Sender Policy Framework (SPF)
GFI MailEssentials supports the Sender Policy Framework (SPF). The Sender Policy Framework allows you to check whether a particular email sender is forged or not. Most of today's spammers use forged email addresses.
SPF is a community effort that is rapidly gaining ground. SPF requires that the company of the sender has published its mail server in an SPF record. For example, if an email is sent from xyz@CompanyABC.com, then CompanyABC.com must publish an SPF record so that SPF can determine whether the email was really sent from the CompanyABC.com network or was forged. If CompanyABC.com does not publish an SPF record, the SPF result will be 'unknown'.
How SPF works
Domains use public records (DNS) to direct requests to the machines that perform services (web, email, etc.). All domains already publish email (MX) records to state publicly which machines receive mail for the domain.
With SPF, a domain also publishes a text record in its DNS to state publicly which machines send mail from the domain. When receiving a message from a domain, GFI MailEssentials can check those records to make sure mail is coming from where it should be.
GFI MailEssentials does not require you to publish any SPF records yourself. If you would like to do this then you can use the SPF wizard at: http://spf.pobox.com/wizard.html.
An example
Suppose a spammer forges CompanyABC.com and tries to spam you.
He connects from somewhere other than CompanyABC.
When his message is sent, you see MAIL FROM: <forged_address@CompanyABC.com>, but you don't have to take his word for it. You can ask CompanyABC if the IP address comes from their network.
In this example CompanyABC publishes an SPF record. That record tells GFI MailEssentials how to find out if the sending machine is allowed to send mail from CompanyABC.
If CompanyABC says they recognize the sending machine, it passes, and you can assume the sender is who they say they are. If the message fails the SPF tests, it's a forgery. That's how you can tell it's probably a spammer.
For more information on SPF and how it works, please visit the Sender Policy Framework Web Site at http://spf.pobox.com.
SPF on a perimeter (gateway) SMTP server
The perimeter SMTP server is the machine which receives emails directly from the Internet. If you have installed GFI MailEssentials on a perimeter SMTP server, you do not need to configure any settings in GFI MailEssentials (i.e. you do not need to configure the perimeter [gateway] SMTP server options in the Perimeter SMTP Servers tab of the Anti Spam properties).
SPF on a non-perimeter (gateway) SMTP server
If GFI MailEssentials is NOT installed on a perimeter SMTP server, you must configure the 'Perimeter SMTP Servers' option in the Anti Spam node properties. To set up this option, right-click on the Anti Spam node > select Properties and click on the Perimeter SMTP Servers tab.
If you are not sure if you have installed GFI MailEssentials on your perimeter SMTP server, you can make use of the 'Auto Discovery' button in the Perimeter SMTP setup option to perform a DNS MX lookup and automatically define the IP address of your perimeter SMTP server.
For further details on how to configure your perimeter SMTP server option, please refer to the 'Defining your Perimeter (Gateway) SMTP Server settings' section in this chapter.
Configuring the SPF feature
The configuration of SPF is done from the Anti Spam > Sender Policy Framework node. Right-click on this node to open the SPF properties.
SPF block level
Screenshot 27 - Configuring the SPF block level
The rejection level allows you to set the sensitivity of the SPF test. You can choose between 4 levels:
Never: Never block any messages. When this option is selected SPF tests are not done on incoming emails.
Low: Only block messages which are determined to have a forged sender. This option will treat any message with a forged sender as spam.
Medium: Block messages which appear to have a forged sender. This option will treat any messages that appear to have a forged sender as spam. This is the default and recommended setting.
High: Block any message which is not proven to be from the sender. This option will treat all mail as spam unless it can be proven that the sender is not forged. Since the majority of mail servers do not yet have an SPF record, this option is not yet recommended.
Screenshot 28 - Current Perimeter SMTP Server setup
After you define the sensitivity required for your SPF test, click on the Apply button to save this configuration. If you have already specified in GFI MailEssentials that this computer is not your perimeter SMTP server (refer to 'Defining your perimeter (gateway) SMTP server' section in this chapter), a dialogue similar to the one shown above will pop up. This dialogue shows the perimeter SMTP server settings that you have configured in GFI MailEssentials (i.e. the IPs specified for your perimeter SMTP server).
If GFI MailEssentials is installed on your perimeter SMTP server or if you have not yet specified that the mail server on which GFI MailEssentials is installed is not a perimeter SMTP server (refer to 'Defining your perimeter (gateway) SMTP server' section in this chapter), the dialogue shown below will pop up.
Screenshot 29 - Reminder: SPF must be installed on the perimeter SMTP server.
This dialogue will remind you that if this computer is not a perimeter server, you must configure the 'Perimeter SMTP Servers' option in the Anti Spam node properties (right-click on the Anti Spam node > select 'Properties' and click on the Perimeter SMTP Servers tab). For further information on how to configure your perimeter SMTP server, please refer to the 'Defining your perimeter (gateway) SMTP Server' section in this chapter.
Click on the OK button to close the dialogue on display. If you wish to test your DNS settings/services, click on the Test button located on top of the Apply button.
Configuring Exceptions
Screenshot 30 - Configuring the SPF exceptions
This page allows you to configure the IP addresses and recipients that should be excluded from SPF checks.
IP exception list: IP addresses in this list will automatically pass SPF checks. Click on 'Add...' to add a new IP address. To remove an IP address, select it from the list and click on Remove. To disable the IP exception list, uncheck the 'IP exception list' checkbox.
Recipient exception list: This option allows certain recipients to always receive their email, even if the messages should be rejected. A recipient exception can be entered in one of three ways:
- localpart - "abuse" (matches "abuse@abc.com", "abuse@xyz.com", etc...)
- domain - "@abc.com" (matches "john@abc.com", "jill@abc.com", etc...)
- complete - "joe@abc.com" (only matches "joe@abc.com")
To disable the recipient exception list uncheck the 'Recipient exception list' checkbox.
Trusted Forwarder Global Whitelist: The Trusted Forwarder Global Whitelist (www.trusted-forwarder.org) provides a global whitelist for SPF users. It provides a way of preventing legitimate email that is sent through known, trusted email forwarders from being blocked by SPF checks because the forwarders do not use some sort of envelope-from rewriting system. By default this setting is enabled. It is recommended to always leave this option enabled.
Actions tab
After you have configured the SPF feature, click on the Actions tab to specify what you want to do with emails marked as spam by the SPF filter. For more information on possible actions, please refer to the 'Actions - what to do with spam mail' section in this chapter.
Other tab
Please refer to the 'Other options' section in this chapter.
Defining your Perimeter (Gateway) SMTP Server
The perimeter SMTP server is the mail server gateway which processes emails received directly from the Internet.
Figure 2 - A typical Perimeter SMTP Relay Server setup
Such gateway SMTP servers are generally specified and configured in the DNS MX records of a domain and are often set up in a De-Militarized Zone (DMZ). The DMZ (see figure above) is a public internal network typically used exclusively for servers that are accessed by external clients on the Internet, such as Web, FTP and Mail servers.
If the inbound emails arriving at the server on which GFI MailEssentials is installed are being relayed from another gateway server, then you must specify your gateway SMTP server details using the Perimeter SMTP Servers tab in the Anti Spam properties in order for the SPF filter to work correctly. For example, consider a company in England which receives all its emails on an SMTP server located in the USA. Since the SMTP server in the USA subsequently relays all emails received to the local SMTP server in England, the SMTP server in the USA is the perimeter gateway server for the company in England. When the company in England installs GFI MailEssentials on its local SMTP server, it must make sure to enable the option in the Perimeter SMTP Servers page and specify the details of the SMTP server in the USA for the SPF filter to work correctly.
Screenshot 31 - Perimeter SMTP Server Setup
When GFI MailEssentials is not installed on the perimeter SMTP server, you must:
1. Right-click on the Anti Spam node and select Properties.
2. Click on the 'Perimeter SMTP Servers' tab and enable the 'This machine is not a perimeter SMTP server' option.
3. Click on the Add button and specify the IP address of your perimeter (gateway) SMTP server. Repeat the same process if you want to specify alternative perimeter SMTP servers which you might have available. Please make sure to specify your perimeter SMTP servers in their order of preference, with the actual perimeter server being the one at the top of your list, followed by its alternatives.
NOTE: You can click on the 'Automatic discovery...' button to perform a DNS MX lookup which will automatically search and retrieve the IPs of perimeter SMTP servers configured on your local domains.
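Why the perimeter list matters to SPF: behind a gateway, the machine that connects to the GFI MailEssentials server is the gateway itself, so the address to test has to be read from the Received header that the gateway added. The following is an added example of that selection, not GFI MailEssentials code; the message, host names and addresses are constructed, and the function name spf_client_ip is hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message (documentation addresses): the perimeter gateway
# 198.51.100.5 accepted it from 203.0.113.77 and relayed it inward.
RAW = """\
Received: from gw.example.net ([198.51.100.5]) by mail.internal.example; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.example ([203.0.113.77]) by gw.example.net; Mon, 1 Jan 2024 10:00:01 +0000
Received: from workstation ([10.1.2.3]) by mail.sender.example; Mon, 1 Jan 2024 10:00:00 +0000
From: forged_address@companyabc.example
Subject: test

body
"""
BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def spf_client_ip(raw_message, connecting_ip, perimeter_ips):
    """Return the IP address the SPF test should be run against, or None."""
    perimeter = {ipaddress.ip_address(p) for p in perimeter_ips}
    peer = ipaddress.ip_address(connecting_ip)
    if peer not in perimeter:
        return str(peer)        # delivered straight to this server: use the socket peer
    # Received headers are newest first. A hop that names a listed perimeter
    # server is trusted; the first address outside the list is the real client.
    # Headers below that point were supplied by the sender and are never read.
    for header in message_from_string(raw_message).get_all("Received", []):
        match = BRACKETED_IP.search(header)
        if match is None:
            return None         # trusted hop without an address: do not guess
        try:
            hop = ipaddress.ip_address(match.group(1))
        except ValueError:
            return None         # malformed address literal
        if hop not in perimeter:
            return str(hop)
    return None                 # every hop was a perimeter server

if __name__ == "__main__":
    print(spf_client_ip(RAW, "198.51.100.5", ["198.51.100.5"]))  # gateway listed
    print(spf_client_ip(RAW, "198.51.100.5", []))                # gateway not listed
```

With the gateway missing from the list, the function returns the gateway's own address, so every relayed message would be tested against an IP that no sender's SPF record lists.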