Cisco Email Security Appliance C160 User Guide
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 19 Email Authentication
How to Verify Incoming Messages Using SPF/SIDF
SIDF does not verify the HELO identity, so in this case, you do not need to publish SPF v2.0 records for each sending MTA.
Note
If you choose not to support SIDF, publish an “spf2.0/pra ~all” record.
Testing Your SPF Records
In addition to reviewing the RFCs, it is a good idea to test your SPF records before you implement SPF verification on an Email Security appliance. There are several testing tools available on the openspf.org website:
http://www.openspf.org/Tools
You can use the following tool to determine why an email failed an SPF record check:
http://www.openspf.org/Why
In addition, you can enable SPF on a test listener and use Cisco’s trace CLI command (or perform trace from the GUI) to view the SPF results. Using trace, you can easily test different sending IPs.
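To check a record offline against several candidate sending IPs before enabling verification, the following is an added example, not code from the Cisco guide and not how the appliance or trace evaluates SPF. It is a minimal Python evaluator that handles only the ip4, ip6 and all mechanisms; the function names and the sample v=spf1 record are constructed for illustration, while "spf2.0/pra ~all" is the record from the note above.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record (documentation address ranges).
SPF1_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
# The record this guide suggests when you choose not to support SIDF.
SIDF_OPTOUT = "spf2.0/pra ~all"

def parse_version(record):
    """Return (version, scopes) for a v=spf1 or spf2.0 record, else None."""
    fields = record.split()
    head = fields[0].lower() if fields else ""
    if head == "v=spf1":
        return "spf1", {"helo", "mfrom"}
    if head.startswith("spf2.0/"):
        return "spf2.0", set(head[len("spf2.0/"):].split(","))
    return None

def evaluate(record, sender_ip):
    """Walk the mechanisms left to right; the first match decides."""
    if parse_version(record) is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported:" + name  # a, mx, include, ... need DNS
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def check_senders(record, sender_ips):
    """Map each candidate sending IP to its result for this record."""
    return {ip: evaluate(record, ip) for ip in sender_ips}

if __name__ == "__main__":
    for ip, result in check_senders(SPF1_RECORD, ["192.0.2.25", "198.51.100.7"]).items():
        print(ip, result)
```

Records that rely on a, mx, include or redirect return an "unsupported" marker here because resolving them needs live DNS; use the online tools or trace for those.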
How to Verify Incoming Messages Using SPF/SIDF
Warning
Although Cisco strongly endorses email authentication globally, at this point in the industry's adoption, Cisco suggests a cautious disposition for SPF/SIDF authentication failures. Until more organizations gain greater control of their authorized mail sending infrastructure, Cisco urges customers to avoid bouncing emails and instead quarantine emails that fail SPF/SIDF verification.
Note
The AsyncOS command line interface (CLI) provides more control settings for SPF level than the web interface. Based on the SPF verdict, the appliance can accept or reject a message, in SMTP conversation, on a per listener basis. You can modify the SPF settings when editing the default settings for a listener’s Host Access Table using the listenerconfig command. See the
Table 19-2 How to Verify Incoming Messages Using SPF/SIDF

| | Do This | More Info |
|---|---|---|
| Step 1 | (Optional) Create a custom mail flow policy to use for verifying incoming messages using SPF/SIDF. | |
| Step 2 | Configure your mail flow policies to verify incoming messages using SPF/SIDF. | |
| Step 3 | Define the action that the Email Security appliance takes on verified messages. | |
| Step 4 | Associate the action with groups of specific senders or recipients. | |
| Step 5 | (Optional) Test the results of message verification. | |