Where does the UTM document whether it successfully validated SPF records, and with which IP and/or domain it was validated?
I have to investigate a phishing campaign and I have access to the email itself as well as the SMTP log file.
In neither of them can I see any SPF check results.
SPF is and was enabled.
Hello,
The sending domain must specify SPF for it to be checked. In the SMTP Proxy log, search for SPF and spf to see passes and failures.
Post the headers from the email here with your private information obfuscated.
Cheers - Bob
You may want to review this post, where I provide general information about parsing and interpreting the SMTP log file. I don't do SPF checks in UTM, so it is not called out in my document, but it would certainly be part of the EXIM-IN phase.
https://community.sophos.com/utm-firewall/f/mail-protection-smtp-pop3-antispam-and-antivirus/114272/how-to-analyze-the-smtp-log-file
Case closed.
When the mail was received, no SPF record had yet been set; it was added later, so it was present when the investigation started.