
SPF Check not working on UTM 9

Sophos UTM 9 Version 9.705-3

Yesterday we had a phishing mail attack with phishing mails that were sent from a fake address with our own domain.

They were sent from random hosting servers and were not blocked by the SPF check, even though these servers aren't permitted by the SPF entry.



  • I don't think so.  That's in response to the 21 Nails threat.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • SPF behavior depends on the implementation.    An invalid clause, or an unresolvable include, should always trigger PERMERROR, so UTM is behaving correctly.   

    But a savvy implementation can try to work with what it has.   I use an implementation of SPF which has a selectable level of strictness.   In the relaxed mode, which I use, it can return two results:  PERMERROR because of the syntax problem, and a second result based on whatever could be determined from the valid clauses.

    My complaints against the UTM implementation of SPF include:

    - Difficult or impossible to create an exception that says, "If SMTP domain is Example.com, and the host name ends with Outlook.com, and the host name forward-confirms to the IP address, then treat the message equivalent to SPF PASS".  This is a typical SPF policy error.

    - Impossible to run in test mode to see which domains have SPF errors, so that exceptions can be created before I begin enforcing SPF.

    My configuration solves that. It uses SmarterMail (free version) from SmarterTools.com as the incoming gateway, Declude (also free) from MailsBestFriend.com as a filtering engine underneath SmarterMail, and our own customization scripts to call the Python PYSPF library (also free). The SmarterMail/Declude/Python configuration receives incoming mail first, then hands it off to the UTM spam filter for additional testing, before passing the allowed messages to my mail server.

    MailsBestFriend can provide per-hour services to help you get started with SmarterMail and Declude,
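
The strict versus relaxed SPF evaluation discussed in the reply above, shown as an added sketch that is not part of the thread and is neither the UTM's nor the PYSPF library's code. The names `evaluate`, `audit` and `RECORDS` are hypothetical, the records are constructed samples standing in for DNS lookups, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample records standing in for DNS TXT lookups (not real data).
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:spf.missing.example -all",
    "clean.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate(domain, ip, records=RECORDS, depth=0):
    """Return (strict_result, relaxed_result) for a sender IP.

    Handles only ip4, ip6, include and all; other mechanisms count as errors.
    """
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return ("none", "none")
    addr = ipaddress.ip_address(ip)
    errors, best = False, None
    for term in record.split()[1:]:
        if "=" in term:          # modifiers (redirect=, exp=) are skipped here
            continue
        qualifier = QUALIFIERS.get(term[0])
        mech = term[1:] if qualifier else term
        name, _, arg = mech.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:   # malformed network is a syntax error
                errors = True
        elif name == "include" and arg in records and depth < 10:
            sub_strict, sub_relaxed = evaluate(arg, ip, records, depth + 1)
            errors = errors or sub_strict == "permerror"
            matched = sub_relaxed == "pass"
        else:                    # unknown clause or unresolvable include
            errors = True
        if matched and best is None:
            best = qualifier or "pass"   # first match wins, keep scanning
    relaxed = best or "neutral"
    return ("permerror" if errors else relaxed, relaxed)

def audit(records=RECORDS, probe_ip="198.51.100.9"):
    """Test mode: list domains whose record yields PERMERROR, without enforcing."""
    return sorted(d for d in records if evaluate(d, probe_ip, records)[0] == "permerror")
```

For the constructed `example.com` record, a sender outside `192.0.2.0/24` gets `permerror` in strict mode while the relaxed result is `fail`, which is the second result a gateway could act on.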