The CreatorCon Call for Content is officially open! Get started here.

Whitelisting ServiceNow email IPs

stevekeiper
Kilo Contributor

‎02-01-2018 07:47 AM

We have a client that may need to whitelist ServiceNow's email IPs.   I have found articles regarding whitelisting by SPF but if that is not an option for them, is there a way for us to get a list of the IP addresses that ServiceNow sends email from so that we can forward along to this client?   thanks.

Labels:
0 Helpfuls
  • 4,937 Views
3 REPLIES 3

HarshTimes
Tera Guru

‎02-01-2018 07:57 AM

HI Steve


You can get the IP list from your servicenow HI Account.


1. Open the Hi Account and switch to legacy view


2. In the application navigation search, search for the IP information.


You will get the IP address list of your instance. See the screenshot


find_real_file.png


Preview file
30 KB

stevekeiper
Kilo Contributor
In response to HarshTimes

‎02-01-2018 08:05 AM

Harshtimes, thanks for the response.   I think this is information for the IPs of our instance(s), that is true.   However, as I understand it, ServiceNow sends emails out from its own Exchange/email instance, which is independent of the IPs used in a specific client instance, such as ours, yours etc.   Does ServiceNow publish the IPs that they send out their email notifications from?


0 Helpfuls

Aditya Telideva
ServiceNow Employee
ServiceNow Employee

‎02-01-2018 08:06 AM

hi steve,


If your company prevents email from being delivered from unknown IP addresses, or uses any services that filter spam based on IP address, you can configure those services using ServiceNow's Sender Policy Framework (SPF) records. ServiceNow provides SPF records to assist with anti-spoofing or spam detection. Please ensure that your corporate email infrastructure is configured to the industry standards that are described below. This ensures that email delivery from your ServiceNow instance to your corporate email service continues, uninterrupted.


Sender Policy Framework is standardized under RFC4408; for more information, please visit the OpenSPF web site: http://www.openspf.org/FAQ or http://www.ietf.org/rfc/rfc4408.txt.



Recommended Solution

ServiceNow strongly recommends that you configure your mail system to use SPF records dynamically, using your mail server's feature for automatically retrieving them. If ServiceNow moves your instance to another datacenter, your mail servers will still be able to receive emails from your instance.



Alternative Solution

If you are unable to configure your mail servers to dynamically use SPF records for some reason, then you must work with your Email or System Administrators to gather SPF record data manually using a series of dig terminal commands to build your whitelist.


Skills required:


- Knowledge of SPF record format


- Ability to use the dig command line tool.


WARNING:


ServiceNow reserves the right to change its SPF records structure. This may impact the commands you must run.


ServiceNow reserves the right to change the hosts or IPs returned. Your whitelist may therefore fall out-of-date over time, causing an email issue.


While these types of updates are generally infrequent, they can and do occur. You must implement a regular process - manual or automatic - to validate the SPF data you gather against your whitelist. Regularly update your whitelist to avoid a possible mail issue.



Example:


This example issues an initial dig command, and based on the structure of the response, issues further queries to locate hosts and IPs.


WARNING:


This is only an example of commands and returned values. Work with your System Email Administrator to run the initial query and similarly follow the SPF record data to gather IP addresses at the time you read this KB article.


Begin with the initial query of the service-now.com domain for TXT records:


dig service-now.com TXT +short


As of this KB article's writing, the command returned the following data, which includes mx and three a: records:


      "v=spf1 mx a:b.spf.service-now.com a:c.spf.service-now.com a:d.spf.service-now.com"


The bolded items in the response point to a group of mail servers each (based on servers location):


      b.spf.service-now.com - Canada DCs


      c.spf.service-now.com - US/Europe DCs


      d.spf.service-now.com - all ohter DCs



SPF Query Tool:


There are a lot of tools for testing SPF records.


On this one:


http://www.kitterman.com/spf/validate.html


under the section 'Is this SPF record valid - syntactically correct?' you can test if your new SPF record is syntactically correct and also if it requires more than 10 DNS lookups (before you actually publish it to DNS).


Thanks,


Aditya Telidevara


PS: Please do mark as helpful, if you have found so:)