Difference between revisions of "SPF fail"

From Roaring Penguin
(Better explanation)
Line 1: Line 1:
The use of an organization's advertised SPF is a moderately effective
+
SPF or [http://openspf.org Sender Policy Framework] is a mechanism that
anti-spam technique. What it does is allow the recipient to check that
+
allows domain owners to declare which servers are authorized to send mail
an email sender is coming from a valid email server for the
+
claiming to be from that domain. SPF is designed to reduce the ability
organization's domain, i.e., checks if domain is being spoofed.  
+
of spammers to spoof the sending domain.
  
Unfortunately many organization have incorrectly or
+
Domain owners can specify various levels of SPF strictness:
incompletely configured SPF settings which cause inappropriate soft-fails or fails
 
when checked. The most useful way to resolve this is to inform the
 
organization so they can fix their SPF settings. Unfortunately, this
 
historically has only proven moderately successful.
 
  
In Canit you basically have two approach you can take to fix the
+
* "pass" means a machine is authorized to send mail on the domain's behalf.
problem.
+
* "neutral" means the domain owner takes no position on the matter.
 +
* "softfail" means the machine should not send mail on the domain's behalf.
 +
* "fail" means the machine MUST NOT send mail on the domain's behalf.
 +
 
 +
By default, CanIt '''ignores''' a sender whitelist or a domain whitelist
 +
if the SPF lookup returns "softfail" or "fail".
 +
 
 +
Unfortunately many organizations have incorrectly or incompletely
 +
configured SPF settings that cause inappropriate softfails or fails.
 +
The best way to resolve this is to inform the sending organization so
 +
its administrators can fix the SPF settings. This may
 +
not be successful, depending on how responsive the sending domain's
 +
administrators are.
 +
 
 +
Within CanIt, you can fix the problem in one of two ways:
  
 
If you go to Preferences->Quarantine Settings under the heading
 
If you go to Preferences->Quarantine Settings under the heading
"Sender/Recipient Settings" you will find settings S-910, S-915, S-920
+
"Sender/Recipient Settings", you will find settings S-910, S-915, S-920
 
and S-925 which deal with SPF. By default these are set to "Yes". You
 
and S-925 which deal with SPF. By default these are set to "Yes". You
can selectively set these to "No". This could be done in the user's
+
can selectively set these to "No". This could be done in a user's
stream if the problem is localized or the default stream of the realm
+
stream if the problem is localized or the "default" stream of the realm
 
if a general problem. Note that this will completely disable all SPF
 
if a general problem. Note that this will completely disable all SPF
 
checking within the scope of the setting.
 
checking within the scope of the setting.
  
The second option, which we would recommend if the problem is limited to
+
The second option, which we would recommend if the problem is limited
one domain or a small set of domains, would be to
+
to one domain or a small set of domains, is to define an SPF
define an SPF rule to lower the score given for soft-fails or fails
+
rule to lower the score given for softfails or fails for the
for the domain(s) in question. This is done by:
+
domain(s) in question. This is done by:
  
 
*- Go to Rules->SPF Rules,
 
*- Go to Rules->SPF Rules,
*- Enter the domain in the box and set the fail and softfail values to 0. (Since release 9.0.14 if you do this CanIt will actually honor the whitelist.)
+
*- Enter the domain in the box and set the fail and softfail values to 0.
 
*- Click Submit Change
 
*- Click Submit Change
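Review bot: the rewritten step "Enter the domain in the box and set the fail and softfail values to 0." drops the sentence "(Since release 9.0.14 if you do this CanIt will actually honor the whitelist.)", while the new text adds that CanIt ignores a sender or domain whitelist by default when the SPF lookup returns "softfail" or "fail". Without that sentence the reader is not told that zeroing the two scores affects whitelist handling, or from which release; suggest keeping it on that step or stating why it no longer applies. Style point on the same three steps: the "*- " markers put a stray hyphen after each bullet, so plain "* " would read more cleanly.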
  

Revision as of 16:01, 10 November 2014

SPF, or Sender Policy Framework, is a mechanism that allows domain owners to declare which servers are authorized to send mail claiming to be from that domain. SPF is designed to reduce the ability of spammers to spoof the sending domain.

Domain owners can specify various levels of SPF strictness:

  • "pass" means a machine is authorized to send mail on the domain's behalf.
  • "neutral" means the domain owner takes no position on the matter.
  • "softfail" means the machine should not send mail on the domain's behalf.
  • "fail" means the machine MUST NOT send mail on the domain's behalf.

By default, CanIt ignores a sender whitelist or a domain whitelist if the SPF lookup returns "softfail" or "fail".

Unfortunately, many organizations have incorrectly or incompletely configured SPF settings that cause inappropriate softfails or fails. The best way to resolve this is to inform the sending organization so its administrators can fix the SPF settings. This may not be successful, depending on how responsive the sending domain's administrators are.

Within CanIt, you can fix the problem in one of two ways:

If you go to Preferences->Quarantine Settings, under the heading "Sender/Recipient Settings" you will find settings S-910, S-915, S-920 and S-925, which deal with SPF. By default these are set to "Yes". You can selectively set these to "No", either in a user's stream if the problem is localized or in the "default" stream of the realm if the problem is general. Note that this will completely disable all SPF checking within the scope of the setting.

The second option, which we would recommend if the problem is limited to one domain or a small set of domains, is to define an SPF rule to lower the score given for softfails or fails for the domain(s) in question. This is done by:

  • Go to Rules->SPF Rules.
  • Enter the domain in the box and set the fail and softfail values to 0.
  • Click Submit Change.

This can be done in either the user's or default stream, whichever is appropriate.