Cisco Email Security Appliance X1050 User Guide
User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
Chapter 22 Email Authentication
Valid SPF Records
To pass the SPF HELO check, ensure that you include a “v=spf1 a -all” SPF record for each sending
MTA (separate from the domain). If you do not include this record, the HELO check will likely result in
a None verdict for the HELO identity. If you notice that SPF senders to your domain return a high
number of None verdicts, these senders may not have included a “v=spf1 a -all” SPF record for each
sending MTA.
Valid SIDF Records
To support the SIDF framework, you need to publish both “v=spf1” and “spf2.0” records. For example,
your DNS record may look like the following example:
example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
smtp-out.example.com TXT "v=spf1 a -all"
example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"
SIDF does not verify the HELO identity, so in this case, you do not need to publish SPF v2.0 records for
each sending MTA.
Note: If you choose not to support SIDF, publish an “spf2.0/pra ~all” record.
Testing Your SPF Records
In addition to reviewing the RFCs, it is a good idea to test your SPF records before you implement SPF
verification on an Email Security appliance. There are several testing tools available on the openspf.org
website:
http://www.openspf.org/Tools
You can use the following tool to determine why an email failed an SPF record check:
http://www.openspf.org/Why
In addition, you can enable SPF on a test listener and use Cisco’s trace CLI command (or perform trace
from the GUI) to view the SPF results. Using trace, you can easily test different sending IPs.
How to Verify Incoming Messages Using SPF/SIDF
Step 1: (Optional) Create a custom mail flow policy to use for verifying incoming messages using SPF/SIDF.
Step 2: Configure your mail flow policies to verify incoming messages using SPF/SIDF.
Step 3: Define the action that the Email Security appliance takes on verified messages.
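To complement the tools listed under "Testing Your SPF Records", the following added example (not from the Cisco guide) evaluates the page's sample records offline for several sending IPs, including a HELO name that publishes no record and therefore gets the None verdict described under "Valid SPF Records". The A and MX data, the IP addresses and the function names are assumptions, and only the all, ip4, a and mx mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS: the page's sample TXT records plus assumed
# A/MX data (documentation address ranges), so the check runs offline.
TXT = {
    "example.com": ["v=spf1 +mx a:colo.example.com/28 -all",
                    "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"],
    "smtp-out.example.com": ["v=spf1 a -all"],
}
A = {"mail.example.com": ["192.0.2.10"], "colo.example.com": ["198.51.100.17"],
     "smtp-out.example.com": ["192.0.2.25"]}
MX = {"example.com": ["mail.example.com"]}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    recs = [t for t in TXT.get(domain, []) if t.split()[:1] == ["v=spf1"]]
    return recs[0] if recs else None

def matches(mech, domain, ip):
    """True if ip matches one mechanism (subset: all, ip4, a, mx; IPv4 only)."""
    body, _, prefix = mech.partition("/")
    name, _, target = body.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        addrs = [target]
    elif name == "a":
        addrs = A.get(target or domain, [])
    elif name == "mx":
        addrs = [a for host in MX.get(target or domain, []) for a in A.get(host, [])]
    else:
        raise ValueError(f"mechanism outside this example's subset: {mech}")
    nets = [ipaddress.ip_network(f"{a}/{prefix or 32}", strict=False) for a in addrs]
    return any(ipaddress.ip_address(ip) in net for net in nets)

def check_host(ip, identity):
    """Evaluate the identity's (HELO name or MAIL FROM domain) record for ip."""
    record = spf_record(identity)
    if record is None:
        return "None"               # no v=spf1 record for this identity
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if matches(mech, identity, ip):
            return QUALIFIERS[qualifier]
    return "Neutral"                # no mechanism matched (RFC 7208 default)

if __name__ == "__main__":
    for ip, ident in [("192.0.2.10", "example.com"), ("203.0.113.5", "example.com"),
                      ("192.0.2.25", "smtp-out.example.com"), ("192.0.2.10", "mail.example.com")]:
        print(f"{ip:15} {ident:22} {check_host(ip, ident)}")
```

The last case shows why each sending MTA needs its own record: mail.example.com is a legitimate MX host for the domain, yet its HELO identity evaluates to None because no TXT record exists under that name.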