Just wanted to share my expierence in getting into the world of SPF and altsrchost to help prevent someone else from hitting the potholes I did and to ask a question.

Situation:

We just recently deployed a TXT record on our public DNS to begin the setup of making our e-mail pass SPF verification.  Originally I was told to setup a TXT record for a different project.   Not knowing anything about SPF we set it up.   Long story short, it was a SPF1 entry and caused some SMTP servers to reject our e-mail because our IronPort appliances were not included in the entry.  To begin troubleshooting it I added MX to the SPF1 entry and did some testing of the entry and all was well, so I thought.   Turns out our IronPort appliances are using all public interfaces to deliver e-mail for this domain.  No problem, I had read about the altsrchost functionality and thought that it was perfect for setting IronPort to route e-mail from this domain only using the interfaces that are also setup as MX.    Wrong, once I set altsrchost to say only use these two public interfaces our IronPort appliances could not deliver e-mail that is sent from that domain from other internal systems back to our internal messaging system, because I just told it to only use these two public interfaces.  So, I cleared out the altsrchost and mail flow was fixed.  I did have a few hundred e-mails stuck in the queue that would not deliver because they were trying to still use that public interface (stuck in a queue or something).   I did get that cleaned up by just bouncing the e-mail, could not figure out a way to get it to not want to use only a public interface.

Question:

How can I get IronPort to only use specified interfaces to deliver e-mail on the public side but still allow it to use the private interfaces to deliver e-mail to our internal messaging system when it needs to?  The altsrchost command appears to only allow me to specify one interface.

We have two C660s running in a cluster.

Jason Meyer