Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Sophos Email: The proper host to do SPF sender checks

Hi everyone!

Do you sometimes see sender checks like SPF do not work as expected? 

For example in Sophos Email that it was accepted but sender check failed in the recipient email server?

This might be because the checks are not done in the proper host.

The recommended host to do SPF checks should be the one accepting the emails on behalf of the protected domain.

What is happening?

Sender checks work best when it can see the sender server's identity information like IP address, domain name, host name, etc. 

It all boils down to how SPF works. 

When an inbound email comes, the recipient email server that have SPF checking enabled looks at the IP address and domain that the email is coming from.

It then checks the sender domains SPF record for the list of IP addresses/hosts that are authorized to send email on behalf of that domain.

If the IP address/host is not found, then an SPFfail will result.

The problem comes up when the SPF check is done behind the server that originally accepted the email on behalf of the protected domain because what this server sees is the upstream server's IP address instead of the sender's original IP. 

For example, lets use Gateway mode for this:

Sender email server --> Sophos Email --> Recipient Email server.

So based on this scenario, the sender check should be performed in Sophos Email instead of the recipient email server. 

How about Mailflow mode?

Sender email server --> M365 --> Sophos Email  ---> M365 email server.

In this scenario since M365 is the one immediately accepting the email from the sender, this should be the one performing the check instead of Sophos Email.

Here is another example, this time not even having Sophos Email in the scenario:

Sender email server --> Email server 1 --> Email server 2 --> Email server 3

If sender check is done in Email server 2, it will see Email server 1's IP address as the originating IP address and therefore will have the wrong SPF result.

If sender check is done in Email server 3, it will see Email server 2's IP address as the originating IP address and therefore will also have the wrong SPF result.

Having the sender check in Email server 1 will have an accurate SPF result.

What to do:

The quickest way to determine which host should be doing the sender check is by looking at the MX record for the recipient domain.

What ever host the MX record for that domain points to, should be the one performing SPF checks. This is because since it is the one which have real visibility of the sender server's IP, domain, hostname, etc. then it will have the most accurate sender assessment result.

Guideline: To avoid incorrect sender check results, make sure only the edge server is the only one performing sender checks as any check downstream will mostly see the server's IP address before it relaying the email instead of the real originating one.

Edited Title
[edited by: Raphael Alganes at 8:34 AM (GMT -8) on 11 Jan 2024]