As a best practice, Symantec recommends that all customers add "include: spf.messagelabs.com
" to the existing SPF record of the protected domain even if the outbound delivery route from the protected domain does not use Email Security.cloud.
Adding the Email Security.cloud servers to the SPF record to the protected domain can prevent various mail routing issues, such as those that arise when one customer of Email Security.cloud sends an email message to another customer of Email Security.cloud and the sender has specified "Hard Fail", i.e., "-all" for action under their SPF Record.
For example, if you send an outbound emails to another customer domain which has SPF Check turned on, the following occurs:
The above example gives you an idea why it is critical to have SPF Record of Symanctec.Cloud Email Servers included if you have chosen to use a hard fail as the action for your SPF Record.
Another popular reason for implementing and enforcing SPF is to drop mail messages that have a spoofed sender. This reduces the amount of Backscatter. Backscatter is actually one or more NDRs your users may receive for emails they may never have sent out. What happens is that a spammer uses one of your emails addresses as the Env Sender address for their spam attack on other systems. When one or more of the email addresses are not valid on the recipient side, they issue an NDR which ends up sent to your user. In this case, if the recipient side had SPF Check on and your domain had an SPF record issue with hard fail, all those emails would have been rejected and you would not receive any NDR.
To enforce SPF for a domain protected by Email Security.cloud
To enable enforcement of SPF within the Client portal
To add the Email Security.cloud mail servers to an existing SPF record
include:spf.messagelabs.com
include:messagelabs.com
", as most SPF implementations will not iterate through include entries across SPF records for multiple domains. The needed records are in the SOA for spf.messagelabs.com.
About other Anti-Spam features available within the Client portal for Email Security.cloud
Enforcing Sender Policy Framework is only one of many possible ways to reduce spam or other undesired messages to your protected domain. For an overview of the other features available on the Services > Anti-Spam page within the Client portal, see the following help page:
https://techdocs.broadcom.com/us/en/symantec-security-software/email-security/email-security-cloud/1-0/about-anti-spam-detection-settings-and-actions-toc216426968-d2923e687.html
Where to find more information on SPF