SPF entry Configuration, Setup, and Verification

About this article

For the Email Signature Server to work without interruptions, or email delivery issues, the SPF entry on the DSN records must be configured.

The correct SPF value must be added to the SPF entry of the DNS record of each domain used as a sender in the Exchange subscription.

• Templafy-hosted Certificate-based implementations (ESS versions >= 0.2.4.x)
• Templafy-hosted IP-based implementations (ESS versions < 0.2.4.x)
• Client-hosted IP-based implementations (all ESS versions)
• Validation
• Troubleshooting

Requirements

 If an email sent by a@domain.com goes through the mail flow rule, the domain needs the SPF record.

 If emails sent through a domain should never get a signature, then those should either be filtered out in the rule, or the SPF record has to be set on these domains as well.

 Always use inclusion rules for mail flow.

 When a new domain is added to the Exchange subscription it needs first get its SPF set before adding it to ESS mail flow rule inclusion list.

Templafy-hosted Certificate-based implementations (ESS versions >= 0.2.4.x)

The IP list is automatically handled and managed by the deployment. All IPs for a cluster are included in one DNS entry.

• Based on the region, add to the SPF entry of each email sending domain's DNS record.

   

  APAC/Australia based cluster:

  include:essaue0.templafy-ess.com

   

  EMEA/Europe based cluster:

  include:essprod0.templafy-ess.com

   

  NA/USA based cluster:

  include:essuse0.templafy-ess.com

Templafy-hosted IP-based implementations (ESS versions < 0.2.4.x)

• Add the public IP of the Load Balancer (outbound IP for the cluster) to the SPF entry of each sending domain's DNS record.

   

  To get the IP address of the related cluster, you can consult the Inbound connector from Exchange Admin center, otherwise, submit a support request.

   

Client-hosted IP-based implementations (all ESS versions)

Depending on the implementation, they can choose either their Load Balancer IP or DNS-based SPF records. To create a DNS-based record add a TXT record in your DNS zone.

   Name: any name that would help them identify the SPF entry. E.g. templafy
   Type: TXT
   TTL: 3600
   Value: v=spf1 ip4:123.456.7.89 ~all -> replace IP with the real one.

Validation

SPF validation is required. A good tool for validating it is https://www.spf-record.com/spf-lookup .

Troubleshooting

SPF entry max length.

The SPF should have at most 255 characters. For cases in which the length is exceeded, the entry needs to be split into multiple valid SPF strings. Reference: link 

"v=spf1 ip4:123.......... ... ip4:123... include:essprod0.templafy-emailsignatureserver.com" => 260 characters. 
Then, the SPF checkers will automatically split after 255 characters, resulting in:
"v=spf1 ip4:123.......... ... include:essprod0.templafy-emailsignatu" "reserver.com"
This would break the entry for our SPF record.

Correct approach:
"v=spf1 ip4:123.......... ... ip4:123..." " include:essprod0.templafy-emailsignatureserver.com" 240 characters + the rest
Split before the definition starts.

Too many lookups.

SPF can perform at most 10 recursive lookups. Even though our SPF entry requires only one, the SPF verification process might fail on another SPF entry. As the validation is done in the order they are written, we recommend always having the mail sending sensitive SPF records first: Templafy and Outlook.