Enabling email delivery using Sender Policy Framework (SPF) records to allow SN mail servers

Description

If your company prevents email from being delivered from unknown IP addresses or uses any services that filter spam based on IP address, you can configure those services using ServiceNow's Sender Policy Framework (SPF) records. ServiceNow provides SPF records to assist with anti-spoofing or spam detection. Please ensure that your corporate email infrastructure is configured to the industry standards that are described below. This ensures that email delivery from your ServiceNow instance to your corporate email service continues, uninterrupted.

Sender Policy Framework is standardized under RFC4408; for more information visit the OpenSPF websites:

http://www.openspf.org/FAQ
http://www.ietf.org/rfc/rfc4408.txt

The IPs for ServiceNow email servers are used only if the instance is using the ServiceNow provided SMTP account for outbound emails. If the instance is using custom SMTP instead, then it will be using the node IPs listed under "Source address used for integrations into customer network with NO VPN":

IP address information - Access and Integration

Note that while 99.9% of all outbound emails from an instance will use the email servers from that region (i.e. EMEA instances will use c.spf), ServiceNow email servers back each other up. This means that if there are any capacity/connection issues in one Data Center, emails will be routed through another DC (i.e. EMEA instances will temporarily use b.spf or d.spf). This will be done without any internal or public notice, and there is no way to disable this for a single instance/customer. Customers are advised to allow-list all three SPF records. IPs may be added to or removed from the allow-list frequently.
If you need to inspect the list, use the dig command and use the results:

    dig b.spf.service-now.com
    dig c.spf.service-now.com
    dig d.spf.service-now.com

In case administrators do not have access to the dig command because they are on Windows, the URL http://mxtoolbox.com/spf.aspx can provide the same output as:

    dig <domain> TXT +short

Resolution

ServiceNow strongly recommends configuring your mail systems to use SPF records dynamically, using your mail server's feature for automatically retrieving them. If ServiceNow moves your instance to another data center, your mail servers will still be able to receive emails from your instance.

If you run into any issues regarding the length of your SPF TXT record, please check https://repost.aws/knowledge-center/route-53-configure-long-spf-txt-records for a resolution.

Alternative Solution

If you are unable to configure your mail servers to dynamically use SPF records, then you must work with your Email or System Administrators to gather SPF record data manually using a series of dig terminal commands to build your Allow List.

Skills required:

- Knowledge of SPF record format
- dig or similar DNS tool

Warning: ServiceNow reserves the right to change its SPF records structure and the hosts or IPs returned. This may impact the commands you must run and your Allow List may fall out-of-date over time, causing email issues. While these types of updates are generally infrequent, they can and do occur. You must implement a regular process - manual or automatic - to validate the SPF data you gather against your Allow List. Regularly update your Allow List to avoid possible email issues.

Example: This example issues an initial dig command, and based on the structure of the response, issues further queries to locate hosts and IPs.

Warning: This is only an example of commands and returned values.
Work with your System Email Administrator to run the initial query and similarly follow the SPF record data to gather IP addresses at the time you read this KB article.

Current SPF Record

Begin with the initial query of the service-now.com domain for TXT records:

    dig service-now.com TXT +short

As of this KB article's writing, the command returned the following data, which includes three a: records:

    "v=spf1 a:b.spf.service-now.com a:c.spf.service-now.com a:d.spf.service-now.com"

The a: entries in the response each point to a group of mail servers (based on server location):

- b.spf.service-now.com - Canada DCs
- c.spf.service-now.com - US/Europe DCs
- d.spf.service-now.com - all other DCs

The list of IP addresses of mail servers for the service-now.com domain is available in the DNS A records on each of the above-listed domains. To list them using the dig command, run:

    dig A b.spf.service-now.com +short # Canada DCs
    dig A c.spf.service-now.com +short # US/Europe DCs
    dig A d.spf.service-now.com +short # all other DCs

Please use all three results in your Allow List regardless of where your instance is located. ServiceNow may reroute email traffic through any datacenter.

SPF Query Tool:

There are many tools for testing SPF records, for example, http://www.kitterman.com/spf/validate.html

Under the section 'Is this SPF record valid - syntactically correct?' you can test if your new SPF record is syntactically correct and also if it requires more than 10 DNS lookups (before you actually publish it to DNS).

Secondary Alternative Solution

If you are unable to configure your mail servers to dynamically use SPF records and are unable to use the necessary tools to query the ServiceNow SPF records, please run the following DNS queries and use the resultant IPs to statically define the ServiceNow mail server IP addresses in your Allow List. Please note that ServiceNow may add and/or remove IP addresses to these records at any time in the future.
To get the most up-to-date IP address list, run the dig commands:

    dig A b.spf.service-now.com +short # Canada DCs
    dig A c.spf.service-now.com +short # US/Europe DCs
    dig A d.spf.service-now.com +short # all other DCs

*Please use all IPs from the three records in your allow list regardless of where your instance is located. ServiceNow may reroute email traffic through any datacenter to maintain availability.

Special Case - For Hybrid Singapore Customers ONLY:

Instances in Hybrid Singapore should have their outbound SMTP accounts set with the from domain @sg.service-now.com, NOT @service-now.com.

There is a separate SPF record for sg.service-now.com:

    "v=spf1 a:spf.sg.service-now.com -all"

NOTE: This is different from the service-now.com SPF record.

    $ host spf.sg.service-now.com
    spf.sg.service-now.com has address 149.96.220.3
    spf.sg.service-now.com has address 149.96.221.3

If these IP addresses change, the change will be reflected in the SPF record, but a change in IPs is unlikely.

NOTE: If you are still using old SPF records after the change has been made on the data center, ServiceNow does not take any responsibility.
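
The regular validation process that the Alternative Solution calls for can be automated by following the SPF record the same way the dig walkthrough does and comparing the result with the static Allow List. The script below is an added example, not ServiceNow's own tooling; the function names, the RESOLVE_TXT / RESOLVE_A hooks and the one-IP-per-line allow-list file format are assumptions, and it only follows a: mechanisms and IPv4 A records, which is the structure this article shows.

```shell
#!/bin/sh
# Added example: audit a static allow list against published SPF data.
# RESOLVE_TXT / RESOLVE_A are hypothetical hooks; they default to the dig
# queries from the article and can be pointed at recorded answers instead.
resolve_txt_dig() { dig "$1" TXT +short; }
resolve_a_dig()   { dig A "$1" +short; }
RESOLVE_TXT=${RESOLVE_TXT:-resolve_txt_dig}
RESOLVE_A=${RESOLVE_A:-resolve_a_dig}

# Hosts named by a: mechanisms in the v=spf1 record of domain $1.
# Joins TXT strings split by DNS, skips non-SPF TXT records, drops any /cidr.
spf_a_hosts() {
    "$RESOLVE_TXT" "$1" | sed 's/" "//g; s/"//g' | grep -E '^v=spf1( |$)' |
        tr ' ' '\n' | sed -n 's/^[+]\{0,1\}a:\([^/]*\).*$/\1/p'
}

# Sorted, de-duplicated IPv4 addresses behind those hosts (CNAME lines dropped).
spf_ips() {
    for h in $(spf_a_hosts "$1"); do "$RESOLVE_A" "$h"; done |
        grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# Compare published IPs for domain $1 with allow-list file $2 (one IP per
# line, '#' comments allowed). Prints "MISSING ip" for published IPs absent
# from the list and "STALE ip" for listed IPs no longer published.
# Returns 0 in sync, 1 on drift, 2 if the lookup returned nothing.
audit_allowlist() {
    published=$(spf_ips "$1")
    [ -n "$published" ] || { echo "ERROR: no SPF data for $1" >&2; return 2; }
    allowed=$(sed 's/#.*//; s/[[:space:]]//g' "$2" | grep -v '^$' | sort -u)
    drift=0
    for ip in $published; do
        printf '%s\n' "$allowed" | grep -Fxq "$ip" ||
            { echo "MISSING $ip"; drift=1; }
    done
    for ip in $allowed; do
        printf '%s\n' "$published" | grep -Fxq "$ip" ||
            { echo "STALE $ip"; drift=1; }
    done
    return $drift
}

# Live run (needs dig and DNS access): sh spf_audit.sh --live allowlist.txt
if [ "${1:-}" = "--live" ]; then
    audit_allowlist service-now.com "$2"
    exit $?
fi
```

A return code of 2 means the DNS lookup produced no data and should be treated as a failed check, not as an empty published list. Hybrid Singapore instances would audit sg.service-now.com instead by calling audit_allowlist with that domain.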