
Rejected: SPF (SPF check failed)

I have received a complaint that an email hasn't been replied to and according to a user within our company he didn't receive it.

After checking from the mail manager, there were 3 emails from the same person on different dates; one of them passed and the others got rejected due to SPF check failed.

Any ideas?

  • Seems the sender's SPF definition is not correct.

    You see different sender IPs. Possibly the second is not within the SPF record.

    You can check the record and compare the IP here: https://mxtoolbox.com/spf.aspx


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • OK, will inform the client's IT Dept.

    Thanks

  • Or you can skip SPF Check for that domain

    The sender was informed about the error. Don't do anything, because it isn't your fault.

  • SPF is a very weak defense. Most spammers have it configured correctly and many legitimate senders have mistakes. SPF only matches the internal authorized-as information to the source IP address, and that internal identifier is often unrelated to the "From" information seen by the user.

    If UTM allowed simulation of the impact, it might be useful, but at present I find it useless.

  • We use SPF within nearly every customer system. Big ISPs use SPF filtering too.

    It is not a great trick to configure SPF correctly.

    The great advantage is for the domain owner. Spammers are unable to send spam with my mail address as source (if the recipient uses SPF).

    This protects the good reputation of the company.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Are you sure about that?

    You have to know my DNS server account to change my domain's SPF. Or the spammers have to manipulate the UTM SPF check, because it is not provided in the email headers or body.

  • Any mailer can put anybody's information in the "From" line seen by the user, which is what matters for social engineering attacks. SPF is not intended to check what the user sees. The SPF check is done during the HELO before the user-visible From is even transmitted.

    I think DKIM can be used to validate either the From or the Authorized-As, and DMARC can be used to say that DKIM information must be present, but I do not think it can state that the From is always verifiable. UTM does not seem to support DMARC, nor does my other spam filter, so I may be mistaken.

    Most large companies use third parties for promotional mailing under their name. Big web platforms like Salesforce also mail under the identity of their clients. These contracts are often established without involvement of the corporate mail team, which is why the SPF information is often wrong.

    My attempts to evaluate SPF effectiveness have led me to conclude that the incremental volume of blocked spam is trivial, and less than the number of false positives. Because UTM only provides a block option for SPF, it is impossible to evaluate blocked messages to discern if they are legitimate or spam.

    That, at least, has been my experience.

  • You are wrong. SPF check has nothing to do with the email transmission or email data. Most domain owners authorize only one or multiple IPs to send emails on behalf of their domains. And other owners don't put an SPF record in their DNS. UTM scans for SPF records after the email is received.

    If the owner didn't put an SPF record, the email will pass. If there is an SPF record but the IP is not there, the email is considered as spam.

    To be clear, the owner of the domain who sends the email in this way protects his domain reputation.

  • For anyone interested in digging further, this is the current RFC for SPF:

    https://tools.ietf.org/html/rfc7208

  • SPF comes late in the SMTP conversation, just before DATA, I think. It's no wonder that it is responsible for only about 0.4% of rejections. RDNS/HELO and RBLs are responsible for 80+% of rejections. I suspect that the SPF rejections would wind up in the quarantine as probable spam.

    Doug's correct that, especially in the beginning, you must keep an eye on SPF rejections in order to create Exceptions for desired senders. So, in the UTM today, for overloaded admins, I would no longer suggest selecting the SPF check on the 'Antivirus' tab, although that does mean that your Proxy will be responsible for some backscatter to domains whose address was forged in the Reply-To field.

    However, it is recommended to have a robust SPF record in your authoritative name server.  You will want to start with ?all and get to -all once you've identified all of your valid sender IPs.  Hopefully, other people will continue to check SPF.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
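Two points in this thread lend themselves to a worked check: Dirk's observation that the rejected messages came from a sender IP that is probably not listed in the sender's SPF record, and Bob's advice to publish a record that starts at ?all and moves to -all once every legitimate sender IP is known. The following Python script is an added example written for this page, not code from Sophos UTM or from any poster. It evaluates an SPF TXT record against a connecting IP for the ip4, ip6 and all mechanisms only; include, a, mx and exists require DNS lookups and are deliberately ignored here (an assumption that keeps the script offline and is not full RFC 7208 behaviour). The record and the three sender IPs are constructed sample data.

```python
import ipaddress

# Map of SPF qualifier prefix to the result name defined in RFC 7208 section 2.6.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples.

    Modifiers such as redirect= are returned untouched and ignored by check_spf.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208: a missing qualifier means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_spf(record, sender_ip):
    """Return the SPF result for sender_ip under record.

    Offline subset of check_host(): only ip4, ip6 and all are evaluated
    (assumption for this example). If nothing matches and there is no 'all'
    term, RFC 7208 section 4.7 says the result is 'neutral'.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            try:
                # strict=False lets a bare address or a network with host bits through
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"           # malformed mechanism value
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        elif name == "all":
            return RESULT[qualifier]          # 'all' always matches; qualifier decides
        # include / a / mx / exists / ptr need DNS; skipped in this offline example
    return "neutral"


def triage(record, messages):
    """Evaluate each received message's connecting IP against the record.

    messages: dict of date -> sender IP taken from the Received headers.
    """
    return {date: check_spf(record, ip) for date, ip in messages.items()}


# Constructed sample: three messages from one sender, as in the thread's report.
MESSAGES = {
    "2019-03-01": "192.0.2.10",     # listed in the record: passes
    "2019-03-08": "198.51.100.5",   # not listed: result depends on the 'all' qualifier
    "2019-03-15": "198.51.100.5",
}

# A record published with -all rejects the unlisted IP outright ...
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
# ... while the same record with ?all yields 'neutral', which receivers treat as no opinion.
LOOSE_RECORD = "v=spf1 ip4:192.0.2.0/24 ?all"

if __name__ == "__main__":
    for label, record in (("-all", STRICT_RECORD), ("?all", LOOSE_RECORD)):
        print(label, triage(record, MESSAGES))
```

Run against the constructed data, the -all record reports pass for the first message and fail for the other two, which is the pattern the original poster saw; the ?all record reports neutral for the same two messages, which is why Bob suggests starting there while the list of legitimate sender IPs is still being collected, and only switching to -all once it is complete. For a real sender domain the record comes from a DNS TXT query and the IP from the Received header added by your own gateway.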