correct formatting: one little dot or a missing character will invalidate the record. A record can also be syntactically fine yet still fail evaluation because it needs more than the 10 DNS look-ups that RFC 7208 allows, which happens easily when several include: entries are stacked, so check that count too. Take a look at the SPF Record Testing Tool. MX Tool Box is also a good tool for looking up the MX records and validating that all is properly configured.
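To make the three points above concrete (what the receiver’s SPF look-up actually does, why mail from a new gateway fails until the record is updated, and what the record testers check), here is an added example that is not part of the original post or of any tool it mentions. It is a miniature SPF evaluator running over a constructed in-memory zone instead of real DNS; every domain name and IP address in it is made up for the demonstration, and it covers only the common mechanisms (ip4, ip6, a, mx, include, all), not the full RFC 7208 syntax.

```python
"""Added example, not from the original post: a miniature SPF checker over a
constructed in-memory zone. All names and addresses are made up."""

import ipaddress
import re

# Constructed zone data (an assumption standing in for real DNS): name -> type -> values.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.10 -all"],   # current record: old gateway only
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.10"]},       # old gateway
    "_spf.gateway.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},  # new gateway's range
}

MAX_DNS_LOOKUPS = 10          # RFC 7208 section 4.6.4 limit on DNS-querying terms
DNS_MECHS = {"a", "mx", "include"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Supported subset of SPF syntax: optional qualifier, mechanism, optional ":argument".
TERM_RE = re.compile(r"^([+\-~?]?)(all|ip4|ip6|a|mx|include)(?::(.+))?$")


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.
    Raises ValueError on a malformed record (the 'one missing character' case)."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for raw in parts[1:]:
        m = TERM_RE.match(raw.lower())
        if not m:
            raise ValueError(f"unrecognised term {raw!r}")
        qual, mech, arg = m.group(1) or "+", m.group(2), m.group(3)
        if mech in {"ip4", "ip6", "include"} and not arg:
            raise ValueError(f"{mech} needs an argument: {raw!r}")
        if mech == "all" and arg:
            raise ValueError(f"all takes no argument: {raw!r}")
        terms.append((qual, mech, arg))
    return terms


def validate(record):
    """Return a list of problems with a record; an empty list means it is usable."""
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    lookups = sum(1 for _, mech, _ in terms if mech in DNS_MECHS)
    if lookups > MAX_DNS_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {MAX_DNS_LOOKUPS}")
    if terms[-1][1] != "all":
        problems.append("no trailing 'all' term, unlisted senders get 'neutral'")
    return problems


def check_host(ip, domain, zone=ZONE, _lookups=None):
    """SPF check_host(): result for a connection from `ip` whose envelope sender is in `domain`.
    Returns one of pass, fail, softfail, neutral, none, permerror."""
    lookups = _lookups if _lookups is not None else [0]   # shared across include: recursion
    ip = ipaddress.ip_address(ip)
    records = [r for r in zone.get(domain, {}).get("TXT", []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:                  # RFC 7208: exactly one SPF record, otherwise permerror
        return "none" if not records else "permerror"
    try:
        terms = parse_spf(records[0])
    except ValueError:
        return "permerror"
    for qual, mech, arg in terms:
        if mech in DNS_MECHS:
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
        try:
            if mech == "all":
                matched = True
            elif mech in {"ip4", "ip6"}:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = str(ip) in zone.get(arg or domain, {}).get("A", [])
            elif mech == "mx":
                mx_hosts = zone.get(arg or domain, {}).get("MX", [])
                matched = any(str(ip) in zone.get(h, {}).get("A", []) for h in mx_hosts)
            else:  # include: only a "pass" from the included domain counts as a match
                matched = check_host(str(ip), arg, zone, lookups) == "pass"
        except ValueError:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"   # fell off the end without an "all" term


def reroute_outcome(new_gateway_ip="198.51.100.25"):
    """Result receivers see for mail from the new gateway before and after the SPF update."""
    before = check_host(new_gateway_ip, "example.com")
    updated = dict(ZONE)
    updated["example.com"] = dict(ZONE["example.com"],
                                  TXT=["v=spf1 mx ip4:203.0.113.10 include:_spf.gateway.example -all"])
    after = check_host(new_gateway_ip, "example.com", updated)
    return before, after


if __name__ == "__main__":
    print("old gateway:", check_host("203.0.113.10", "example.com"))
    print("new gateway before/after SPF update:", reroute_outcome())
    print("typo check:", validate("v=spf1 ip4:203.0.113.10 -al"))
```

Run as-is, the old gateway gets `pass`, the new gateway gets `fail` against the current record and `pass` once the include: for the gateway provider is added, and the record with `-al` instead of `-all` is reported as malformed. Because the constructed record uses the `mx` mechanism, swapping the MX target in the zone also changes which hosts it authorizes, which is the effect the paragraph above describes; the `validate` function flags the two problems the online testers catch most often, a syntax error and more than 10 DNS-querying terms.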
Now, not every environment has an SPF record in place today, but any domain that sends mail to the internet benefits from one, and it’s good to know what an SPF record is used for in case we have to troubleshoot SPAM-filtering issues in the future.