
Allowing email delivery from ServiceNow to your mail servers

Overview


If your company prevents email from being delivered from unknown IP addresses, or uses any services that filter spam based on IP address, you can configure those services using ServiceNow's Sender Policy Framework (SPF) records. ServiceNow provides SPF records to assist with anti-spoofing or spam detection. Please ensure that your corporate email infrastructure is configured to the industry standards that are described below. This ensures that email delivery from your ServiceNow instance to your corporate email service continues, uninterrupted. 

Sender Policy Framework is standardized under RFC4408; for more information, please visit the OpenSPF web site: http://www.openspf.org/FAQ or http://www.ietf.org/rfc/rfc4408.txt.

 

Recommended Solution


ServiceNow strongly recommends that you configure your mail system to use SPF records dynamically, using your mail server's feature for automatically retrieving them. If ServiceNow moves your instance to another datacenter, your mail servers will still be able to receive emails from your instance.

 

Alternative Solution


If you are unable to configure your mail servers to dynamically use SPF records for some reason, then you must work with your Email or System Administrators to gather SPF record data manually using a series of dig terminal commands to build your whitelist. 

Skills required: 

- Knowledge of SPF record format

- Ability to use the dig command line tool.

WARNING

ServiceNow reserves the right to change its SPF records structure. This may impact the commands you must run.

ServiceNow reserves the right to change the hosts or IPs returned. Your whitelist may therefore fall out-of-date over time, causing an email issue.

While these types of updates are generally infrequent, they can and do occur. You must implement a regular process - manual or automatic - to validate the SPF data you gather against your whitelist. Regularly update your whitelist to avoid a possible mail issue.

 

Example:

This example issues an initial dig command, and based on the structure of the response, issues further queries to locate hosts and IPs.

WARNING:

This is only an example of commands and returned values. Work with your System Email Administrator to run the initial query and similarly follow the SPF record data to gather IP addresses at the time you read this KB article.

Begin with the initial query of the service-now.com domain for TXT records:

    dig service-now.com TXT +short

As of this KB article's writing, the command returned the following data, which includes mx and three a: records:

    "v=spf1 mx a:b.spf.service-now.com a:c.spf.service-now.com a:d.spf.service-now.com"

Each of the three a: hosts in the response points to a group of mail servers, based on server location:

    b.spf.service-now.com - Canada DCs

    c.spf.service-now.com - US/Europe DCs

    d.spf.service-now.com - all other DCs
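
The procedure above as a script, added here as an illustration and not ServiceNow's own tooling: it splits the SPF record into the lookups to follow, resolves them with dig, and reports drift against your whitelist. It goes beyond the record shown by also recognizing include:, ip4:/ip6: and unknown terms, since the record structure may change. The script name spf_check.sh, the function names and the one-IP-per-line whitelist file are assumptions.

```shell
#!/bin/sh
# spf_targets RECORD DOMAIN: print one "type name" line per mechanism to follow.
spf_targets() (
  set -f                                  # no globbing while word-splitting
  for term in $(printf '%s' "$1" | tr -d '"'); do
    term=${term#+}                        # drop the optional "+" qualifier
    name=${term#*:}; name=${name%%/*}     # text after ":" without any /cidr
    case $term in
      mx|mx/*)     echo "mx $2" ;;        # bare mx/a refer to the queried domain
      a|a/*)       echo "a $2" ;;
      mx:*)        echo "mx $name" ;;
      a:*)         echo "a $name" ;;
      include:*)   echo "txt $name" ;;    # nested SPF record
      ip4:*|ip6:*) echo "ip ${term#*:}" ;;
      v=spf1|all|[-~?]all) ;;             # version tag and the final "all" term
      *) echo "unhandled term: $term" >&2 ;;  # record structure has changed
    esac
  done
)

# resolve_targets: read "type name" lines on stdin, print unique IPs (needs DNS).
resolve_targets() {
  while read -r type name; do
    case $type in
      a)   dig +short "$name" A; dig +short "$name" AAAA ;;
      mx)  dig +short "$name" MX | while read -r _pref host; do
             dig +short "$host" A; dig +short "$host" AAAA
           done ;;
      ip)  echo "$name" ;;
      txt) echo "nested record, repeat the procedure for: $name" >&2 ;;
    esac
  done | grep -v '\.$' | sort -u          # drop CNAME lines, which end in "."
}

# whitelist_drift CURRENT WHITELIST: IPs to add (MISSING) or to review (STALE).
whitelist_drift() {
  grep -vxFf "$2" "$1" | sed 's/^/MISSING /'
  grep -vxFf "$1" "$2" | sed 's/^/STALE /'
}

# Live run (hypothetical file names): sh spf_check.sh --check whitelist.txt
if [ "${1:-}" = "--check" ]; then
  cur=$(mktemp)
  spf_targets "$(dig +short service-now.com TXT | grep 'v=spf1')" service-now.com |
    resolve_targets > "$cur"
  whitelist_drift "$cur" "$2"; rm -f "$cur"
fi
```

Run it on a schedule and treat any MISSING, STALE or "unhandled term" output as the trigger to review the whitelist.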

 

SPF Query Tool:

Many tools are available for testing SPF records. One of them is at:

http://www.kitterman.com/spf/validate.html

Under the section 'Is this SPF record valid - syntactically correct?' you can test whether your new SPF record is syntactically correct and whether it requires more than 10 DNS lookups, before you publish it to DNS.

Article Information

Last Updated: 2017-10-11 01:52:15
Published: 2014-03-24