Difference between revisions of "SPF fail"

From Roaring Penguin
(Better explanation)
m
Line 21: Line 21:
 
administrators are.
 
administrators are.
  
Within CanIt, you can fix the problem in one of two ways:
+
You can have CanIt honor whitelists even in the face of SPF
 +
"fail" or "softfail" results in one of two ways:
  
If you go to Preferences->Quarantine Settings under the heading
+
1. Go to Preferences->Quarantine Settings under the heading
"Sender/Recipient Settings", you will find settings S-910, S-915, S-920
+
"Sender/Recipient Settings" and adjust settings S-910, S-915, S-920
and S-925 which deal with SPF. By default these are set to "Yes". You
+
and S-925. By default these are set to "Yes". You can selectively set
can selectively set these to "No". This could be done in a user's
+
these to "No". This can be done in a user's stream if the problem is
stream if the problem is localized or the "default" stream of the realm
+
localized or the "default" stream of the realm if a general
if a general problem. Note that this will completely disable all SPF
+
problem.
checking within the scope of the setting.
 
  
The second option, which we would recommend if the problem is limited
+
2. The recommended procedure if the problem is limited to one domain
to one domain or a small set of domains, is to define an SPF
+
or a small set of domains is to define an SPF rule to lower the score
rule to lower the score given for softfails or fails for the
+
given for softfails or fails for the domain(s) in question. This is
domain(s) in question. This is done by:
+
done as follows:
  
 
*- Go to Rules->SPF Rules,
 
*- Go to Rules->SPF Rules,
*- Enter the domain in the box and set the fail and softfail values to 0.
+
*- Enter the domain name in the box and set the fail and softfail values to 0.
 
*- Click Submit Change
 
*- Click Submit Change
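Review bot: the rewritten step 1 ends at "problem." and drops the old closing sentence "Note that this will completely disable all SPF checking within the scope of the setting." That sentence is the only place the article tells an administrator what setting S-910, S-915, S-920 and S-925 to "No" gives up, so I would keep it at the end of step 1. It also makes clear why step 2 is the recommended procedure for a single domain.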
  

Revision as of 16:03, 10 November 2014

SPF or Sender Policy Framework is a mechanism that allows domain owners to declare which servers are authorized to send mail claiming to be from that domain. SPF is designed to reduce the ability of spammers to spoof the sending domain.

Domain owners can specify various levels of SPF strictness:

  • "pass" means a machine is authorized to send mail on the domain's behalf.
  • "neutral" means the domain owner takes no position on the matter.
  • "softfail" means the machine should not send mail on the domain's behalf.
  • "fail" means the machine MUST NOT send mail on the domain's behalf.

By default, CanIt ignores a sender whitelist or a domain whitelist if the SPF lookup returns "softfail" or "fail".

Unfortunately many organizations have incorrectly or incompletely configured SPF settings that cause inappropriate softfails or fails. The best way to resolve this is to inform the sending organization so its administrators can fix the SPF settings. This may not be successful, depending on how responsive the sending domain's administrators are.
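Before contacting the sending organization or relaxing a setting, it helps to confirm that the published record really excludes the server that sent the message. The sketch below is an added example, not part of the original article or of CanIt: it evaluates only the `ip4`, `ip6` and `all` terms of a record offline, and the record and addresses are constructed documentation values.

```python
import ipaddress

# SPF qualifier prefixes and the result each one produces on a match.
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

def spf_result(record, client_ip):
    """Return (result, matching_term) for the ip4/ip6/all terms of a record.

    Terms that need DNS (include, a, mx, exists, ptr, redirect=) raise
    ValueError rather than being skipped, so a result is never guessed.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("none", None)            # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        # A term without an explicit qualifier defaults to "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return (QUALIFIERS[qualifier], term)
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == int(name[2]) and ip.version == net.version and ip in net:
                return (QUALIFIERS[qualifier], term)
            continue
        raise ValueError(f"term {term!r} needs DNS; not evaluated offline")
    return ("neutral", None)             # nothing matched: default result

# Constructed record: the domain lists one relay network and hard-fails the rest.
RECORD = "v=spf1 ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    # The second address stands for a relay the domain owner forgot to list.
    for ip in ("192.0.2.10", "198.51.100.25"):
        print(ip, spf_result(RECORD, ip))
```

A legitimate relay that is missing from the record lands on the trailing `-all` or `~all` term, which is the "fail" or "softfail" that makes CanIt ignore the whitelist.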

You can have CanIt honor whitelists even in the face of SPF "fail" or "softfail" results in one of two ways:

1. Go to Preferences->Quarantine Settings and, under the heading "Sender/Recipient Settings", adjust settings S-910, S-915, S-920 and S-925. By default these are set to "Yes". You can selectively set these to "No". This can be done in a user's stream if the problem is localized, or in the "default" stream of the realm if the problem is general.

2. The recommended procedure if the problem is limited to one domain or a small set of domains is to define an SPF rule to lower the score given for softfails or fails for the domain(s) in question. This is done as follows:

  • Go to Rules->SPF Rules.
  • Enter the domain name in the box and set the fail and softfail values to 0.
  • Click Submit Change.

This can be done in either the user's or default stream, whichever is appropriate.