romanr
Valued Contributor

SPF Checking

Hi, I activated sender-policy-framework some time ago on some FortiMails! After having a look through the logs I can see that SPF checking is being performed, but actually mails are not getting blocked as they should! Log messages say: SPF indicates that MTA (xxxxxx) is not permitted to send email for xxxx.xx ..... but email is still getting through if there is not any other spam-filter hitting it.... The Docs say "An unauthorized client IP address increases the client sender reputation score. An authorized client IP address decreases the client sender reputation score." .... But what if I want to block mails whose SPF records don't match the originating IP?!?!?!? cheers.roman
npassion
New Contributor

Using SPF itself to make a spam/ham decision would cause many false positives. The SPF result coupled with deep header analysis (AntiSpam profile > Deep header analysis > Header analysis) would block some SPF-violating emails.
romanr
Valued Contributor

ORIGINAL: npassion Using SPF itself to make spam/ham decision would cause many false positives.
Why? If there is an SPF record for a domain, I would like to reject any mail from servers that aren't listed there!
ORIGINAL: npassion SPF result coupled with deep header analysis (AntiSpam profile > Deep header analysis > Header analysis) would block some SPF violated emails.
In my opinion the deep-header analysis brings up a lot of false positives... I just use it to quarantine in certain situations... cheers.roman
npassion

There are many poorly configured mail servers with valid SPF records that would fail the SPF check. One case of such poorly configured mail servers could be: an ISP has a mail server that allows an end user to set his/her reply address as his/her account on another mail server, say xxx@gmail.com. However, this mail server would use xxx@gmail.com as the envelope from to send outbound email. This sending behavior would fail the SPF check.
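The failure case described in the post above, as an added example that is not part of the original thread and is not FortiMail's implementation: a small offline SPF evaluator that handles only the `ip4`, `ip6` and `all` mechanisms, plus a policy that rejects on an explicit `fail` only. The domains, addresses and records are constructed; `mailbox.example` stands in for the mailbox provider whose address the ISP server puts in the envelope from.

```python
import ipaddress

# Constructed SPF records (documentation address ranges), keyed by domain.
SPF_RECORDS = {
    "mailbox.example": "v=spf1 ip4:192.0.2.0/24 -all",   # hard fail for others
    "soft.example": "v=spf1 ip4:198.51.100.0/24 ~all",   # soft fail for others
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from, records=SPF_RECORDS):
    """Return the SPF result name for a connecting IP and an envelope sender."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            # a, mx, include, exists, redirect need DNS lookups; out of scope here
            raise NotImplementedError(f"mechanism not handled: {name}")
    return "neutral"  # no mechanism matched and the record has no 'all'


def disposition(spf_result):
    """Reject only on an explicit fail; other results go on to further filters."""
    return "reject" if spf_result == "fail" else "continue"


if __name__ == "__main__":
    # ISP relay at 203.0.113.7 sends with the user's mailbox.example address.
    result = check_spf("203.0.113.7", "xxx@mailbox.example")
    print(result, disposition(result))
```

Rejecting only on `fail` keeps `softfail`, `neutral` and `none` results out of the reject path, so only domains that publish `-all` get their unlisted senders refused.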
romanr
Valued Contributor

You're right with that one! But for corporate usage, I wouldn't have a problem with those getting rejected! Honestly... I WANT those to be rejected.... just for spoofing protection! cheers