Cisco Cisco Email Security Appliance C160 Mode D'Emploi

To use SPF/SIDF, you must enable SPF/SIDF for a mail flow policy on an incoming listener. You can 
enable SPF/SIDF on the listener from the default mail flow policy, or you can enable it for particular 
incoming mail flow policies. 

Choose Mail Policies > Mail Flow Policy.

Click Default Policy Parameters.

In the default policy parameters, view the Security Features section.

In the SPF/SIDF Verification section, click On..

Set the level of conformance (the default is SIDF-compatible). This option allows you to determine 
which standard of SPF or SIDF verification to use. In addition to SIDF conformance, you can choose 
SIDF-compatible, which combines SPF and SIDF.

More settings are available via the CLI. See 

 for 

more information.

If you choose a conformance level of SIDF-compatible, configure whether the verification downgrades 
a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in 
the message. You might choose this option for security purposes.

SPF

The SPF/SIDF verification behaves according to RFC4408.

- No purported responsible address (PRA) identity verification takes 
place.

NOTE: Select this conformance option to test against the HELO 
identity.

SIDF

The SPF/SIDF verification behaves according to RFC4406.

-The PRA Identity is determined with full conformance to the standard.

- SPF v1.0 records are treated as spf2.0/mfrom,pra.

- For a nonexistent domain or a malformed identity, a verdict of Fail is 
returned.

SIDF Compatible

The SPF/SIDF verification behaves according to RFC4406 except for 
the following differences:

- SPF v1.0 records are treated as spf2.0/mfrom.

- For a nonexistent domain or a malformed identity, a verdict of None is 
returned.

NOTE: This conformance option was introduced at the request of the 
OpenSPF community (www.openspf.org).