
Configuring SPF lookup options in SecurityGateway

This article explains how to configure SecurityGateway to check the SPF record, if one exists, on the sending domain of incoming messages to verify whether the connecting IP address is a valid sender for that domain, and help prevent the acceptance of spam messages that use forged domains.

From the Dashboard, after signing in:

  1. Click on Security, in the lower-left corner
  2. Locate the Anti-Spoofing section 
  3. Click on SPF

From there, you may configure the following options globally or per domain by using the 'For Domain' drop-down list in the upper right:

  • Verify sending host using SPF

    SecurityGateway will query the SPF record of the domain given in the MAIL FROM command during the incoming SMTP session to check whether the sending agent is listed as a valid sender of email for that domain. By default, this is enabled.

  • When SPF processing returns a HARD FAIL result

    If SecurityGateway does an SPF record check and determines that the purported sending domain's policy does not allow the current sending agent to send email from its domain, SecurityGateway can refuse the message completely, quarantine it for later study, or accept it for delivery. By default, SecurityPlus refuses delivery of mail that HARD FAILS an SPF check on the domain.

  • ... tag subject with <>

    If a message is accepted for delivery or quarantined, you may add custom text, by default '*** FRAUD ***', to the subject. By default, this is disabled.

  • ... add x points to message score.

    If a message is accepted for delivery or quarantined, you may add the specified number of points, by default 5.0, to the score of the message. By default, this is enabled.

  • When SPF processing returns a SOFT FAIL result

    If SecurityGateway does an SPF record check and determines that the purported sending domain's policy does not explicitly allow sending from the current sending agent, but it could be valid, SecurityGateway can do the same as above: refuse to accept the message, quarantine it, or accept it for delivery. By default, SecurityGateway accepts these messages for delivery.

  • ... tag subject with <>

    If a message is accepted for delivery or quarantined, you may add the specified text, by default '*** FRAUD ***', to the subject. By default, this is disabled.

  • ... add x points to message score.

    If a message is accepted for delivery or quarantined, you may add the specified number of points, by default 2.0, to the score of the message. By default, this is enabled.

  • When SPF processing returns a PASS result ... add x points to message score

    If SecurityGateway does an SPF check and can verify the connecting agent as a valid sender for the domain given, it can add the specified number of points, by default 0.0, to the message score. If you choose to enable this, remember to set the number of points added to a negative number. By default, this is disabled.

  • Exclude messages from whitelisted senders

    If the sending IP address is on the server's whitelist, then SecurityGateway will not do an SPF check on the message. By default, this is disabled.

  • Exclude messages from authenticated sessions

    If the connecting user authenticates their session using a username and password on the SecurityGateway server before sending the message, SecurityGateway will not do an SPF check on the message. By default, this is enabled.

Note that the following options are set for the entire server:

  • Insert 'Received-SPF' header into messages

    SecurityPlus will insert a 'Received-SPF' header into messages with the status of the SPF check performed, for later reference. By default, this is enabled.

    • ... except when the SPF result is 'none'

      If the purported sending domain does not have an SPF record registered, SecurityGateway will not add the above 'Received-SPF' header to the message. By default, this is enabled.
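
The result handling described above, as an added example that is not SecurityGateway's own code: it evaluates a constructed SPF record against a connecting IP address (ip4, ip6 and all mechanisms only, no DNS lookups) and applies the default actions, score points and 'Received-SPF' behavior listed in this article. The function names, the header layout (RFC 7208 key-value form) and the handling of results the article does not cover are assumptions.

```python
import ipaddress

# Defaults as the article states them: result -> (action, points added to score).
# Results the article does not cover are accepted with no points (assumption).
DEFAULTS = {"fail": ("refuse", 5.0), "softfail": ("accept", 2.0), "pass": ("accept", 0.0)}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Return the SPF result for client_ip using only ip4/ip6/all mechanisms."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, redirect, ... need DNS lookups and are skipped here
    return "neutral"  # nothing matched and there is no 'all' mechanism

def handle_message(record, client_ip, mail_from, score=0.0):
    """Apply the default per-result handling and the Received-SPF options."""
    result = evaluate_spf(record, client_ip)
    action, points = DEFAULTS.get(result, ("accept", 0.0))
    if action != "refuse":
        score += points  # points apply only to accepted or quarantined mail
    headers = []
    if result != "none":  # default: no header when the result is 'none'
        headers.append(f"Received-SPF: {result} client-ip={client_ip}; envelope-from={mail_from}")
    return {"result": result, "action": action, "score": score, "headers": headers}

if __name__ == "__main__":
    # Constructed records and documentation-range addresses, not real data.
    samples = [
        ("v=spf1 ip4:192.0.2.0/24 -all", "192.0.2.10"),
        ("v=spf1 ip4:192.0.2.0/24 -all", "203.0.113.9"),
        ("v=spf1 ip4:192.0.2.0/24 ~all", "203.0.113.9"),
        (None, "203.0.113.9"),
    ]
    for record, ip in samples:
        print(handle_message(record, ip, "user@example.com"))
```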

Additional Comments

All settings, except for the two specified above, can be configured for individual domains or for the entire server.

Note that SPF and Sender ID perform roughly the same function, but are still different concepts. For more information about the difference between the two, please visit http://www.openspf.org/SPF_vs_Sender_ID

For more information about Sender ID in general, please visit http://www.openspf.org