Sender Policy Framework (SPF) is an open standard used to identify forged sender addresses in email messages. Specifically it protects the domain found in the SMTP envelope sender address, or return path. It does this by checking the domain's DNS record for an SPF policy to find out exactly which mail hosts are permitted to send messages on the domain's behalf. If the domain has an SPF policy and the sending host is not listed in that policy, then you can know that the address if forged.
For more on SPF, visit: www.open-spf.org
Configuration
Verify sending host using SPF
By default, SecurityGateway will check the sending domain's DNS record to see if the sending host has the authority to send email on its behalf. This uses the domain found in the MAIL value passed during SMTP processing. Clear this checkbox if you do not wish to use SPF processing.
When SPF processing returns a HARD FAIL result:
The following action will be taken when SPF processing of a message results in a HARD FAIL.
...refuse the message
By default messages receiving a HARD FAIL will be refused during the SMTP process.
...quarantine the message
Choose this option if you wish to quarantine messages that receive a HARD FAIL.
...accept the message
If you wish to accept messages that receive a HARD FAIL, choose this option. You can then insert some text into the message's subject and modify its Message Score.
...tag the subject with [ text ]
When you have configured SecurityGateway to accept a message that receives a HARD FAIL result, enable this option and specify some text if you wish to add something to the beginning of the message's Subject header. If enabled, the default text added to the subject is: "*** FRAUD ***". With this option you could leave it to the recipient's mail server or client to filter the message based on the tag. This option is disabled by default.
There are a number of other places within SecurityGateway where you can optionally add text to the Subject header. For example, the DKIM Verification and Message Scoring pages also have this option. When the designated text in these options matches, the tag will only be added to a message's subject once even if that message meets the criteria under each option. If, however, the text differs between the options, then each unique tag will be added. For example, the default text in this option is "*** FRAUD ***" but the default text in Message Scoring is "*** SPAM ***". Because the two tags are different, both would be added to messages matching the criteria of both options. But, if you changed the text in one of the options to be identical to the other one, then the tag would be added only once. |
...add [xx] points to message score
By default, when you have configured SecurityGateway to accept a message that receives a HARD FAIL result, this value is added to its Message Score. If the final score is high enough then that could cause the message to be quarantined or refused, depending on your Message Scoring settings. The default value for this option is 5.0.
When SPF processing returns a SOFT FAIL result:
The following action will be taken when SPF processing of a message results in a SOFT FAIL.
...refuse the message
Click this option if want messages receiving a SOFT FAIL to be refused during the SMTP process.
...quarantine the message
Choose this option if you wish to quarantine messages that receive a SOFT FAIL.
...accept the message
By default, messages that receive a SOFT FAIL will be accepted, but you can then insert some text into the message's subject and modify its Message Score.
...tag the subject with [ text ]
When SecurityGateway is configured to accept a message that receives a SOFT FAIL result, enable this option and specify some text if you wish to add something to the beginning of the message's Subject header. If enabled, the default text added to the subject is: "*** FRAUD ***". With this option you could leave it to the recipient's mail server or client to filter the message based on the tag. This option is disabled by default.
...add [xx] points to message score
By default, when you have configured SecurityGateway to accept a message that receives a SOFT FAIL result, this value is added to its Message Score. If the final score is high enough then that could cause the message to be quarantined or refused, depending on your Message Scoring settings. The default value for this option is 2.0.
When SPF processing returns a PASS result:
...add [xx] points to message score
Click this option if you wish to adjust the Message Score when SPF processing of a message results in a PASS. This should be a negative number so the the score will be reduced, thus giving it a beneficial adjustment.
Exclusions
Exclude messages from allowlisted IP addresses
Click this checkbox if you wish to exclude the sender from SPF processing when its IP address appears on the Global IP allowlist. This option is disabled by default.
Exclude messages from authenticated sessions
When the incoming message is using an authenticated session it will be excluded from the SPF processing requirement by default. Clear this option if you wish to use SPF processing even when the SMTP session was authenticated.
Exclude messages from domain mail servers
Messages coming from one of your domain mail servers will be exempt from SPF processing by default. Clear this checkbox if you do not wish to exclude domain mail servers from SPF requirements.
Advanced
Insert 'Received-SPF' header into messages
By default a "Received-SPF" header is inserted into each message, containing the SPF results for the message. Clear this checkbox if you do not wish to insert this header.
...except when the SPF result is 'none'
By default, no "Received-SPF" header is inserted when the result of an SPF lookup is "none." Uncheck this option if you wish to insert the header even if no SPF data is found for the sender's domain.
Exceptions - Domains
If you select a specific domain in the "For Domain:" drop-down list box at the top of the page when configuring these settings, that domain will be listed here after saving the settings. Click the View/Edit link for the corresponding domain to review or edit its SPF settings, or click Reset to reset the domain's settings to the default Global values.