search cancel

Sender Authentication rule is triggered for domains not listed in "Authenticate only the following domains"


Article ID: 172650


Updated On:


Messaging Gateway


You have configured Sender Authentication (SPF, SenderID or DMARC) and selected the option, "Authenticate only the following domains". Some domains that are not on the list of domains are getting a Sender Authentication verdict and triggering the content policy.


This is caused by a previous server adding an Sender Authentication (SPF, SenderID or DMARC) header to the message.


Update: This issue has been addressed in SMG 10.7.3-5 and later. Existing SPF headers will be removed prior to scanning to prevent false positives from our SPF rules.


Currently the workaround is to add a second condition to the content rule for SPF, SenderID or DMARC that looks for the Authentication-Results header for SMG.

  1. Check the rule and click Edit.
  2. Change "Which of the following conditions must be met" from Any to All.
    1. Under Conditions, change "Which of the following conditions must be met" from "Any" to "All"
    2. Click Add to a condition matching the following:
      1. Text in this specific part of the message: "Message Header"
      2. Header name: "Authentication-results" (without the quotes)
      3. Contains 1 : "symauth.service.identifier" (without the quotes)
      4. Click Add Condition.
  3. Optionally change the action of the rule under Actions.
  4. Optionally apply the rule to policy groups under Apply to the following policy groups.
  5. Click Save.