In this post we'll look at a hot topic which is how do you block email sent from your own domain but not by your email server - i.e. email from someone spoofing your email domain. This will work for Exchange 2010, 2013 and 2016.
We’ll also block spoofed email for other domains.
How to block spoofed email from your domain
We’ll go through these steps:
- Create an SPF record for your domain configured with a HardFail
- Configure the InternalSMTPServers property on your transport servers
- Install the Anti-Spam agents on Exchange
- Configure SenderID filtering to reject emails that fail SPF checks
- Test SenderID Agent
Create an SPF record for your domain configured with a HardFail
An SPF record is a TXT record in DNS that begins with v=spf1. It includes a list of IPs that sending domain owner has specified as permitted to send email for that domain and it also informs the recipient mail server what to do if an email is received from an IP that is not on the permitted senders list.
Create an SPF record for your domain by following the instructions here. Make sure set your SPF record to prohibit all sending IPs that are not specified by using the -all mechanism at the end of the SPF record.
Your SPF record should look something like this:
v=spf1 ip4:220.127.116.11 ip4:18.104.22.168 ip4:22.214.171.124/28 mx -all
This simple SPF record states that the MX records and the additional IPs that are listed are allowed to send email for your domain.
Note the -all mechanism at the end of the record. This is important as you will see later when we come to configuring the SenderID Agent on Exchange.
If you are using split DNS then you need to ensure that you configure your SPF record on both your external DNS forward lookup zone and your internal DNS forward lookup zone.
Configure the InternalSMTPServers property on your transport servers
For SenderID filtering, Exchange looks at the client IP for email when working out whether the sending IP is permitted or not. In order for Exchange to differentiate between the IPs of other Exchange servers (or email gateways/smart hosts) and the actual client IP, you need to let Exchange know which IPs to ignore.
For example, if your have two Exchange servers with IPs 10.2.0.21 and 10.2.0.22 and an email gateway on 10.3.0.10 then set your transport configuration using this command on each Exchange server:
Set-TransportConfig -InternalSMTPServers 10.2.0.21,10.2.0.22,10.3.0.10
Install the Anti-Spam agents on Exchange
Our next step is to install the Anti-Spam agents on Exchange if you have not already installed them. If you run list transport agents, you will see which are installed:
In the above screenshot, there are no anti-spam transport agents listed because they’re not installed. We should expect to see new transport agents such as Sender Filter Agent and Sender Id Agent.
To go ahead and install the Anti-Spam agents, run the command below on your mailbox server in Exchange 2013 or 2016 or your hub transport server in Exchange 2010:
Then restart the Microsoft Exchange Transport Service:
Now we can confirm that we have additional Transport Agents:
Configure SenderID filtering to reject emails that fail SPF checks
Our next and final step is to configure Exchange to reject email that fails the SenderID check (SPF) by using the SenderID Transport Agent which we’ve just installed. Emails that are SPF HardFails fail this SPF check.
When installed, the SenderID agent is enabled but set to only stamp the status of the SPF record check in the message headers which means it doesn't reject any email. It’s also only enabled for external email by default.
For our purposes, we will configure it to reject spoofed domains. This will not only reject spoofed email for our email domain but it will also reject spoofed email for any other domain that has a valid SPF record configured with a HardFail. This is why the hard fail is important as Exchange and many other mail systems will generally not block a soft fail (but see part 2 how to do this in Exchange).
Let’s go ahead and configure the SenderID agent to block spoofed emails:
Set-SenderIdConfig -SpoofedDomainAction Reject
Some domains have not got their SPF records configured correctly and are recommending an SPF hard fail but are actually sending some email from IPs not included on the SPF record. To do get around this, you can set these domains to bypass the SenderID checks:
Set-SenderIdConfig -BypassedSenderDomains contoso.com,tailspintoys.com
Test SenderID Agent
Now, we can demonstrate that this is blocking spoofed email for our domain. First, let’s test using the Send-MailMessage cmdlet in PowerShell running from a computer on the internet which has an IP which is not listed on the SPF record:
Send-MailMessage -To email@example.com -From firstname.lastname@example.org -Subject "Testing email server SenderID Filter" -SmtpServer mx1.litwareinc.com
For more information about how to send email using PowerShell, see here. The error we get is:
The server response was: 5.7.1 Sender ID (PRA) Not Permitted
…….and the email was rejected! Great! Now spoofed email from your domain is blocked and spoofed email from other domains is blocked if they have an SPF record configured with a hard fail.
In this post, I’ve demonstrated how to configure Exchange 2010, 2013 or 2016 to reject spoofed email for your domain and other domains. This is done by blocking SPF HardFails.
In part 2, I'll demonstrate how to block emails that are from domains that are not configured with an SPF HardFail but as SoftFail instead.