Sender ID DNS Record – Original Posted May 3, 2005

I finally ran into my first email failure because of Sender ID Framework (SIDF) DNS records. I was wondering if anyone had implemented SIDF because I haven’t had any problems before. At least, I have not had problems that I was aware of at the time.

SIDF is a combination of Microsoft Caller ID and Sender Policy Framework (SPF). SIDF is implemented on both the sending and receiving sides of email. The sender is responsible for maintaining DNS records; the SIDF records are published as TXT records in DNS. The receiver side must have an email server that checks for SIDF records in DNS. Currently, I have no plans to configure my receiving email server for SIDF. I may change my mind later, though.

Basically, when you send email to somebody who uses SIDF, the absence of a record is not necessarily going to stop your email from going through, but it does increase the chances that it will be misidentified as spam, because the SIDF result is factored into the confidence scoring of the message. I am guessing it is possible to configure spam rules to make a final decision on whether an SIDF record exists, but I doubt many people would implement it that way as it would lead to a very high number of false positives.

Microsoft sponsors a website to help you create the proper TXT records in DNS for the email systems you might send email to now and in the future. Go to http://www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx and use the web wizard there to create the proper DNS record. The wizard uses a four-step process.

  1. You enter your email domain name. For example, my email domain name is exchangemct.com, so I enter exchangemct.com and click the Start button.
  2. The wizard does a quick search of DNS and tries to find the host and MX records for your email server. Verify that it is correct and click Next.
  3. Step 3 provides for several decisions and entries:
    1. Domain Not Used for Sending Email – check this box if you don’t send email using your domain name. Of course, why in the world would you be creating this DNS entry if you don’t need it?
    2. Inbound Mail Servers Send Outbound Mail – in this section you can check the box to configure your DNS records for a single domain name, or you can manually enter multiple domain names.
    3. Outbound Mail Server Addresses – you can have the record cover a specific IP address or all potential outbound server addresses. You can also manually configure multiple IP addresses.
    4. Reverse DNS Lookup – if the PTR record for your IP address points to your actual domain, you can check the box here. In my case, it points to a different name so I have to enter the domain name in the box provided.
    5. Outsourced Domains – you can manually enter the information for an outsourced SMTP server if needed in this section.
    6. Default – this is where you set how receivers should treat mail from servers not listed above. The choices are:
      • Yes – it is possible that legitimate email may come from other servers.
      • No – email should only come from the specified IP address(es).
      • Neutral – the mail may or may not be legitimate.
      • Discouraged – the mail may be legitimate if it comes from other servers, but it should come from the address(es) specified.
    7. Scope – you can select whether the receiver can use the IP address info, the MAIL FROM header info, or both.
    8. Click Next when done entering the info.
  4. The last step gives you the entry that you can make in your DNS to support SIDF.

Of course, you can also create the record by hand with the Microsoft DNS management tools: select Other New Records, choose the Text (TXT) record type, and enter the line the wizard produced in step 4, or type it in yourself.

To test it, you can use nslookup, set type=txt, and query the domain name.

The result of my use of the tool gives me this txt entry:

v=spf1 mx ip4:69.3.78.174 ptr:covad.net mx:exchangemct.com mx:kaufmann.us -all

It seems to work well, as near as I can tell. As you can see, my two domains are exchangemct.com and kaufmann.us, and the PTR will point to a covad.net IP address as I lease my IP from them. It is pretty slick stuff.
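To show what a receiving server actually does with the record above, here is an added example (not code from the original post or from Microsoft's tool): a small evaluator that parses the v=spf1 TXT string and tests a sending IP against each mechanism in order. Live DNS is replaced with constructed data (the covad.net host names and the .175 address are invented; the .174 address is the one from the post), and the parser deliberately rejects a non-ASCII qualifier such as an en dash in front of "all", a copy/paste defect that makes a published record invalid.

```python
import ipaddress
import re
# Constructed DNS data standing in for live lookups (the covad.net host names
# and the .175 address are made up; .174 is the address from the post).
FAKE_DNS = {
    "mx": {"exchangemct.com": ["mail.exchangemct.com"], "kaufmann.us": ["mail.exchangemct.com"]},
    "a": {"mail.exchangemct.com": ["69.3.78.174"], "h-69-3-78-174.covad.net": ["69.3.78.174"],
          "h-69-3-78-175.covad.net": ["69.3.78.175"]},
    "ptr": {"69.3.78.174": ["h-69-3-78-174.covad.net"], "69.3.78.175": ["h-69-3-78-175.covad.net"]},
}
POST_RECORD = "v=spf1 mx ip4:69.3.78.174 ptr:covad.net mx:exchangemct.com mx:kaufmann.us -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"([+\-~?]?)(all|ip4|ip6|a|mx|ptr|include|exists)(?::(.+))?")

def parse_spf(record):
    """Split a v=spf1 TXT string into (qualifier, mechanism, argument) terms.
    Only the ASCII qualifiers + - ~ ? are accepted, so a copy/paste en dash
    ('–all') is rejected instead of silently publishing a broken record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"malformed term: {term!r}")
        parsed.append((m.group(1) or "+", m.group(2), m.group(3)))
    return parsed

def evaluate(record, sender_ip, domain, dns=FAKE_DNS):
    """Return pass/fail/softfail/neutral for sender_ip; the first matching term wins."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(target, strict=False)
        elif mech == "a":
            matched = str(ip) in dns["a"].get(target, [])
        elif mech == "mx":
            matched = any(str(ip) in dns["a"].get(h, []) for h in dns["mx"].get(target, []))
        elif mech == "ptr":  # PTR name must sit under target and resolve back to the IP
            matched = any(n.endswith("." + target) and str(ip) in dns["a"].get(n, [])
                          for n in dns["ptr"].get(str(ip), []))
        else:
            matched = False  # include/exists need recursive lookups; not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no term matched and the record has no 'all' term
```

Because the terms are evaluated left to right, the bare mx term already passes the post's own mail server, and the ptr:covad.net term is what lets a host under the leased covad.net reverse zone pass when its PTR name resolves back to the same address.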

Updated 7/25/05: Thanks to Jim McBee, I found that you can use check-auth@verifier.port25.com to test your Sender ID record. The response will tell you the status of your record.

This entry was posted in Exchange.
