Adding an external mailserver with SPF record (Webhost mailserver) to use with website contact form

%3CLINGO-SUB%20id%3D%22lingo-sub-41472%22%20slang%3D%22en-US%22%3EAdding%20an%20external%20mailserver%20with%20SPF%20record%20(Webhost%20mailserver)%20to%20use%20with%20website%20contact%20form%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-41472%22%20slang%3D%22en-US%22%3E%3CP%3EDon't%20know%20if%20this%20is%20the%20correct%20place%20within%20the%20community%20to%20ask%20this%20question.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20configure%20Office%20365%20and%20start%20migrating%20mailboxes%2C%20I%20check%20if%20my%20customer%20has%20a%20(wordpress)%20website%20that%20uses%20the%20plugin%20Contact%20Form%26nbsp%3B7%20(or%20any%20other%20mail%20plugin).%20They%20usually%20then%20use%20a%20SMTP%20plugin%20to%20email%20the%20contact%20forms.%20Almost%20always%20this%20plugin%20uses%20the%20mailserver%20that%20comes%20with%20the%20webhosting%20subscription.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20when%20I%20add%20the%20domain%20name%20to%20Office%20365%20and%20add%20the%20nessessary%20DNS%20records%2C%20of%20course%20this%20contact%20form%20does%20not%20deliver%20email%20anymore%20as%20it%20is%20uses%20a%20mailserver%20that%20is%20not%20authorized%20to%20send%20email%20from%20the%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20workaround%20is%20to%20use%20the%20SMTP%20server%20of%20Office%20365%2C%20where%20I%20sign%20in%20with%20a%20user%20account.%20Unfortunately%2C%20my%20customers%20do%20not%20have%20many%20Exchange%20licenses%2C%20so%20he%20user%20configured%20is%20one%20that%20also%20has%20access%20to%20business%20critical%20documents.%20So%20this%20is%20not%20ideal.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20I%20can%20solve%20this%20by%20adding%20SPF%20records%20for%20the%20Webhost's%20mailserver.%20But%20is%20this%20the%20correct%20solution%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20an%20example.%20My%20own%20DNS%20record%20include%20this%20line%3A%3C%2FP%3E%3CP%3Ev%3Dspf1%20include%3Aspf.protection.outlook.com%20include%3Aservers.mcsv.net%20%3Fall%3C%2FP%3E%3CP%3EWhere%20servers.mcsv.net%20are%20the%20mailservers%20from%20Mailchimp.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20do%20I%20add%20the%20webhost's%20mailserver%20to%20this%2C%20so%20mail%20sent%20with%20Contact%20Form%207%20gets%20delivered%3F%3C%2FP%3E%3CP%3EJust%20by%20adding%20%22include%3Asmtp.myowndomain.com%20%3Fall%22%3F%3C%2FP%3E%3CP%3EOr%20do%20I%20need%20to%20do%20something%20with%20DKIM%20too%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-41472%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-41605%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20an%20external%20mailserver%20with%20SPF%20record%20(Webhost%20mailserver)%20to%20use%20with%20website%20contact%20f%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-41605%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20it%20doesn't%20work%20all%20the%20time.%20I%20get%20message%20email%20with%20this%20text%3A%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Calibri%22%3E%5BThis%20sender%20failed%20our%20fraud%20detection%20checks%20and%20may%20not%20be%20who%20they%20appear%20to%20be.%20Learn%20about%20spoofing%20at%20%3C%2FFONT%3E%3CA%20href%3D%22http%3A%2F%2Faka.ms%2FLearnAboutSpoofing%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CFONT%20color%3D%22%230563c1%22%20face%3D%22Calibri%22%3Ehttp%3A%2F%2Faka.ms%2FLearnAboutSpoofing%3C%2FFONT%3E%3C%2FA%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Calibri%22%3E%5D%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Calibri%22%3EAnd%20then%20the%20mail.%3CBR%20%2F%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Calibri%22%3ESo%2C%20I%20guess%20I%20have%20to%20do%20something%20more%20to%20make%20it%20always%20work.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-41600%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20an%20external%20mailserver%20with%20SPF%20record%20(Webhost%20mailserver)%20to%20use%20with%20website%20contact%20f%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-41600%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20the%20include%20clause%20means%20%22get%20the%20SPF%20record%20from%20that%20domain%22%20and%20will%20only%20work%20if%20said%20domain%20has%20SPF%20published.%20If%20you%20want%20to%20add%20a%20hostname%20instead%20of%20IP%20to%20your%20record%2C%20use%20the%20A%20clause.%20For%20example%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ea%3Adomain.com%3C%2FP%3E%3CP%3Ea%3Adomain.com%2F24%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20if%20it%20work%20with%20include%20I%20guess%20they%20do%20publish%20SPF%20records%20on%20the%20domain%20and%20you%20should%20be%20fine.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-41527%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20an%20external%20mailserver%20with%20SPF%20record%20(Webhost%20mailserver)%20to%20use%20with%20website%20contact%20f%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-41527%22%20slang%3D%22en-US%22%3E%3CP%3ESo%2C%20I%20found%20out%20that%20using%20include%3Amail17.*MyWebhostDomain*.com%20also%20works.%20The%20mail%20didn't%20arrive%20in%20my%20Outlook%20mailbox%2C%20because%20my%20webhost's%20mailserver%20had%20a%20catch%20all%20mailadress%20configured%20(mail%40mydomainname.com)%20and%2C%20as%20it%20was%20ones%20the%20only%20mailserver%20(before%20I%20started%20with%20Office%20365)%20decided%20to%20put%20all%20the%20testmails%20in%20this%20catch%20all%20mailbox.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20solve%20this%20I%20configured%20bSMTP%20at%20my%20webhost%20and%20forward%20it%20to%20MySubscrionName%3CSPAN%3E.mail.protection.outlook.com.%20That%20seems%20to%20work%20when%20I%20configure%20the%20SPF.%20Without%20the%20SPF%20the%20mail%20doesn't%20get%20delivered%20in%20Outlook.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-41516%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20an%20external%20mailserver%20with%20SPF%20record%20(Webhost%20mailserver)%20to%20use%20with%20website%20contact%20f%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-41516%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%20Vasil%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20posting%20my%20question%20here%2C%26nbsp%3B%20I%20read%20the%20technet%20article%20again%20that%20I%20found%20previously.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2F3aff33c5-1416-4867-a23b-e0c0c5b4d2be(v%3Dexchg.150%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2F3aff33c5-1416-4867-a23b-e0c0c5b4d2be(v%3Dexchg.150%3C%2FA%3E)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20mentioning%20the%20%3Fall.%20It%20is%20what%20Mailchimp%20writes%20in%20it's%20instruction.%20I%20changed%20it%20to%20-all%20and%20that%20is%20also%20accepted%20by%20the%20Mailchimp%20verification%20check%2C%20so%20guess%20it's%20ok.%20Didn't%20send%20any%20newsletters%20with%20mailchimp%2C%20so%20not%20100%25%20sure.%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20the%20reference%20to%20the%20mailserver%20has%20to%20be%20an%20ip%20address%3F%20So%20it%20cannot%20be%20an%20SMTP%20address%20that%20I%20could%20also%20use%20in%20any%20mailapp%3F%20In%20the%20instructions%20at%20my%20webhost%20they%20mention%20this%20instruction%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESMTP%20Server%3A%26nbsp%3Bmail17.*MyWebhostDomain*.com%3CBR%20%2F%3ESMTP%20Port%3A%26nbsp%3B225%26nbsp%3B%26nbsp%3B%26nbsp%3BSSL%2Fsecured%3A%20No%3CBR%20%2F%3Eor%3CBR%20%2F%3ESMTP%20Port%3A%20465%26nbsp%3B%26nbsp%3B%26nbsp%3BSSL%2Fsecured%3A%20Yes%20(SSL%2FTLS)%3CBR%20%2F%3EAuthentication%3A%26nbsp%3BYes%2C%20required%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20used%20these%20settings%20to%20configure%20the%20Wordpress%20SMTP%20add%20in.%20It%20tells%20me%20it%20succesfully%20mailed%20a%20test%20email%2C%20but%20it%20doesn't%20arrive%20in%20my%20Outlook%20mailbox%20in%20Office%20365.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20I%20changed%20the%20SPF%20in%20my%20DNS%20to%20the%20following%3A%3C%2FP%3E%3CP%3Ev%3Dspf1%20include%3Aspf.protection.outlook.com%26nbsp%3Binclude%3Aservers.mcsv.net%20include%3Amail17.*MyWebhostDomain*.com%20-all%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWaited%20an%20hour.%20Nothing%20arrives...%20Is%20there%20a%20place%20in%20Exchange%20I%20can%20see%20what%20is%20rejected%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-41501%22%20slang%3D%22en-US%22%3ERe%3A%20Adding%20an%20external%20mailserver%20with%20SPF%20record%20(Webhost%20mailserver)%20to%20use%20with%20website%20contact%20f%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-41501%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20simply%20use%20a%20service%20such%20as%20SendGrid%2C%20which%20is%20free%20for%20%22normal%20use%22.%20And%20it's%20sort%20of%20allowed%20to%20spoof%20you%20by%20default.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyway%2C%20you%20should%20*not*%20use%20%22%3Fall%22%2C%20in%20fact%20you%20should%20not%20use%20anything%20apart%20from%20%22-all%22%20once%20the%20SPF%20record%20is%20setup%20with%20all%20hosts.%20Multiple%20include%20clauses%20can%20also%20be%20tricky%20as%20they%20exhaust%20the%20DNS%20lookups%2C%20but%20in%20general%20you%20should%20be%20safe%20nowadays.%20In%20your%20case%20if%20it's%20a%20single%20SMTP%20server%20you%20can%20do%20something%20like%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ev%3Dspf1%20include%3Aspf.protection.outlook.com%20include%3Aservers.mcsv.net%20ip4%3A1.2.3.4%20-all%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewhere%20you%20need%20to%20provide%20the%20ip%20address%20of%20the%20server.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

Don't know if this is the correct place within the community to ask this question.

 

When I configure Office 365 and start migrating mailboxes, I check if my customer has a (wordpress) website that uses the plugin Contact Form 7 (or any other mail plugin). They usually then use a SMTP plugin to email the contact forms. Almost always this plugin uses the mailserver that comes with the webhosting subscription.

 

Now when I add the domain name to Office 365 and add the nessessary DNS records, of course this contact form does not deliver email anymore as it is uses a mailserver that is not authorized to send email from the domain.

 

My workaround is to use the SMTP server of Office 365, where I sign in with a user account. Unfortunately, my customers do not have many Exchange licenses, so he user configured is one that also has access to business critical documents. So this is not ideal.

 

I think I can solve this by adding SPF records for the Webhost's mailserver. But is this the correct solution?

 

As an example. My own DNS record include this line:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ?all

Where servers.mcsv.net are the mailservers from Mailchimp.

 

How do I add the webhost's mailserver to this, so mail sent with Contact Form 7 gets delivered?

Just by adding "include:smtp.myowndomain.com ?all"?

Or do I need to do something with DKIM too?

5 Replies
Highlighted

You can simply use a service such as SendGrid, which is free for "normal use". And it's sort of allowed to spoof you by default.

 

Anyway, you should *not* use "?all", in fact you should not use anything apart from "-all" once the SPF record is setup with all hosts. Multiple include clauses can also be tricky as they exhaust the DNS lookups, but in general you should be safe nowadays. In your case if it's a single SMTP server you can do something like this:

 

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ip4:1.2.3.4 -all

 

where you need to provide the ip address of the server.

Highlighted

hi Vasil,

 

After posting my question here,  I read the technet article again that I found previously.

https://technet.microsoft.com/en-us/library/3aff33c5-1416-4867-a23b-e0c0c5b4d2be(v=exchg.150)

 

Thanks for mentioning the ?all. It is what Mailchimp writes in it's instruction. I changed it to -all and that is also accepted by the Mailchimp verification check, so guess it's ok. Didn't send any newsletters with mailchimp, so not 100% sure. :)

 

Does the reference to the mailserver has to be an ip address? So it cannot be an SMTP address that I could also use in any mailapp? In the instructions at my webhost they mention this instruction:

 

SMTP Server: mail17.*MyWebhostDomain*.com
SMTP Port: 225   SSL/secured: No
or
SMTP Port: 465   SSL/secured: Yes (SSL/TLS)
Authentication: Yes, required

 

I used these settings to configure the Wordpress SMTP add in. It tells me it succesfully mailed a test email, but it doesn't arrive in my Outlook mailbox in Office 365.

 

So, I changed the SPF in my DNS to the following:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:mail17.*MyWebhostDomain*.com -all

 

Waited an hour. Nothing arrives... Is there a place in Exchange I can see what is rejected?

Highlighted

So, I found out that using include:mail17.*MyWebhostDomain*.com also works. The mail didn't arrive in my Outlook mailbox, because my webhost's mailserver had a catch all mailadress configured (mail@mydomainname.com) and, as it was ones the only mailserver (before I started with Office 365) decided to put all the testmails in this catch all mailbox.

 

To solve this I configured bSMTP at my webhost and forward it to MySubscrionName.mail.protection.outlook.com. That seems to work when I configure the SPF. Without the SPF the mail doesn't get delivered in Outlook.

Highlighted

Well, the include clause means "get the SPF record from that domain" and will only work if said domain has SPF published. If you want to add a hostname instead of IP to your record, use the A clause. For example:

 

a:domain.com

a:domain.com/24

 

But if it work with include I guess they do publish SPF records on the domain and you should be fine.

Highlighted

Well, it doesn't work all the time. I get message email with this text:

[This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing]

And then the mail.

 

So, I guess I have to do something more to make it always work.