Cisco Cisco Email Security Appliance C160 Mode D'Emploi
17-23
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 17 Email Authentication
Enabling SPF and SIDF
Step 5
Set the level of conformance (the default is SIDF-compatible). This option allows you to determine
which standard of SPF or SIDF verification to use. In addition to SIDF conformance, you can choose
SIDF-compatible, which combines SPF and SIDF.
which standard of SPF or SIDF verification to use. In addition to SIDF conformance, you can choose
SIDF-compatible, which combines SPF and SIDF.
Note
More settings are available via the CLI. See
for
more information.
Step 6
If you choose a conformance level of SIDF-compatible, configure whether the verification downgrades
a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in
the message. You might choose this option for security purposes.
a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in
the message. You might choose this option for security purposes.
Step 7
If you choose a conformance level of SPF, configure whether to perform a test against the HELO identity.
You might use this option to improve performance by disabling the HELO check. This can be useful
because the
You might use this option to improve performance by disabling the HELO check. This can be useful
because the
spf-passed
filter rule checks the PRA or the MAIL FROM Identities first. The appliance
only performs the HELO check for the SPF conformance level.
Enabling SPF and SIDF via the CLI
The AsyncOS CLI supports more control settings for each SPF/SIDF conformance level. When
configuring the default settings for a listener’s Host Access Table, you can choose the listener’s
SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs,
based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance
sends when it rejects a message.
configuring the default settings for a listener’s Host Access Table, you can choose the listener’s
SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs,
based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance
sends when it rejects a message.
Table 17-3
SPF/SIDF Conformance Levels
Conformance Level
Description
SPF
The SPF/SIDF verification behaves according to RFC4408.
- No purported responsible address (PRA) identity verification takes
place.
place.
NOTE: Select this conformance option to test against the HELO
identity.
identity.
SIDF
The SPF/SIDF verification behaves according to RFC4406.
-The PRA Identity is determined with full conformance to the standard.
- SPF v1.0 records are treated as spf2.0/mfrom,pra.
- For a nonexistent domain or a malformed identity, a verdict of Fail is
returned.
returned.
SIDF Compatible
The SPF/SIDF verification behaves according to RFC4406 except for
the following differences:
the following differences:
- SPF v1.0 records are treated as spf2.0/mfrom.
- For a nonexistent domain or a malformed identity, a verdict of None is
returned.
returned.
NOTE: This conformance option was introduced at the request of the
OpenSPF community (www.openspf.org).
OpenSPF community (www.openspf.org).