Office 365 Migration Project and the SPF Record

Introduction

There are many items to consider if you are planning an email migration project to Office 365, irrespective of the legacy platform (e.g. Domino, GroupWise, Exchange On-Premise). One of these items is the SPF (Sender Policy Framework) Record.

This article describes:

  • What the SPF Record is
  • Why it is so important for your Office 365 migration project
  • The risks in making mistakes related to it.

This article does not try to add to the technical articles already covering SPF. Feel free to take a look at these in-depth articles for reference:

http://www.openspf.org/ and http://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx

What is an SPF Record – Simple Explanation

The SPF Record is a single public DNS entry in your email domain name zone file. It helps prevent unauthorised email being sent as your email domain name. This is done by the receiving ISP mail servers doing a DNS lookup to see whether an SPF Record exists in your DNS, and whether the host sending the mail is authorised to send that email.

Things to note:

  • If there is no SPF Record, the mail is let through
  • If there is an SPF Record and the sending host is listed, the mail is let through.
  • If there is an SPF Record and the sending host is not listed, the mail may be blocked, or tagged

SPF Records are not mandatory, and it is surprising how many organisations do not have them. For example, without an SPF Record a malicious entity would be able to generate emails purporting to be from your email system. This could be from sales@acmetrucks.com to all your customers.

I recommend all organisations should have a valid SPF Record – they cost nothing, and provide a valuable line of defence against misuse of your email domain name.

Do I have an SPF Record?

Anyone can check if you have an SPF Record.

You can go to this website:  http://www.kitterman.com/spf/validate.html

And in the “domain name” field, enter the right hand part of your email address:

[Image: SPF Record example for Office 365 migration]

Then select “Get SPF Record (if any)”

[Image: SPF Record lookup results for Office 365 migration project]

acmetrucks.com does not have an SPF Record in place, which is not recommended.

If you repeat the check above using my domain name, emailmigrations.com, then you see this result:

[Image: Valid SPF Record example]

This is good news: I have a valid SPF Record.

If you are a CIO and, having done this check, find that you have no SPF Record, then I would be questioning your IT Manager very closely. I am more than happy to help with those questions. My question would be: “Why is an SPF Record not in place, when it is an industry standard, takes an hour to implement, is free, and protects our email domain name from misuse?”

SPF importance for your Office 365 Migration Project

Earlier in this article I said that SPF Records are not mandatory. If you wish to use Office 365 for your email system, then an SPF Record is mandatory! You cannot direct your email MX Record to Office 365 without an SPF Record being in place, at least listing the Office 365 mail host as an entry.

When I consult on an Office 365 email migration project, and ask the customer to give me a list of all the hosts that send mail using their domain name (eg: Unix servers, mass-mailers) they normally go very quiet!

If a customer does not have an SPF Record today, it is easy enough to add the basic SPF Record required to support Office 365. Here it is:

v=spf1 include:spf.protection.outlook.com -all

However, as soon as this is added, any other host that was sending emails (legitimately) for the email domain will have its emails blocked by internet ISP DNS servers – as they are not listed in the SPF Record for that email domain.

If you already have an SPF Record, you need to amend it to contain the required Office 365 entry. Otherwise you will not be able to send emails from Office 365.
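The three outcomes listed under "Things to note", and the effect of publishing the basic Office 365 record on other legitimate senders, can be checked offline before any DNS change. The following is an added example, not code from the original article: check_host, audit, the inventory and the IP ranges are hypothetical, and the record shown under spf.protection.outlook.com is a constructed stand-in for Microsoft's real one.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone, depth=0):
    """Evaluate ip against the SPF record zone holds for domain.

    Handles ip4, ip6, include and all; a, mx, exists and redirect need
    live DNS and never match in this offline sketch.
    """
    record = zone.get(domain)
    if record is None:
        return "none"                  # no record: nothing to check against
    if depth > 10:
        return "permerror"             # include chain too deep or looping
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:    # skip the leading "v=spf1"
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            inner = check_host(ip, value, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"     # a broken include invalidates the record
            matched = inner == "pass"
        else:
            matched = False
        if matched:
            return RESULT[qualifier]
    return "neutral"                   # record ended without a matching term

# Constructed data: documentation IP ranges stand in for real hosts, and the
# record under spf.protection.outlook.com is a stand-in, not Microsoft's.
O365 = {"spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all"}
BASIC = {**O365, "acmetrucks.com": "v=spf1 include:spf.protection.outlook.com -all"}
AMENDED = {**O365, "acmetrucks.com":
           "v=spf1 ip4:192.0.2.10 ip4:203.0.113.77 include:spf.protection.outlook.com -all"}
INVENTORY = {"Office 365": "198.51.100.25", "Unix server": "192.0.2.10",
             "mass-mailer": "203.0.113.77"}

def audit(zone, domain="acmetrucks.com"):
    """Map each inventoried sender to its SPF result under zone."""
    return {host: check_host(ip, domain, zone) for host, ip in INVENTORY.items()}

if __name__ == "__main__":
    for label, zone in (("no record", {}), ("basic", BASIC), ("amended", AMENDED)):
        print(label, audit(zone))
```

With the basic record only the Office 365 sender passes; the Unix server and mass-mailer pass only once they are listed in the amended record.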

Typical SPF Related Issues

If your users begin to report issues sending mails, with error messages similar to:

550 5.7.1 Sender ID/SPF failed

550 5.7.1 Message rejected because SPF checked failed

Then you likely have an SPF Record in place, but for some reason it is not valid. This will cause outbound emails to be rejected by the recipient's ISP.
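Common reasons a published record is not valid can be caught before the change goes live. The following is an added example, not code from the original article: it checks a domain's TXT records for more than one SPF record (typical when the Office 365 entry is added as a second record instead of amending the first), unknown terms, a missing Office 365 entry, and the limit of 10 DNS lookups set by RFC 7208. The function names and sample records are hypothetical.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
KNOWN_TERMS = LOOKUP_TERMS + ("ip4", "ip6", "all", "exp")
O365_ENTRY = "include:spf.protection.outlook.com"  # entry given in the article

def terms(record):
    """Yield (name, value) per term after 'v=spf1', qualifier and CIDR stripped."""
    for term in record.split()[1:]:
        name, _, value = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        yield name.partition("/")[0].lower(), value

def count_lookups(record, zone, seen=()):
    """Count terms that cost a DNS query, following include/redirect into zone."""
    total = 0
    for name, value in terms(record):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and value in zone and value not in seen:
                total += count_lookups(zone[value], zone, seen + (value,))
    return total

def lint_spf(txt_records, zone=None):
    """Return a list of problems found in a domain's TXT records ([] = none found)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["%d SPF records published; only one is allowed" % len(spf)]
    record = spf[0]
    names = [name for name, _ in terms(record)]
    findings = ["unknown term '%s'" % n for n in names if n not in KNOWN_TERMS]
    if O365_ENTRY not in record.lower().split():
        findings.append("Office 365 entry missing: " + O365_ENTRY)
    if "all" not in names:
        findings.append("no 'all' term; unlisted hosts get a neutral result")
    lookups = count_lookups(record, zone or {})
    if lookups > 10:
        findings.append("%d DNS lookups; the limit is 10" % lookups)
    return findings

# Constructed TXT record sets for a hypothetical domain (documentation IP ranges).
LEGACY = ["v=spf1 ip4:192.0.2.10 -all"]
DUPLICATE = LEGACY + ["v=spf1 include:spf.protection.outlook.com -all"]
TYPO = ["v=spf1 ip:192.0.2.10 include:spf.protection.outlook.com -all"]
AMENDED = ["v=spf1 ip4:192.0.2.10 include:spf.protection.outlook.com -all"]

if __name__ == "__main__":
    for label, records in [("legacy", LEGACY), ("duplicate", DUPLICATE),
                           ("typo", TYPO), ("amended", AMENDED)]:
        print(label, lint_spf(records) or "no problems found")
```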

Office 365 Recommendation for SPF Record

My recommendation is to get any SPF Record changes implemented two weeks before any actual migration to Office 365.

Putting in a new SPF Record, or changing an existing SPF Record, is a major organisational change in itself.  It has the potential to stop emails being delivered, impacting your business.   You need time to ensure you have a valid “Office 365-compatible” SPF Record that covers all your valid mail hosts, and Office 365, well in advance of your email migration.

This is a pre-migration task that can be ticked off before the actual Office 365 migration takes place.   You do not want the risk of some outbound emails being blocked at the very time you are moving users to Office 365.    You may run a complex environment, whereby putting in place an SPF Record turns into a mini project.

We can help you with your SPF Record, and your Office 365 migration project, via our expert email consulting services.

 

 

 

 

 
