
Creating an SPF or Caller ID Record

Overview

You may be receiving spam in which the sender is specified as your own domain. In this case, the recommended solution is to add both an SPF (Sender Policy Framework, an open-source equivalent to Caller ID) record and a Caller ID (a DNS-based test to filter messages from fake sender addresses) record for your email domain.

This will ensure that spammers may not spoof your email domain when sending email to your Kerio Connect. It will also prevent spoofing of your domain for messages sent to other email servers that perform lookups against SPF or Caller ID records.

This article explains how the SPF and Caller ID records should be created and other relevant considerations for this scenario.


Information

Let us walk through the scenario with an example that uses the domain radiusadvertising.com. The outgoing Kerio Connect for this domain is mail.radiusadvertising.com, which resolves to 63.194.168.220. We want any email containing radiusadvertising.com in the From header and SMTP envelope to be refused unless it was sent from 63.194.168.220.

This will require a special DNS configuration called a TXT record. Note that many DNS hosting providers may not support configuration of such records. If you do not host your DNS, you will need to contact your DNS hosting provider (usually the domain registrar) to find out if they will support configuration of TXT type DNS records. We will use Network Solutions in this example, as they support both SPF and Caller ID type TXT records.

Given an outgoing IP of 63.194.168.220, our SPF and Caller ID records would be created exactly this way:

SPF:

v=spf1 mx ip4:63.194.168.220 -all

Caller ID:

<ep xmlns='http://ms.net/1'><out><m> <r>63.194.168.220</r> </m></out></ep>

Note that when configuring the Caller ID record, you must create a special host entry of _ep.yourdomain.com (see the TXT record screenshot below).

For your email domain, replace the IP address in this example with the outgoing IP address of your Kerio Connect.

Note: In case you have multiple outgoing email servers for your domain, you can add them like this:

SPF: ip4:63.194.168.220 ip4:63.194.168.221 ip4:63.194.168.222

Caller ID: <r>63.194.168.220</r> <r>63.194.168.221</r> <r>63.194.168.222</r>

You may verify your records using the following commands:

dig txt _ep.radiusadvertising.com +short

dig txt radiusadvertising.com +short

Or you can use the SPF checker from Kitterman.
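
The dig output above can also be checked automatically. The following script is an added example, not part of the original article or of Kerio Connect: it takes the text printed by dig, picks out the SPF record, and confirms that every outgoing server is listed as an ip4: term and that the record ends in -all. The function name spf_audit and the sample TXT data are this example's own.

```shell
#!/bin/sh
# Added example, not Kerio's code: audit `dig txt <domain> +short` output
# against this article's points. Function name spf_audit is this example's own.
#
# spf_audit RECORDS IP...
#   RECORDS  text as printed by dig +short (one quoted TXT string per line)
#   IP...    outgoing server addresses that must appear as literal ip4: terms
# Prints one finding per line; returns 0 only when nothing is wrong.
spf_audit() {
    records=$1; shift
    # Remove dig's quoting (the `" "` seam of a split string joins with no
    # space), then keep only the SPF records among the TXT answers.
    spf=$(printf '%s\n' "$records" | sed -e 's/" "//g' -e 's/"//g' |
          grep -iE '^v=spf1( |$)' || true)
    count=$(printf '%s\n' "$spf" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no v=spf1 record published"; return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "FAIL: $count SPF records; receivers treat more than one as an error"
        return 1
    fi
    rc=0
    for ip in "$@"; do
        case " $spf " in
            *" ip4:$ip "*) ;;
            *) echo "FAIL: $ip is not authorised by an ip4: term"; rc=1 ;;
        esac
    done
    case "$spf" in
        *" -all") ;;
        *" ~all") echo "FAIL: ends in ~all (soft fail), not -all"; rc=1 ;;
        *)        echo "FAIL: does not end in -all"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $spf"
    return "$rc"
}

# Constructed sample input: the article's record next to an unrelated TXT record.
sample='"some-site-verification=constructed"
"v=spf1 mx ip4:63.194.168.220 -all"'
spf_audit "$sample" 63.194.168.220
# Live use: spf_audit "$(dig txt radiusadvertising.com +short)" 63.194.168.220
```

The check only recognises addresses written as plain ip4: terms, as in this article; addresses authorised through mx, include or a CIDR range are reported as missing.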

The following images are taken from the DNS editor of Network Solutions.

[Screenshot: edittxt.png]

[Screenshot: txtrecordshot.png]

Relevant Considerations

Not all DNS hosting providers support configuration of TXT type records. The previous example uses Network Solutions. Other providers such as GoDaddy may only support SPF, but not Caller ID as it uses XML data.

If you do not host your DNS, you will need to contact your DNS hosting provider to confirm that they support configuration of TXT records.

If you have defined an IP address in your records (as in this example), you will need to update the records if the IP address of your mail server changes.

If you have created your own SPF record using the wizard at openspf.org, you will probably have a ~all at the end of the line. You will need to change this to -all to force a hard failure, as Kerio Connect will not block a soft fail.

Users outside of your network will not be able to relay email through the outgoing SMTP server of their ISP if they are sending email from the email domain configured with an SPF or Caller ID record. External users should always use the Kerio Connect hosting their email domain for sending outgoing email. Some service providers may block the SMTP protocol (TCP port 25). In this case, you may specify an additional port for the SMTP service.

  1. Priyanka Bhotika