Cisco Email Security Appliance C650 User Guide
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 5 Email Authentication
Overview of SPF and SIDF Verification
Cisco IronPort AsyncOS supports Sender Policy Framework (SPF) and Sender ID Framework (SIDF)
verification. SPF and SIDF are methods for verifying authenticity of email based on DNS records. SPF
and SIDF allow the owner of an Internet domain to use a special format of DNS TXT records to specify
which machines are authorized to transmit email for that domain.
When you use SPF/SIDF authentication, the senders publish SPF records specifying which hosts are
permitted to use their names, and compliant mail receivers use the published SPF records to test the
authorization of the sending Mail Transfer Agent’s identity during a mail transaction.
Note
Because SPF checks require parsing and evaluation, AsyncOS performance may be impacted. In
addition, be aware that SPF checks increase the load on your DNS infrastructure.
When you work with SPF and SIDF, note that SIDF is similar to SPF, but it has some differences. To get
a full description of the differences between SIDF and SPF, see RFC 4406. For the purposes of this
documentation, the two terms are discussed together except in the cases where only one type of
verification applies.
Note
AsyncOS does not support SPF for incoming relays, and AsyncOS does not support SPF for IPv6.
A Note About Valid SPF Records
To use SPF and SIDF with a Cisco IronPort appliance, publish the SPF record according to RFCs 4406
and 4408. Review RFC 4407 for a definition of how the PRA identity is determined. You may also want
to refer to the following website to view common mistakes made when creating SPF and SIDF records:
http://www.openspf.org/FAQ/Common_mistakes
Valid SPF Records
To pass the SPF HELO check, publish a "v=spf1 a -all" SPF record for the HELO hostname of each
sending MTA (separate from the record for the domain). If this record is missing, the HELO check will
likely result in a None verdict for the HELO identity. If SPF checks on mail sent to your domain return
a high number of None verdicts for the HELO identity, the senders probably have not published a
"v=spf1 a -all" SPF record for each sending MTA.
Valid SIDF Records
To support SIDF, you need to publish both "v=spf1" and "spf2.0" records. For example, your DNS
records may look like the following:
example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
smtp-out.example.com. TXT "v=spf1 a -all"
example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"
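The receiver-side check this chapter describes, worked through in code. This is an added example, not AsyncOS or Cisco code: a small SPF/SIDF evaluator that tests a client IP against the HELO, MAIL FROM and PRA identities, using the RFC 4406 record-selection rule (an spf2.0 record with a matching scope wins, otherwise the v=spf1 record is used) and the RFC 4408 limit of ten DNS-querying mechanisms. It reuses the example.com and smtp-out.example.com records shown above and adds constructed data so it runs offline: the hosts colo.example.com (authorized by the /28 but publishing no record of its own, which is what produces the HELO None verdict discussed earlier), loop.example (a self-referencing include) and mail.attacker.invalid, the RFC 5737 addresses, and the function names check_host, select_record and verify_message are all assumptions for illustration. Only the all, a, mx, ip4 and include mechanisms are implemented; modifiers and IPv6 are not.

```python
"""Toy SPF / SIDF evaluator over a constructed, offline DNS table.

Added example, not AsyncOS or Cisco code. All zone data is constructed
(RFC 5737 documentation addresses) so it runs without network access.
"""
import ipaddress

# Constructed zone data keyed by (owner name, record type). The example.com and
# smtp-out.example.com records are the ones shown in this chapter; the others
# are assumptions added for the demonstration.
DNS = {
    ("example.com", "TXT"): [
        "v=spf1 +mx a:colo.example.com/28 -all",
        "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all",
    ],
    ("example.com", "MX"): ["smtp-out.example.com"],
    ("smtp-out.example.com", "TXT"): ["v=spf1 a -all"],
    ("smtp-out.example.com", "A"): ["192.0.2.10"],
    # colo.example.com is authorized via a:colo.example.com/28 but publishes no
    # SPF record of its own, so a HELO check on that name yields None.
    ("colo.example.com", "A"): ["198.51.100.17"],
    # Self-referencing include: shows how the lookup limit terminates a loop.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

MAX_DNS_LOOKUPS = 10  # RFC 4408 section 10.1 processing limit
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def lookup(name, rrtype):
    """Offline stand-in for a DNS query."""
    return DNS.get((name.rstrip(".").lower(), rrtype), [])


def select_record(domain, scope):
    """RFC 4406 record selection: prefer an spf2.0 record whose scope list
    contains the requested scope; otherwise use the v=spf1 record (treated as
    spf2.0/mfrom,pra). Returns None when the domain publishes neither."""
    txt = lookup(domain, "TXT")
    for rec in txt:
        head = rec.split(None, 1)[0]
        if head.startswith("spf2.0/") and scope in head[len("spf2.0/"):].split(","):
            return rec
    for rec in txt:
        if rec.split(None, 1)[0] == "v=spf1":
            return rec
    return None


def check_host(ip, domain, scope, counter=None):
    """Evaluate client <ip> against <domain>'s policy for scope helo/mfrom/pra.
    Implements all, a, mx, ip4 and include with optional qualifier and /prefix;
    anything else (e.g. redirect= or exp= modifiers) is reported as PermError."""
    counter = counter if counter is not None else [0]
    record = select_record(domain, scope)
    if record is None:
        return "None"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:           # skip the version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        body, _, cidr = term.partition("/")   # mechanism[:target][/prefix]
        mech, _, target = body.partition(":")
        prefix = int(cidr) if cidr else 32
        target = target or domain
        if mech in ("a", "mx", "include"):
            counter[0] += 1                   # each of these costs a DNS query
            if counter[0] > MAX_DNS_LOOKUPS:
                return "PermError"
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(f"{target}/{prefix}", strict=False)
        elif mech in ("a", "mx"):
            hosts = [target] if mech == "a" else lookup(target, "MX")
            matched = any(client in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
                          for host in hosts for addr in lookup(host, "A"))
        elif mech == "include":
            sub = check_host(ip, target, scope, counter)
            if sub in ("None", "PermError"):
                return "PermError"
            matched = sub == "Pass"
        else:
            return "PermError"
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"                          # no mechanism matched


def verify_message(client_ip, helo, mail_from, pra):
    """The three identity checks a receiver runs on one transaction: the HELO
    name is checked as a domain itself; for MAIL FROM and PRA the domain part
    of the address is checked under its own scope."""
    return {
        "helo": check_host(client_ip, helo, "helo"),
        "mfrom": check_host(client_ip, mail_from.rsplit("@", 1)[1], "mfrom"),
        "pra": check_host(client_ip, pra.rsplit("@", 1)[1], "pra"),
    }


if __name__ == "__main__":
    sender = "alice@example.com"
    # Outbound MTA whose HELO name has its own "v=spf1 a -all": Pass on all three.
    print(verify_message("192.0.2.10", "smtp-out.example.com", sender, sender))
    # Authorized colo host with no record for its HELO name: HELO verdict is None.
    print(verify_message("198.51.100.20", "colo.example.com", sender, sender))
    # Unrelated host spoofing example.com: -all gives Fail.
    print(verify_message("203.0.113.5", "mail.attacker.invalid", sender, sender))
    print(check_host("192.0.2.10", "loop.example", "mfrom"))  # PermError
```

The second case is the situation the "Valid SPF Records" text warns about: the message passes on MAIL FROM and PRA, yet the HELO identity is None because colo.example.com has no record of its own. The loop.example case is why the DNS-load note matters: without the lookup counter the include chain would recurse forever, and a real resolver would be hammered with queries.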