Difference between revisions of "SPF fail"

From Roaring Penguin
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
The use of an organization's advertised SPF is a moderately effective
+
SPF or [http://openspf.org Sender Policy Framework] is a mechanism that
anti-spam technique. What it does is allow the recipient to check that
+
allows domain owners to declare which servers are authorized to send mail
an email sender is coming from a valid email server for the
+
claiming to be from that domain. SPF is designed to reduce the ability
organization's domain, i.e., checks if domain is being spoofed.  
+
of spammers to spoof the sending domain.
  
Unfortunately many organization have incorrectly configured or
+
Domain owners can specify various levels of SPF strictness:
incomplete SPF settings which cause inappropriate soft-fails or fails
 
when checked. The most useful way to resolve this is to inform the
 
organization so they can fix their SPF settings. Unfortunately, this
 
historically has only proven moderately successful.
 
  
In Canit you basically have two approach you can take to fix the
+
* "pass" means a machine is authorized to send mail on the domain's behalf.
 +
* "neutral" means the domain owner takes no position on the matter.
 +
* "softfail" means the machine should not send mail on the domain's behalf.
 +
* "fail" means the machine MUST NOT send mail on the domain's behalf.
 +
 
 +
By default, CanIt '''ignores''' an Always-Allow rule set for a sender or a
 +
domain if the SPF lookup returns "softfail" or "fail" because it appears
 +
that someone is spoofing the domain.
 +
 
 +
Unfortunately many organizations have incorrectly or incompletely
 +
configured SPF settings that cause inappropriate softfails or fails.
 +
The best way to resolve this is to inform the sending organization so
 +
its administrators can fix the SPF settings. This may
 +
not be successful, depending on how responsive the sending domain's
 +
administrators are.
 +
 
 +
You can have CanIt honor whitelists even in the face of SPF
 +
"fail" or "softfail" results in one of two ways:
 +
 
 +
1. Go to Preferences->Quarantine Settings under the heading
 +
"Sender/Recipient Settings" and adjust settings S-910, S-915, S-920
 +
and S-925. By default these are set to "Yes". You can selectively set
 +
these to "No". This can be done in a user's stream if the problem is
 +
localized or the "default" stream of the realm if a general
 
problem.
 
problem.
  
If you go to Preferences->Quarantine Settings under the heading
+
2. The recommended procedure if the problem is limited to one domain
"Sender/Recipient Settings" you will find settings S-910, S-915, S-920
+
or a small set of domains is to define an SPF rule to zero out the score
and S-925 which deal with SPF. By default these are set to "Yes". You
+
given for softfails or fails for the domain(s) in question. This is
can selectively set these to "No". This could be done in the user's
+
done as follows:
stream if the problem is localized or the default stream of the realm
 
if a general problem. Note that this will completely disable all SPF
 
checking within the scope of the setting.
 
 
 
The second option, which we would recommend if the problem is limited to
 
one domain or a small set of domains, would be to
 
define an SPF rule to lower the score given for soft-fails or fails
 
for the domain(s) in question. This is done by:
 
  
 
*- Go to Rules->SPF Rules,
 
*- Go to Rules->SPF Rules,
*- Enter the domain in the box and set the fail and softfail values to 0. (Since release 9.0.14 if you do this CanIt will actually honor the whitelist.)
+
*- Enter the domain name in the box and set the fail and softfail values to 0.
 
*- Click Submit Change
 
*- Click Submit Change
  
 
This can be done in either the user's or default stream, whichever is
 
This can be done in either the user's or default stream, whichever is
appropriate.
+
appropriate. Zeroing out the fail and softfail scores causes CanIt to honor whitelists for the domain in question.
 +
 
 +
Alternatively, an SPF fail may be the only reason that the message
 +
is being caught in the first place. Instead of whitelisting, you could simply counteract the
 +
score assigned for that test with a Rules->Custom Rule. This could simply
 +
state:
 +
 
 +
  Domain of Envelope Sender is example.com
 +
  Score -5
 +
 
 +
where example.com is the domain in question. This would negate the SPF score but still allow the rest of the test to run.
 +
This would allow CanIt to block spoofed messages by other means, if possible.
 +
 
 +
Adding additional clauses could even allow you to replicate a correct SPF record:
 +
 
 +
  (Domain of Envelope Sender Is example.com) AND (Sending Relay Address Is not x.x.x.x)...
 +
  Score X
 +
 
 +
The last field can be repeated where x.x.x.x is the list of IP's that should be contained in the senders SPF record. Set the score to achieve your [[Thresholds|desired result]].
 +
 
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
[[category:All]][[category:Troubleshooting]][[category:Rules]]
 
[[category:All]][[category:Troubleshooting]][[category:Rules]]
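
Review bot: the rewritten option 1 no longer carries the old text's warning "Note that this will completely disable all SPF checking within the scope of the setting", so a reader who sets S-910, S-915, S-920 and S-925 to "No" in the default stream is not told how broad the effect is. Suggest restoring that sentence after 'You can selectively set these to "No"'. The new wording for the SPF rule also drops the "Since release 9.0.14" qualifier on honoring the whitelist; keep it if older releases may still be in use.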

Latest revision as of 10:22, 9 January 2018

SPF or Sender Policy Framework is a mechanism that allows domain owners to declare which servers are authorized to send mail claiming to be from that domain. SPF is designed to reduce the ability of spammers to spoof the sending domain.

Domain owners can specify various levels of SPF strictness:

  • "pass" means a machine is authorized to send mail on the domain's behalf.
  • "neutral" means the domain owner takes no position on the matter.
  • "softfail" means the machine should not send mail on the domain's behalf.
  • "fail" means the machine MUST NOT send mail on the domain's behalf.

By default, CanIt ignores an Always-Allow rule set for a sender or a domain if the SPF lookup returns "softfail" or "fail" because it appears that someone is spoofing the domain.

Unfortunately many organizations have incorrectly or incompletely configured SPF settings that cause inappropriate softfails or fails. The best way to resolve this is to inform the sending organization so its administrators can fix the SPF settings. This may not be successful, depending on how responsive the sending domain's administrators are.

You can have CanIt honor whitelists even in the face of SPF "fail" or "softfail" results in one of two ways:

1. Go to Preferences->Quarantine Settings under the heading "Sender/Recipient Settings" and adjust settings S-910, S-915, S-920 and S-925. By default these are set to "Yes". You can selectively set these to "No". This can be done in a user's stream if the problem is localized, or in the "default" stream of the realm if the problem is general.

2. The recommended procedure if the problem is limited to one domain or a small set of domains is to define an SPF rule to zero out the score given for softfails or fails for the domain(s) in question. This is done as follows:

  • Go to Rules->SPF Rules.
  • Enter the domain name in the box and set the fail and softfail values to 0.
  • Click Submit Change.

This can be done in either the user's or default stream, whichever is appropriate. Zeroing out the fail and softfail scores causes CanIt to honor whitelists for the domain in question.

Alternatively, an SPF fail may be the only reason that the message is being caught in the first place. Instead of whitelisting, you could simply counteract the score assigned for that test with a Rules->Custom Rule. This could simply state:

 Domain of Envelope Sender is example.com
 Score -5

where example.com is the domain in question. This negates the SPF score but still lets the rest of the tests run, so CanIt can still block spoofed messages by other means, if possible.

Adding additional clauses could even allow you to replicate a correct SPF record:

 (Domain of Envelope Sender Is example.com) AND (Sending Relay Address Is not x.x.x.x)...
 Score X

The last clause can be repeated, with x.x.x.x replaced by each of the IP addresses that should be contained in the sender's SPF record. Set the score to achieve your desired result.
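
The following added example (not CanIt code and not part of the original page) shows how an incomplete SPF record produces a "fail" for a legitimate relay, and models the compound custom rule above. The record, relay addresses, sender address and score are constructed sample values, and only the ip4, ip6 and all terms are evaluated so that it runs without DNS.

```python
import ipaddress

# SPF qualifier -> result (RFC 7208); a mechanism with no qualifier means "+".
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

def evaluate_spf(record, relay_ip):
    """Evaluate the ip4/ip6/all terms of an SPF record, left to right.
    Terms that need DNS (a, mx, include, ...) are skipped so this runs offline."""
    ip = ipaddress.ip_address(relay_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def custom_rule_score(envelope_sender, relay_ip, domain, known_relays, score):
    """Model of the compound rule: the envelope sender's domain is `domain`
    AND the sending relay is none of the known relays -> apply `score`."""
    sender_domain = envelope_sender.rpartition("@")[2].lower()
    relay = ipaddress.ip_address(relay_ip)
    known = {ipaddress.ip_address(a) for a in known_relays}
    if sender_domain == domain.lower() and relay not in known:
        return score
    return 0

# Constructed sample data (documentation address ranges, not real hosts).
PUBLISHED = "v=spf1 ip4:192.0.2.10 -all"     # record omits the second relay
KNOWN_RELAYS = ["192.0.2.10", "192.0.2.25"]  # what the record should list
RULE_SCORE = 5                               # stands in for "Score X"

if __name__ == "__main__":
    for relay in ("192.0.2.10", "192.0.2.25", "203.0.113.7"):
        print(relay, evaluate_spf(PUBLISHED, relay),
              custom_rule_score("billing@example.com", relay,
                                "example.com", KNOWN_RELAYS, RULE_SCORE))
```

The second relay fails the published record even though it is legitimate, while the rule that lists both relays scores only the unknown address.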