
Sophos Central Email Reverse DNS Check

Hi,

I have configured Sophos Central Email. I tested it a little bit and I think it works really well.

But:

I could send myself a mail from a domain without SPF, DKIM or DMARC, from an unauthorized IP.

Is it right that Sophos does not check RDNS entries?

Thanks,

Andreas

  • Yes, we do RDNS lookups for reputation, but that doesn't mean SPF, DKIM or DMARC, hence my question about Email Authentication.

  • I hope I understand everything right.

    I will give you an example.

    I have a domain with no SPF record, DKIM or DMARC.

    I tried to spoof the domain. I took a server with a public IP with no RDNS record. This server is not allowed to send from this domain. It is not in the MX. I sent a mail from this server to my domain behind Sophos Central Email.

    The email passed and was not blocked. I think when there is nothing to check from SPF or DKIM or DMARC, Sophos cannot block it this way. But I think the mail should be blocked based on things like MX records and RDNS if there is no SPF?

    I think the hardware appliances work a little bit differently. I have only worked with Sophos XG appliances, many years ago.

  • What says the server is not allowed to send from that IP address? Generally, SPF records indicate which IPs are authorized to send on behalf of a domain, and if they fail that check then Sophos Central can be configured to do something with those messages. SMTP is a very old and weak technology when it comes to spoofing email, which is why Email Authentication like DMARC, SPF and DKIM were developed and continue to be refined to handle those spoof attempts. Just because a server doesn't have an MX doesn't mean it can't send email. It won't receive email, because other parties won't know where to deliver; the MX is just a pointer, like a house address. Now, if there is no SPF record for the domain, then admins have to decide how to handle those messages. In the Help Documentation we put in flow charts that explain the process.

    https://doc.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/EmailSecurityPolicy/Authentication/SenderChecks/EmailSenderCheckSequence/index.html
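To make the distinction in the reply above concrete, here is a minimal receiver-side check, added as an illustration and not Sophos Central's own logic: it evaluates the sender domain's SPF record against the connecting IP and separately notes whether that IP has a reverse record. The DNS data is constructed inline (example.com, nospf.example and the IPs are made up); a domain that publishes no SPF record yields the result "none", which is exactly the case where the receiving policy, not the protocol, has to decide.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (assumption: offline example).
DNS = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 mx -all"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["198.51.100.25"]},
    "nospf.example": {"MX": ["mail.nospf.example"]},  # has an MX, but no SPF record
    "mail.nospf.example": {"A": ["198.51.100.26"]},
}
PTR = {"198.51.100.25": "mail.example.com"}  # connecting IPs that have a reverse record

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def check_spf(domain, client_ip):
    """Minimal SPF evaluator: supports ip4/ip6, a, mx and the 'all' mechanism.
    Returns an SPF result string: none, pass, fail, softfail or neutral."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"  # nothing published: the receiver's policy has to decide
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            # an MX entry authorizes the IPs that host resolves to, nothing more
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def reverse_dns(client_ip):
    """PTR name for the connecting IP, or None when the IP has no reverse record."""
    return PTR.get(client_ip)

def assess(domain, client_ip):
    """Combine the SPF result with the rDNS observation, as a receiver's policy would."""
    return {"spf": check_spf(domain, client_ip), "rdns": reverse_dns(client_ip)}
```

`assess("nospf.example", "203.0.113.7")` reproduces the scenario in the thread: SPF "none" and no PTR, so nothing in the protocol itself says the message must be rejected; whether that combination is blocked is a policy choice.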