Configuring SPF for client authorization

Article ID: 154525


Products

Messaging Gateway

Issue/Introduction

You are seeing messages from a "trusted" source failing the SPF check.

Messages are failing the SPF check.

Cause

Symantec Messaging Gateway is working as designed; however, if you want to configure exceptions for the SPF module, you might have to build some content filtering policies.

By using nslookup or dig, you can get the TXT records for the problematic domain, and you will notice that the connecting IP address is not in that domain's SPF record:
example.net           3600    IN      TXT     "v=spf1 ip4:192.168.1.1 ~all"
example.com.          7200    IN      TXT     "v=spf1 ip4:192.168.1.2 -all"

In this example, you are receiving messages from the domain example.com destined for yourdomain.com. SMG verifies the connecting IP address against the SPF record of example.com, not yourdomain.com, and therefore returns an SPF fail verdict. You need to "authorize" the messages based on the "sender domain".
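To see why the verdict comes out as fail for one domain and softfail for the other, here is an added example (not code from the article or from SMG) that evaluates a connecting IP address against the two TXT records quoted above. The records are embedded in a dictionary as a constructed stand-in for the nslookup/dig query; only the ip4, ip6 and all mechanisms are implemented, which is all these records use. The function names and the address 203.0.113.7 are assumptions for illustration.

```python
import ipaddress

# Constructed stand-in for the DNS lookup: the two TXT records quoted above,
# keyed by domain, instead of a live nslookup/dig query.
TXT_RECORDS = {
    "example.net": "v=spf1 ip4:192.168.1.1 ~all",
    "example.com": "v=spf1 ip4:192.168.1.2 -all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_domain, connecting_ip, records=TXT_RECORDS):
    """Return the SPF result for connecting_ip sending as sender_domain.

    Only the ip4, ip6 and all mechanisms are implemented here; that is enough
    for the records above. a, mx and include would need further DNS lookups.
    """
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"            # the domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"          # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # a bare address such as ip4:192.168.1.1 is treated as a /32 network
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError("mechanism %r needs a DNS lookup" % mech)
    return "neutral"             # nothing matched and there is no "all" term


def authentication_results(sender_domain, connecting_ip, records=TXT_RECORDS):
    """Build the header line SMG adds (format described under Resolution)."""
    result = evaluate_spf(sender_domain, connecting_ip, records)
    return "Authentication-Results: spf=%s" % result


if __name__ == "__main__":
    # 203.0.113.7 is a constructed documentation address absent from both records
    for domain in ("example.net", "example.com"):
        for ip in ("192.168.1.1", "192.168.1.2", "203.0.113.7"):
            print(domain, ip, authentication_results(domain, ip))
```

Run against the records above, the address listed for example.com passes, any other address fails for example.com (because of -all) and only softfails for example.net (because of ~all), which is exactly the RESULT value SMG writes into the header.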

Resolution

When SPF is enabled on Symantec Messaging Gateway (SMG) 9.5.x, every inbound message coming to SMG gets a header with the following format:
Authentication-Results: spf=RESULT

The RESULT field usually has the value fail or softfail. Starting with version 9.5, we provide a sample content filtering policy to treat the softfail result; the fail result is handled by the policy configured under Spam -> Sender Authentication. However, you can configure that policy to "Deliver message normally" and then use a content filtering policy to deal with the fail result separately.

Here is an example of a policy that detects the fail result and authorizes delivery if the sender domain matches the policy:

1) Change the default SPF policy to deliver messages normally under Spam -> Sender Authentication
2) Create an "Inbound" content filtering policy to look for the header:
If text in Message header "Authentication-Results" contains 1 or more occurrences of "spf=fail"
3) Add another condition to look for the "authorized" domains:
If text in From/To/Cc/Bcc Address part of the message does not match regular expression ".*\@example\.com$"
4) Set the action you want to take on the messages that fail SPF and do not come from the authorized domain(s) above.
5) Select the group(s) to which you want to apply that policy.
6) Click SAVE


NOTE: You might need to add extra conditions if you have to authorize other domains. Make sure this policy is at the very top of the content filtering policies page.
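The following added example (not code from the article or from SMG) emulates the policy built in steps 2 through 4, extended as the note suggests to a list of several authorized domains: it reads the Authentication-Results header, checks for spf=fail, and then tests the From address against one regular expression per authorized domain, each of the same shape as the step 3 expression. The sample messages, the second domain "partner.example", the "quarantine" action and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains whose senders stay "authorized" despite an SPF fail. Each one becomes
# a condition like the regular expression in step 3. "partner.example" is a
# constructed placeholder, not a domain from the article.
AUTHORIZED_DOMAINS = ["example.com", "partner.example"]

# Constructed placeholder for whatever action you choose in step 4
POLICY_ACTION = "quarantine"


def authorized_pattern(domain):
    """Regex of the same shape as the step 3 expression, built for one domain."""
    return re.compile(r".*@" + re.escape(domain) + r"$", re.IGNORECASE)


def spf_fail_policy(raw_message, authorized_domains=AUTHORIZED_DOMAINS):
    """Emulate the inbound content filtering policy from the steps above.

    Returns POLICY_ACTION when the message carries spf=fail AND its From
    address does not match any authorized domain; otherwise "deliver".
    """
    msg = message_from_string(raw_message)
    # Step 2: header "Authentication-Results" contains "spf=fail"
    # (a message may carry several copies of the header, so check them all).
    auth_results = msg.get_all("Authentication-Results", [])
    if not any("spf=fail" in value for value in auth_results):
        return "deliver"
    # Step 3: the address part of From does not match any authorized domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    if any(authorized_pattern(d).match(from_addr) for d in authorized_domains):
        return "deliver"
    return POLICY_ACTION


# Constructed sample messages, headers only, as SMG would see them after the
# SPF check has added the Authentication-Results header.
TRUSTED_FAIL = (
    "Authentication-Results: spf=fail\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@yourdomain.com\n"
    "Subject: sent on behalf of a trusted domain\n\nbody\n"
)
UNTRUSTED_FAIL = (
    "Authentication-Results: spf=fail\n"
    "From: mallory@other.example\n"
    "To: bob@yourdomain.com\n"
    "Subject: unauthorized sender\n\nbody\n"
)
SOFTFAIL = (
    "Authentication-Results: spf=softfail\n"
    "From: mallory@other.example\n"
    "To: bob@yourdomain.com\n"
    "Subject: softfail is handled by the sample policy, not this one\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("TRUSTED_FAIL", TRUSTED_FAIL),
                      ("UNTRUSTED_FAIL", UNTRUSTED_FAIL),
                      ("SOFTFAIL", SOFTFAIL)):
        print(name, "->", spf_fail_policy(raw))
```

Because the exception keys on the From address, which any sender can write, keep the authorized-domain list as short as possible and review it whenever a partner changes its mail infrastructure; the regex anchors on the domain with `$` so that a lookalike such as example.com.evil.example does not match.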


Applies To

- Symantec Messaging Gateway 9.5.x
- The sender domain is not listed as an authorized source for your domain.