active-directorydomain-name-systeminternal-dns
I have an Active Directory Server for a domain (let's say, domain.com) that is also a public domain with public DNS records (let's say, using GoDaddy's DNS).
How would I set it up so that if a specific record is not present in the local DNS (e.g. mail.domain.com) it would then look it up in the public DNS? I have already setup DNS Forwarders, but that doesn't seem to affect this scenario.
You need to have separate SPF records for each subdomain you wish to send mail from.
The following was originally posted on openspf.org, which used to be a great resource for this kind of thing.
Latest link http://www.open-spf.org/FAQ/The_demon_question/
The Demon Question: What about subdomains?
If I get mail from pielovers.demon.co.uk, and there's no SPF data for pielovers, should I go back one level and test SPF for demon.co.uk? No. Each subdomain at Demon is a different customer, and each customer might have their own policy. It wouldn't make sense for Demon's policy to apply to all its customers by default; if Demon wants to do that, it can set up SPF records for each subdomain.
So the advice to SPF publishers is this: you should add an SPF record for each subdomain or hostname that has an A or MX record.
Sites with wildcard A or MX records should also have a wildcard SPF record, of the form: * IN TXT "v=spf1 -all"
This makes sense - a subdomain may very well be in a different geographical location and have a very different SPF definition.
The 'include:' directive for SPF may be used to provide all subdomains with the same entries. For example, on the SPF record for subdomain mailfrom.example.com enter 'include:example.com'. In this fashion whenever you update the definition for example.com your subdomains will automatically pick up the updated values.
Don't add a primary zone on your Windows DNS server for example.com. If you do that, it will consider itself authoritative for any record within that namespace, so it will never ask the outside world for answers.
Instead, add a primary zone for dev.code.example.com. In that zone you create an A record '*' with the IP you want to use. Don't try to create a PTR, it won't work.
Best Answer
AFAIK, it isn't possible. If the AD DNS server is authoritative for the zone then it's... authoritative for the zone. It isn't going to forward queries that resolve to NXDOMAIN to another DNS server.