Cisco Cisco Email Security Appliance C160 Mode D'Emploi

18-21

Cisco AsyncOS 8.5 for Email User Guide

Chapter 18 Email Authentication

How to Verify Incoming Messages Using SPF/SDIF

SIDF does not verify the HELO identity, so in this case, you do not need to publish SPF v2.0 records for
each sending MTA.

Note

If you choose not to support SIDF, publish an “spf2.0/pra ~all” record.

Testing Your SPF Records

In addition to reviewing the RFCs, it is a good idea to test your SPF records before you implement SPF
verification on an Email Security appliance. There are several testing tools available on the openspf.org
website:

http://www.openspf.org/Tools

You can use the following tool to determine why an email failed an SPF record check:

http://www.openspf.org/Why

In addition, you can enable SPF on a test listener and use Cisco’s

trace

CLI command (or perform trace

from the GUI) to view the SPF results. Using trace, you can easily test different sending IPs.

How to Verify Incoming Messages Using SPF/SDIF

Warning

Although Cisco strongly endorses email authentication globally, at this point in the industry's
adoption, Cisco suggests a cautious disposition for SPF/SIDF authentication failures. Until more
organizations gain greater control of their authorized mail sending infrastructure, Cisco urges
customers to avoid bouncing emails and instead quarantine emails that fail SPF/SIDF verification.

Table 18-2

How to Verify Incoming Messages Using SPF/SDIF

Do This

More Info

Step 1

(Optional) Create a custom mail flow policy to
use for verifying incoming messages using
SPF/SDIF.

Defining Rules for Incoming Messages Using
Policy, page 7-14

Step 2

Configure your mail flow policies to verify
incoming messages using SPF/SDIF.

Enabling SPF and SIDF, page 18-22

Step 3

Define the action that the Email Security
appliance takes on verified messages.