Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 9.0 for Email User Guide
 
Chapter 20: Email Authentication
How to Verify Incoming Messages Using SPF/SIDF

Valid SIDF Records

To support the SIDF framework, you need to publish both “v=spf1” and “spf2.0” records. For example, your DNS records may look like the following:

example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
smtp-out.example.com TXT "v=spf1 a -all"
example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"

SIDF does not verify the HELO identity, so in this case, you do not need to publish SPF v2.0 records for each sending MTA.

Note
If you choose not to support SIDF, publish an “spf2.0/pra ~all” record.

Testing Your SPF Records

In addition to reviewing the RFCs, it is a good idea to test your SPF records before you implement SPF verification on an Email Security appliance. There are several testing tools available on the openspf.org website:
http://www.openspf.org/Tools
You can use the following tool to determine why an email failed an SPF record check:
http://www.openspf.org/Why
In addition, you can enable SPF on a test listener and use Cisco’s trace CLI command (or perform trace from the GUI) to view the SPF results. Using trace, you can easily test different sending IPs.

How to Verify Incoming Messages Using SPF/SIDF

Table 20-2    How to Verify Incoming Messages Using SPF/SIDF

          Do This                                                          More Info
Step 1    (Optional) Create a custom mail flow policy to use for verifying incoming messages using SPF/SIDF.
Step 2    Configure your mail flow policies to verify incoming messages using SPF/SIDF.
Step 3    Define the action that the Email Security appliance takes on verified messages.
Step 4    Associate the action with groups of specific senders or recipients.
Step 5    (Optional) Test the results of message verification.
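
The record requirement from "Valid SIDF Records" above can be checked before enabling verification. The following is an added example, not code from the Cisco guide: it reads zone-file-style TXT lines (the three records shown on this page plus a constructed nosidf.example name) and reports, per name, whether both a "v=spf1" and an "spf2.0" record are published and whether the "spf2.0/pra ~all" opt-out is present. The function names are assumptions made for the example, and it inspects only the version prefix and scopes, not the mechanisms.

```python
import re
from collections import defaultdict

# The three records shown on this page, plus a constructed opt-out name.
ZONE = '''
example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
smtp-out.example.com TXT "v=spf1 a -all"
example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"
nosidf.example. TXT "v=spf1 mx -all"
nosidf.example. TXT "spf2.0/pra ~all"
'''
LINE = re.compile(r'^(\S+)\s+TXT\s+"([^"]*)"$')

def parse_zone(text):
    """Group TXT strings by owner name (case and trailing dot ignored)."""
    by_name = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            by_name[m.group(1).rstrip(".").lower()].append(m.group(2))
    return dict(by_name)

def classify(txt):
    """Return (version, scopes, terms) for an SPF or Sender ID string, else None."""
    head, *terms = txt.split() or [""]
    head = head.lower()
    if head == "v=spf1":
        return ("spf1", set(), terms)
    if head.startswith("spf2.0/"):
        scopes = set(head[len("spf2.0/"):].split(","))
        if scopes <= {"mfrom", "pra"}:  # the two scopes used in spf2.0 records
            return ("spf2.0", scopes, terms)
    return None

def sidf_status(txts):
    """Report which record versions one name publishes and whether it opts out."""
    parsed = [c for c in map(classify, txts) if c]
    spf1 = any(v == "spf1" for v, _, _ in parsed)
    v2 = [(s, t) for v, s, t in parsed if v == "spf2.0"]
    opt_out = any(s == {"pra"} and t == ["~all"] for s, t in v2)
    return {"spf1": spf1,
            "spf2_scopes": set().union(*(s for s, _ in v2)),
            "opt_out": opt_out,
            "sidf_ready": spf1 and bool(v2) and not opt_out}

if __name__ == "__main__":
    for name, txts in parse_zone(ZONE).items():
        print(name, sidf_status(txts))
```

The smtp-out.example.com name reports only "v=spf1", which matches the guide's statement that SIDF does not verify the HELO identity and so needs no spf2.0 record per sending MTA.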