SPF fail

From Roaring Penguin

SPF, or Sender Policy Framework, is a mechanism that lets a domain owner publish, in a DNS TXT record, which mail servers are authorized to send mail using that domain as the envelope sender. SPF is designed to make it harder for spammers to spoof the sending domain.

Domain owners choose how strict their policy is. Each mechanism in the record carries a qualifier ("+", "?", "~" or "-") that determines the result when that mechanism matches the sending machine:

  • "pass" ("+") means the machine is authorized to send mail on the domain's behalf.
  • "neutral" ("?") means the domain owner takes no position on the matter.
  • "softfail" ("~") means the machine is probably not authorized and should not be sending mail on the domain's behalf, but the owner does not want such mail rejected outright.
  • "fail" ("-") means the machine MUST NOT send mail on the domain's behalf.

By default, CanIt ignores a sender whitelist or a domain whitelist for a message whose SPF lookup returns "softfail" or "fail", since a whitelist entry for a spoofed address would otherwise let the spoof straight through.

Unfortunately, many organizations have incorrectly or incompletely configured SPF records that cause inappropriate softfails or fails for their own legitimate mail. The best way to resolve this is to inform the sending organization so its administrators can fix their SPF record. How successful this is depends on how responsive the sending domain's administrators are.

You can have CanIt honor whitelists even in the face of SPF "fail" or "softfail" results in one of two ways:

1. Go to Preferences->Quarantine Settings and, under the heading "Sender/Recipient Settings", adjust settings S-910, S-915, S-920 and S-925. By default these are all set to "Yes"; set the ones you need to "No". Do this in a user's stream if the problem is localized, or in the realm's "default" stream if it is a general problem.

2. The recommended procedure, if the problem is limited to one domain or a small set of domains, is to define an SPF rule that zeroes out the score given for softfails or fails for the domain(s) in question:

  • Go to Rules->SPF Rules.
  • Enter the domain name in the box and set the fail and softfail values to 0.
  • Click Submit Change.

This can be done in either the user's or the default stream, whichever is appropriate. Zeroing out the fail and softfail scores causes CanIt to honor whitelists for the domain in question.

Alternatively, an SPF fail may be the only reason the message is being caught in the first place. Instead of whitelisting, you can counteract the score assigned for that test with a Rules->Custom Rule such as:

 Domain of Envelope Sender is example.com
 Score -5

where example.com is the domain in question and -5 is whatever offsets the SPF penalty in your configuration. This negates the SPF score but still lets the rest of the tests run, so CanIt can still block spoofed messages by other means where possible. Bear in mind that this rule also lowers the score of every spoof that uses example.com as its envelope sender, so do not make the negative score larger than the SPF penalty it is meant to cancel.

Adding further clauses lets you go a step beyond this and replicate what a correct SPF record for the domain would say:

 (Domain of Envelope Sender Is example.com) AND (Sending Relay Address Is not x.x.x.x)...
 Score X

Repeat the last clause once for each address x.x.x.x that should be in the sender's SPF record. The rule then matches only messages that claim example.com as the envelope sender but arrive from a relay outside that list, which is exactly what the domain's own SPF record would have flagged had it been complete. Set the score to achieve your desired result.
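The Python script below is an added example, not part of this page or of CanIt. It shows two things the text above describes: how the four SPF results arise from the qualifiers in a record, and what the "replicate a correct SPF record" custom rule is actually testing. The SPF record, the "incomplete" record a careless administrator might publish, the envelope senders and the relay addresses are all constructed (they use documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32); the evaluator handles only ip4, ip6 and all mechanisms because those need no DNS, and refuses records that need lookups rather than silently guessing. Scores and the CanIt rule semantics are modelled, not taken from CanIt's code.

```python
"""Offline SPF evaluator plus a model of the CanIt custom rule discussed above.

Added example; not part of this page or of CanIt.  All sample data below is
constructed from documentation address ranges.
"""
import ipaddress

# Constructed: the record example.com is assumed to publish in DNS.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Constructed: the same domain after an admin forgot the second outbound relay,
# the "incomplete SPF record" situation described on this page.
INCOMPLETE_SPF = "v=spf1 ip4:192.0.2.0/24 -all"

# SPF qualifier prefix -> result name; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return [(qualifier, mechanism, argument), ...] for an SPF TXT record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("exp="):
            continue  # explanation text only; never affects the result
        if "=" in term:
            raise NotImplementedError(f"modifier {term!r} needs DNS; not evaluated offline")
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def evaluate_spf(record, relay_ip):
    """Evaluate relay_ip against record the way a receiving MTA does.

    Only ip4, ip6 and all are supported (they need no DNS); a, mx, include,
    exists and ptr raise NotImplementedError instead of being skipped.
    Returns one of pass / neutral / softfail / fail / permerror.
    """
    ip = ipaddress.ip_address(relay_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            matched = ip in network  # False when address families differ
        else:
            raise NotImplementedError(f"mechanism {mechanism!r} needs DNS; not evaluated offline")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 section 4.7: nothing matched, no redirect


def custom_rule_score(envelope_sender, relay_ip, domain, authorized, penalty):
    """Model of the CanIt custom rule
         (Domain of Envelope Sender Is <domain>) AND (Sending Relay Address Is not <ip>) ...
    with one "Is not" clause per entry in authorized (a list of addresses or
    CIDR blocks).  Returns penalty when the message claims domain as its
    envelope sender but was relayed from outside the list, else 0 (rule does
    not fire).  The rule wording is CanIt's; the scoring here is an assumption.
    """
    envelope_domain = envelope_sender.rpartition("@")[2].lower()
    if envelope_domain != domain.lower():
        return 0
    ip = ipaddress.ip_address(relay_ip)
    for entry in authorized:
        if ip in ipaddress.ip_network(entry, strict=False):
            return 0
    return penalty


if __name__ == "__main__":
    # Legitimate mail from the forgotten relay fails the incomplete record ...
    print("incomplete record:", evaluate_spf(INCOMPLETE_SPF, "2001:db8::25"))
    # ... but a custom rule carrying the complete list does not penalize it,
    # while a spoof from an unrelated relay still gets the penalty.
    full_list = ["192.0.2.0/24", "2001:db8::/32"]
    print("legit relay:", custom_rule_score("billing@example.com", "2001:db8::25", "example.com", full_list, 5))
    print("spoof relay:", custom_rule_score("billing@example.com", "198.51.100.5", "example.com", full_list, 5))
```

The point of the last two lines is the one the page makes: zeroing the SPF score or adding a flat negative rule for example.com protects the mis-published domain's real mail but also its spoofs, whereas a rule that carries the domain's true relay list keeps the penalty for anything arriving from elsewhere.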