Sender Policy Framework (SPF)

GFI MailEssentials supports the Sender Policy Framework (SPF). The Sender Policy Framework allows you to check whether a particular email sender is forged or not. Most of today’s spammers use forged email addresses.

SPF is a community effort that is rapidly gaining ground. SPF requires that the company of the sender has published its mail server in an SPF record. For example if an email is sent from xyz@CompanyABC.com then companyABC.com must publish an SPF record in order for SPF to be able to determine if the email was really sent from the companyABC.com network or whether it was forged. If an SPF record is not published by CompanyABC.com, the SPF result will be ‘unknown’.

How SPF works

Domains use public records (DNS) to direct requests to the machines that perform services (web, email, etc.). All domains already publish email (MX) records to publish the machines that receive email for the domain.

For SPF to work, domains need to publish a text record in the DNS of those domains to publish the machines that send email from the domain. When receiving a message from a domain, GFI MailEssentials can check those records to make sure email is coming from where it should be.

GFI MailEssentials does not require you to publish any SPF records yourself. If you would like to do this then you can use the SPF wizard at http://www.openspf.org/wizard.html.

An example

Suppose a spammer forges CompanyABC.com and tries to spam you.

He connects from somewhere other than CompanyABC.

When his message is sent, you see MAIL FROM: <forged_address@CompanyABC.com>, but you do not have to take his word for it. You can ask CompanyABC if the IP address comes from their network.

In this example, CompanyABC publishes an SPF record. That record tells GFI MailEssentials how to find out if the sending machine is allowed to send email from CompanyABC.

If CompanyABC says they recognize the sending machine, it passes, and you can assume the sender is who they say they are. If the message fails the SPF tests, it is a forgery. That is how you can tell it is probably a spammer.

For more information on SPF, and how it works, visit the Sender Policy Framework website at http://www.openspf.org.

SPF on a perimeter (Gateway) SMTP server

The perimeter SMTP server is the machine that receives emails directly from the Internet. If you have installed GFI MailEssentials on a perimeter SMTP server, you do not need configure any settings on GFI MailEssentials (i.e. you do not need to configure the perimeter [gateway] SMTP server options in the Perimeter SMTP Servers tab of the Anti-spam properties).

SPF on a non-perimeter (Gateway) SMTP server

If GFI MailEssentials is NOT installed on a perimeter SMTP server, you must configure the ‘Perimeter SMTP Servers’ option in the Anti-spam node properties. To setup this option, right click on the Anti-spam node > select Properties and click on the Perimeter SMTP Servers tab.

If you are not sure if you have installed GFI MailEssentials on your perimeter SMTP server, you can make use of the ‘Auto Discovery’ button in the Perimeter SMTP setup option to perform a DNS MX lookup and automatically define the IP address of your perimeter SMTP server.

For further details on how to configure your perimeter SMTP server option, please refer to the ‘Defining your Perimeter (Gateway) SMTP Server settings’ section in this chapter.

Configuring the SPF feature

The configuration of SPF is done from the Anti-Spam > Sender Policy Framework node. Right click on this node to open the SPF properties.

SPF block level

Screenshot 38 - Configuring the SPF block level

The rejection level allows you to set the sensitivity of the SPF test. You can choose between four levels:

Never: Never block any messages. When this option is selected, SPF tests are not done on incoming emails.

Low: Only block messages that are determined to have a forged sender. This option will treat any message with a forged sender as spam.

Medium: Block messages which appear to have a forged sender. This option will treat any messages that appear to have a forged sender as spam. This is the default and recommended setting.

High: Block any message that is not proven to be from the sender. This option will treat all email as spam unless it could be proven that the sender is not forged. Since the majority of mail servers do not yet have an SPF record, this option is not yet recommended.

After you define the sensitivity required for your SPF test, click on the Apply button to save this configuration. If you have already specified in GFI MailEssentials that this computer is not your perimeter SMTP server (refer to ‘Defining your perimeter (gateway) SMTP server’ section in this chapter), a dialog box similar to the one shown below will pop up. This dialog box shows the perimeter SMTP server settings that you have configured in GFI MailEssentials (i.e. the IPs specified for your perimeter SMTP server).

Screenshot 39 – Current Perimeter SMTP Server setup

If GFI MailEssentials is installed on your perimeter SMTP server or if you have not yet specified that the mail server on which GFI MailEssentials is installed is not a perimeter SMTP server (refer to ‘Defining your perimeter (gateway) SMTP server’ section in this chapter), the dialog box shown below will pop up.

Screenshot 40 - Reminder: SPF must be installed on the perimeter SMTP server.

This dialog box will remind you that if this computer is not a perimeter server, you must configure the Perimeter SMTP Servers option in the Anti-spam node properties (right click on the Anti-Spam node and select Properties. Click on the Perimeter SMTP Servers tab). For further information on how to configure your perimeter SMTP server, please refer to the ‘Defining your perimeter (gateway) SMTP Server’ section in this chapter.

Click on the OK button. If you wish to test your DNS settings/services, click on the Test button located on top of the Apply button.

Configuring Exceptions

This page allows you to configure the IP addresses and recipients that should be excluded from SPF checks.

Screenshot 41 - Configuring the SPF exceptions

IP exception list: IP addresses in this list will automatically pass SPF checks. Click on the Add button to add a new IP address. To remove an IP address, select it from the list and click on the Remove button. To disable the IP exception list uncheck the IP exception list checkbox.

Recipient exception list: With this option you can ensure that certain recipients always receive their email, even if the messages should be rejected. A recipient exception can be entered in one of three ways:

•	localpart – ‘abuse’ (matches ‘abuse@abc.com’, ‘abuse@xyz.com’, etc...)

•	domain – ‘@abc.com’ (matches ‘john@abc.com’, ‘jill@abc.com’, etc...)

•	complete – ‘joe@abc.com’ (only matches ‘joe@abc.com’)

To disable the recipient exception list uncheck the Recipient exception list checkbox.

Trusted Forwarder Global Whitelist: The Trusted Forwarder Global Whitelist (www.trusted-forwarder.org) provides a global whitelist for SPF users. It provides a way of allowing legitimate email that is sent through known, trusted email forwarders from being blocked by SPF checks because the forwarders do not use some sort of envelope-from rewriting system. By default, this setting is enabled. It is recommended to leave this option enabled always.

Actions tab

After you have configured the SPF feature, click on the Actions tab to specify what you want to do with emails marked as Spam by the SPF filter. For more information on possible actions, please refer to the ‘Actions – what to do with spam email’ section in this chapter.

Other tab

Please refer to the ‘Other options’ section in this chapter.