
SPF setup (or internal) question

Hello, 

We have our utm setup as an incoming mail relay for various domains.

Problem is now that when someone spoofs the from address, as one of our internals, it gets passed through.

In the past we had some issues when turning on SPF check.

My question now is, what if we turn on SPF check again.

 

What happens to mail from domains that have no SPF at all???

 

Henk-Jan



  • SPF enforcement should have no effect on domains with no SPF record.

    SPF only checks the SMTP From, not the header From seen by users.  So it may help with some but not all of the spam.

    The SMTP From is supposed to represent the logged in user at the sending system.  Some websites that use your email as login think that gives them the right to send mail on your behalf using your email address.  This violates SPF, so watch for desired mail getting blocked.

    Plenty of businesses have SPF entries that end in maybe (?all) or softfail (~all).  These are probably handled by UTM the same as no SPF record at all.

  • So in a UTM, when you choose to use SPF, the mail with no SPF will be marked as spam? 

    So if some of the people who mail us did not add an SPF record for their domain, their messages will not be flagged as spam or even denied?

    Unfortunately I have no way of testing the SPF behaviour on a UTM for incoming mail.
    So I wanted to know what risk I might be facing.
  • If no SPF is set up for a domain the email passes normally. I think this would be RFC conformant in every system.

    In my mind SPF is a system without very harmful potential, but with even not 100% guaranteed protection. So give it a try.

    Best

    Alex


  • We use SPF check on our UTM since long and also receiving mail on 4 different domains on the UTM.

    SPF-check checks the sending domain's domain for an existing SPF-record. If none exists there simply is nothing to check and mail is accepted.

    If a record does exist and ends in -all (reject all others) then the UTM will reject (quarantine) mail that is sent from somewhere it is not configured to be sent from by the domain owner of the sending domain.

    In our experience those domains ending in -all usually have the record pretty nicely configured and mail will come through. We once had a client that switched internet provider and forgot about the SPF-record. This was a reason for all mails from this client to be quarantined until they reconfigured their SPF-record again.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks, we have a similar setup.

    Only problem we encounter now, is that for the internal email addresses, I need to apply "strict" rules.

    Somehow the UTM accepts it when you send to xyz@abc.com from xyz@abc.com (abc.com is an internal domain)

    When I set SPF check and create a strict rule all is ok.

    Is there another way to prevent outside addresses to spoof internal addresses?

     

    (Tested it with https://www.wormly.com/test-smtp-server)

     

  • What do you mean by a "strict rule"?   Do you mean "Strict Reverse DNS", or something else?   I do not see a "Strict" setting for SPF. 

    Strict reverse DNS will block some traffic, but for unrelated reasons.   The experts at IETF think it is not an effective spam defense.  See RFC 7601, section 2.7.3 on "iprev", for additional information.

    SPF is designed to check the SMTP From information, which is part of the headers that the user never sees.   It is designed to be checked before the whole message is received, which means that it occurs before the FROM Header (the one seen by the user) is transmitted.

    Your problem is most likely occurring because the FROM Header is fraudulent.   I don't know how to fix that with UTM.  I don't think the Exim engine inside UTM is capable of checking the FROM Header.   (I have made this assertion on other occasions in this forum, and it has not yet been disputed or confirmed.)
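    To make the two points above concrete (no record means "none" and the mail passes; only a record ending in -all produces a hard fail; and SPF looks at the SMTP envelope sender, never at the From: header the user sees), here is an added illustration. It is not code from this thread or from Sophos UTM: it is a small offline SPF evaluator over a constructed DNS table, plus a `classify` helper that mirrors what a relay can and cannot learn about a message. The domain names, addresses and the `header_from_aligned` flag are all constructed for the example.

```python
import ipaddress

# Constructed DNS table: domain -> published SPF TXT record (None = no record).
# These domains and addresses are made up for this example.
CONSTRUCTED_DNS = {
    "strict.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "soft.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "neutral.example": "v=spf1 ip4:203.0.113.0/24 ?all",
    "sharedhost.example": "v=spf1 include:strict.example -all",
    "nospf.example": None,
}

# SPF qualifier prefix -> result name (RFC 7208 terminology).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns):
    """Return the SPF record for a domain, or None if nothing usable is published."""
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(domain, ip, dns, depth=0):
    """Evaluate SPF for the envelope (MAIL FROM) domain against the client IP.

    Supports ip4, ip6, include and all; 'a', 'mx' and 'exists' would need live
    DNS and are ignored here. Returns 'none' when the domain publishes no record.
    """
    if depth > 10:  # RFC 7208 caps DNS-consuming terms; guard include loops
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match and without an 'all'


def classify(envelope_from, header_from, client_ip, dns):
    """Show what the relay sees: SPF is judged on the envelope sender only.

    'reject' is True only for a hard fail (record ending in -all), matching
    the behaviour described in the thread. 'header_from_aligned' is an added
    check (constructed for this example) that flags the spoofing gap: a
    passing or absent SPF says nothing about the From: header.
    """
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    result = check_spf(env_domain, client_ip, dns)
    return {
        "spf": result,
        "reject": result == "fail",
        "header_from_aligned": env_domain == hdr_domain,
    }


if __name__ == "__main__":
    # Legitimate sender from an authorised address, and a forged one.
    print(classify("news@strict.example", "news@strict.example", "203.0.113.5", CONSTRUCTED_DNS))
    print(classify("news@strict.example", "news@strict.example", "198.51.100.7", CONSTRUCTED_DNS))
    # Envelope domain has no SPF, From: header claims an internal domain:
    # SPF result is 'none', nothing is rejected, only the alignment flag notices.
    print(classify("bounce@nospf.example", "ceo@abc.example", "198.51.100.7", CONSTRUCTED_DNS))
```

    The last call is the case the thread is about: the envelope sender belongs to a domain without an SPF record, so the check returns "none" and the relay accepts the message, while the From: header that the recipient reads names an internal domain. Only a check on header alignment (what DMARC adds on top of SPF) sees that mismatch.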

  • Correct, 

    The from header is fraudulent. (from external IP addresses) they spoof "internal" domain(s)

    Only way to fix this to use "strict" SPF. 

  • Hi Henk-Jan and welcome to the UTM Community!

    Guys, please vote for and comment on "In Anti-Spam, Expression-check everything after DATA or include From".

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA