SPF or Sender Policy Framework is a mechanism that allows domain owners to declare which servers are authorized to send mail claiming to be from that domain. SPF is designed to reduce the ability of spammers to spoof the sending domain.
Domain owners can specify various levels of SPF strictness:
- "pass" means a machine is authorized to send mail on the domain's behalf.
- "neutral" means the domain owner takes no position on the matter.
- "softfail" means the machine should not send mail on the domain's behalf.
- "fail" means the machine MUST NOT send mail on the domain's behalf.
By default, CanIt ignores a sender whitelist or a domain whitelist if the SPF lookup returns "softfail" or "fail".
Unfortunately many organizations have incorrectly or incompletely configured SPF settings that cause inappropriate softfails or fails. The best way to resolve this is to inform the sending organization so its administrators can fix the SPF settings. This may not be successful, depending on how responsive the sending domain's administrators are.
You can have CanIt honor whitelists even in the face of SPF "fail" or "softfail" results in one of two ways:
1. Go to Preferences->Quarantine Settings under the heading "Sender/Recipient Settings" and adjust settings S-910, S-915, S-920 and S-925. By default these are set to "Yes". You can selectively set these to "No". This can be done in a user's stream if the problem is localized or the "default" stream of the realm if a general problem.
2. The recommended procedure if the problem is limited to one domain or a small set of domains is to define an SPF rule to zero out the score given for softfails or fails for the domain(s) in question. This is done as follows:
- - Go to Rules->SPF Rules,
- - Enter the domain name in the box and set the fail and softfail values to 0.
- - Click Submit Change
This can be done in either the user's or default stream, whichever is appropriate. Zeroing out the fail and softfail scores causes CanIt to honor whitelists for the domain in question.