Sender Policy Framework
This filter uses SPF records to stop email sent from forged IP addresses by identifying if the sender IP address is authorized. The Sender Policy Framework filter is based on a community-based effort, which requires that the senders publish the IP addresses of their mail servers in an SPF record.
Example: If an email is sent from xyz@CompanyABC.com then companyABC.com must publish an SPF record in order for SPF to be able to determine if the email was really sent from the companyABC.com network or whether it was forged. If an SPF record is not published by CompanyABC.com, the SPF result will be ‘unknown’.
For more information on SPF and how it works, visit the Sender Policy Framework website at:
NOTE
GFI MailEssentials does not make it a requirement to publish an SPF record.
The SPF filter is NOT enabled by default and it is recommended to enable this option and to have this filter running prior to the Email Whitelist so to block forged senders before these are whitelisted.
Prerequisites
Before enabling the Sender Policy Framework filter on a non-gateway server installation:
- Go to General Settings > Perimeter SMTP Servers.
- Click Detect in the SMTP Server list area to perform a DNS MX lookup and automatically define the IP address of your perimeter SMTP server.
Enabling the Sender Policy Framework
- Select Anti-Spam > Anti-Spam Filters > Sender Policy Framework.
Enable and configure the Sender Policy Framework
- Click Enabled to enable the Sender Policy Framework filter. If the email sender IP address is definitely not authorized to send emails from the sender domain, emails are blocked.
- Optionally, select Enable Advanced SPF filtering and select one of the advanced option from:
| Option | Description |
|---|---|
| Block SOFT FAIL result |
Blocks all emails which:
For more information on Advanced SPF filtering, refer to: |
| Block SOFT FAIL, Neutral, Unknown and NONE results |
Blocks all emails which:
For more information on Advanced SPF filtering, refer to: |
- Select IP Exceptions or Email Exceptions tab to configure IP addresses and/or recipients to exclude from SPF checks:
- IP exception list: Entries in this list automatically pass SPF checks. Select IP Exception List checkbox,add a new IP address and description and click Add. To remove entries, select entries from the list and click Remove Selected. To disable the IP exception list unselect IP Exception List checkbox.
NOTE
When adding IP addresses to the IP exception list, you can also add a range of IP addresses using the CIDR notation.
- Email exception list: This option ensures that certain email senders or recipients are excluded from SPF checking, even if the messages are rejected.Select Email Exception List checkbox,add a new email address and description and click Add. To remove entries, select entries from the list and click Remove Selected. To disable the Email exception list unselect Email Exception List checkbox. An email address can be entered in any of the following three ways:
- local part - ‘abuse’ (matches ‘abuse@abc.com’, ‘abuse@xyz.com’, etc...)
- domain - ‘@abc.com’ (matches ‘john@abc.com’, ‘jill@abc.com’, etc...)
- complete - ‘joe@abc.com’ (only matches ‘joe@abc.com’)
- Click Actions tab to select the actions to perform on messages identified as spam. For more information refer to Spam Actions - What to do with spam emails.
- Click Apply to save settings.