Connect Application: Implementing SPF for Outbound Email Delivery

Document created by user.oxriBaJeN4 Employee on Apr 14, 2016. Last modified by user.oxriBaJeN4 Employee on Nov 9, 2016.
Version 6

Applies To...

 

This page applies to new clients connecting with Mimecast using the Connect Application. If you are not using the Connect Application, click here.

 

Implementing SPF for Outbound Email Delivery

 

Sender Policy Framework (SPF) is an open standard for email authentication. It validates the connecting IP address by looking up the SPF / TXT record in DNS for the domain in the envelope MAIL FROM or HELO/EHLO. By adding our _netblocks.mimecast.com entry to your SPF / TXT record, you ensure we are allowed to send mail for your domain name.

Mail Transfer Agents (MTAs) can verify SPF for inbound emails if the sender publishes the corresponding DNS entries in their domain records.

To ensure a successful implementation of SPF with Mimecast, include a comprehensive list of our outbound IP addresses in your DNS SPF record. This is a long list (24 distinct IPv4 ranges at the time of writing) and new ranges may be added in the future without notice. However, you can ensure your record is always up to date by including the "_netblocks.mimecast.com" statement.

 

Some typical examples are suggested below as a starting point for constructing an appropriate record.

 

Scenario: Simple Case
Description: Relaxed configuration for customers who only send external mail for a given domain via Mimecast.
Example: "v=spf1 include:_netblocks.mimecast.com ~all"

Scenario: Strict Case
Description: For customers wishing to implement a strict SPF reject for unmatched requests. We strongly recommend testing with the relaxed syntax first.
Example: "v=spf1 include:_netblocks.mimecast.com -all"

Scenario: Customers with an Existing SPF Record for a Given Domain
Description: If you have an existing SPF record representing a range of possible senders, these examples show how you can include Mimecast as a legitimate sender.
Examples:
  Old: "v=spf1 mx ~all"
  New: "v=spf1 mx include:_netblocks.mimecast.com ~all"
  Old: "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
  New: "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a include:_netblocks.mimecast.com -all"

Scenario: Customers with an Existing SPF Include Record for a Given Domain
Description: In all cases, customers with existing SPF records should review their entries to ensure Mimecast servers are referenced exactly once. Any previous Mimecast references should be removed in favour of _netblocks.mimecast.com. Customers using a domain include mechanism to refer to a DNS entry which already references _netblocks.mimecast.com need take no further action.
Examples:
  Old: "v=spf1 ?include:example.com -all"
  New: "v=spf1 ?include:example.com include:_netblocks.mimecast.com -all"
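
A small linter for the rules in the table above, added here as an example and not Mimecast's own tooling. It checks one SPF TXT value for exactly one Mimecast include, an "all" mechanism in last position, and non-ASCII characters such as a dash pasted from a formatted document, and it inserts the include before "all" when it is missing. The function names are hypothetical, and it inspects only the record text, so it does not follow other includes in DNS.

```python
MIMECAST = "include:_netblocks.mimecast.com"
QUALIFIERS = "+-~?"  # the four SPF qualifiers, all plain ASCII


def _terms(record):
    # Drop the surrounding quotes used in the examples and split on whitespace.
    return record.strip().strip('"').split()


def _name(term):
    # Mechanism without its qualifier: "?include:example.com" -> "include:example.com".
    return term.lstrip(QUALIFIERS).lower()


def lint_spf(record):
    """Return a list of problems found in one SPF TXT value (no DNS lookups)."""
    terms = _terms(record)
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    # Pasting from a formatted document can turn "-all" into an en-dash form.
    problems += [f"non-ASCII character in term {t!r}" for t in terms if not t.isascii()]
    # Simplification (assumption): any term containing "=" is a modifier and is skipped.
    mechs = [_name(t) for t in terms[1:] if "=" not in t]
    count = mechs.count(MIMECAST)
    if count != 1:
        problems.append(f"Mimecast include appears {count} times, expected 1")
    if "all" not in mechs:
        problems.append("no 'all' mechanism found")
    elif mechs[-1] != "all":
        problems.append("mechanisms after 'all' are never evaluated")
    return problems


def add_mimecast(record):
    """Insert the Mimecast include just before 'all' unless already present."""
    terms = _terms(record)
    names = [_name(t) for t in terms]
    if MIMECAST in names:
        return " ".join(terms)
    pos = names.index("all") if "all" in names else len(terms)
    return " ".join(terms[:pos] + [MIMECAST] + terms[pos:])


if __name__ == "__main__":
    # Records taken from the examples on this page.
    for rec in ('"v=spf1 mx ~all"', '"v=spf1 ?include:example.com -all"'):
        fixed = add_mimecast(rec)
        print(fixed, lint_spf(fixed))
```
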

 

Creating the DNS Entry

 

If you wish to implement SPF for your domain, you'll need to create a corresponding TXT DNS record. To check your existing TXT / SPF records, use an available DNS query service. There are many tools for this available on the internet, as well as command-line applications.

By adding our IP Ranges to your SPF/TXT record, you ensure Mimecast is regarded as allowed to send mail carrying your domain name.
