This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Notification email from do-not-reply@fw-notify.net identified as SPAM and being inherently blocked by many email services

First time poster, long time personal user since Astaro days.

Recently, many Internet email providers have started requiring email being received to include at least one of many "standards" based mechanisms that attempt to verify the originating source as authentic. This trend can be characterized as an effort to combat the rampant distribution of UCE (Unsolicited Commercial Email), commonly, but incorrectly known as SPAM (sorry Hormel).

In many cases, an Internet email host wants to see a valid SPF (Sender Policy Framework, tools.ietf.org/.../rfc7208) record associated with the originator, or a valid DKIM (Domain Keys Identified Mail, http://dkim.org/) block that cryptographically authenticates the fact that at least some of the content of the received email message has not changed.

Sophos has mitigated the SPF issue by creating an SPF DNS record for fw-notify.net as follows:

Type Domain        Record Content    TTL

TXT  fw-notify.net v=spf1 a mx -all  14708

See: https://community.sophos.com/kb/en-us/115536 for more information on the fw-notify.net domain used for notification.

Thus, if an email system (SMTP) receives a message from a user at fw-notify.net, and the receiving system requires a valid SPF, the receiving email system scores the email from fw-notify.net as passing the SPF check.

Regarding Domain Keys Identified Mail, I suggest reading this short but extremely informative blog post by Jett Pendleton

https://www.sparkpost.com/blog/understanding-spf-and-dkim/

Now that you understand some of the methods being employed to combat UCE, I'll present my question, and a proposed feature enhancement for Sophos UTM.

My first question is, can I substitute an external mail server for the Sophos internal server originating the notifications from the fw-notify.net domain?

My second question is does, or can Sophos support DKIM in the UTM?

If Sophos does not currently support DKIM, I strongly suggest that they include this feature going forward.

I am certainly willing to participate in a project to get this feature implemented, particularly since most mainline email services for both individuals and enterprises seem to be moving in the direction of requiring DKIM signed and hashed communications.

Please advise and comment.

Best regards,

Gregg Rasor



This thread was automatically locked due to age.
Parents
  • The UTM 's SMTP Proxy is capable of adding a DKIM header, Gregg, you only need to configure your mail server to use the UTM as a smart host for outbound email.  If you would like a copy of my guide for configuring DKIM, PM me your email address.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    My SG135 just started to be rejected this week.  My domain and email are hosted by a local company.  I am in contact with them and they said this was the problem.  They also said getting your guide would be worth a try.  Could you please provide?

    They also asked if there is any way to change the "From" email address.  I'm guessing not?

    Thanks!!

    Kay

  • Hi Kay,

    Glad to send it.  Please send a PM with your email address.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children