Description

If your company prevents email from being delivered from unknown IP addresses or uses any services that filter spam based on IP address, you can configure those services using ServiceNow's Sender Policy Framework (SPF) records. ServiceNow provides SPF records to assist with anti-spoofing or spam detection. Please ensure that your corporate email infrastructure is configured to the industry standards that are described below. This ensures that email delivery from your ServiceNow instance to your corporate email service continues, uninterrupted. 

Sender Policy Framework is standardized under RFC4408; for more information, please visit the OpenSPF web site: http://www.openspf.org/FAQ or http://www.ietf.org/rfc/rfc4408.txt.

Resolution

ServiceNow strongly recommends that you configure your mail system to use SPF records dynamically, using your mail server's feature for automatically retrieving them. That way, if ServiceNow moves your instance to another datacenter, your mail servers will still be able to receive emails from your instance.

Alternative Solution

If you are unable to configure your mail servers to dynamically use SPF records, then you must work with your Email or System Administrators to gather SPF record data manually using a series of dig terminal commands to build your whitelist. 

Skills required: 

  • Knowledge of the SPF record format
  • Ability to use the dig command-line tool

Warning: ServiceNow reserves the right to change its SPF record structure and the hosts or IPs returned. This may change the commands you must run, and your whitelist may fall out of date over time, causing email issues.

While these types of updates are generally infrequent, they can and do occur. You must implement a regular process - manual or automatic - to validate the SPF data you gather against your whitelist. Regularly update your whitelist to avoid possible email issues.

Example:

This example issues an initial dig command, and based on the structure of the response, issues further queries to locate hosts and IPs.

Warning: This is only an example of commands and returned values. Work with your System Email Administrator to run the initial query and similarly follow the SPF record data to gather IP addresses at the time you read this KB article.

Begin with the initial query of the service-now.com domain for TXT records:

dig service-now.com TXT +short

As of this KB article's writing, the command returned the following data, which includes an mx mechanism and three a: mechanisms:

"v=spf1 mx a:b.spf.service-now.com a:c.spf.service-now.com a:d.spf.service-now.com"

Each of the three a: hosts in the response points to a group of mail servers, grouped by server location:

b.spf.service-now.com - Canada DCs
c.spf.service-now.com - US/Europe DCs
d.spf.service-now.com - all other DCs

The IP addresses of the mail servers for the service-now.com domain are published in the DNS A records of each of the hosts listed above. To list them with dig, run:

dig A b.spf.service-now.com +short # Canada DCs
dig A c.spf.service-now.com +short # US/Europe DCs
dig A d.spf.service-now.com +short # all other DCs

Please use all three results in whitelisting regardless of where your instance is located. ServiceNow may reroute email traffic through any datacenter.
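The lookup chain above, combined with the regular validation the earlier warning calls for, as an added shell example (not ServiceNow's own tooling): it follows only the a: hosts, as the procedure here does, and reports drift against an allowlist file. The function names, the DIG_CMD override, stub_dig and the example.test data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: compare a static allowlist with the IPs behind an SPF record.
# DIG_CMD is an assumption of this sketch so a stub can replace dig offline.
DIG_CMD="${DIG_CMD:-dig}"

# Constructed stand-in for dig: hypothetical names, documentation IP ranges.
stub_dig() {
  case "$1 $2" in
    "example.test TXT") echo '"v=spf1 mx a:b.spf.example.test a:c.spf.example.test"' ;;
    "A b.spf.example.test") printf '192.0.2.10\n192.0.2.11\n' ;;
    "A c.spf.example.test") printf '198.51.100.7\n192.0.2.10\n' ;;
  esac
}

# Print the host of each a:<host> mechanism in the domain's v=spf1 TXT record.
spf_a_hosts() {
  $DIG_CMD "$1" TXT +short | grep 'v=spf1' | tr -d '"' | tr ' ' '\n' |
    sed -n 's/^a:\([^/]*\).*$/\1/p'
}

# Resolve every a: host; print sorted, de-duplicated IPv4 addresses only
# (the filter drops CNAME targets or errors that dig +short can emit).
spf_ips() {
  for host in $(spf_a_hosts "$1"); do
    $DIG_CMD A "$host" +short
  done | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# allowlist_drift DOMAIN FILE  (FILE: one IP per line, '#' comments allowed)
# Prints "MISSING ip" for SPF IPs absent from FILE and "STALE ip" for FILE
# entries no longer in SPF. Returns 0 in sync, 1 on drift, 2 if DNS gave no
# data (a failed lookup must not be read as "every entry is stale").
allowlist_drift() {
  live=$(mktemp); have=$(mktemp)
  spf_ips "$1" > "$live"
  grep -Ev '^[[:space:]]*(#|$)' "$2" | sort -u > "$have"
  if [ ! -s "$live" ]; then
    rm -f "$live" "$have"; echo "no SPF data for $1" >&2; return 2
  fi
  out=$(comm -23 "$live" "$have" | sed 's/^/MISSING /'
        comm -13 "$live" "$have" | sed 's/^/STALE /')
  rm -f "$live" "$have"
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"; return 1
}

# Stand-alone use (hypothetical file name): sh spf_drift.sh service-now.com allowlist.txt
if [ "$#" -eq 2 ]; then allowlist_drift "$1" "$2"; exit $?; fi
```

Run from a scheduled job, a return code of 1 is the signal to review the whitelist, and a return code of 2 means the lookup itself failed and the whitelist should be left unchanged.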

SPF Query Tool:

There are many tools for testing SPF records, for example, http://www.kitterman.com/spf/validate.html

Under the section 'Is this SPF record valid - syntactically correct?' you can test if your new SPF record is syntactically correct and also if it requires more than 10 DNS lookups (before you actually publish it to DNS). 

Secondary Alternative Solution

If you are unable to configure your mail servers to dynamically use SPF records and are unable to use the necessary tools to query the ServiceNow SPF records, you may use the following IPs to statically whitelist the ServiceNow mail server IP addresses. Please note that this is a static list and ServiceNow may add and/or remove IP addresses to this list in the future.

Please use all lists in whitelisting regardless of where your instance is located. ServiceNow may reroute email traffic through any datacenter.

Article Information

Last Updated: 2019-12-18 02:56:06
Published: 2019-12-18