Cisco Email Security Appliance C380 User Manual
Chapter 5 Email Authentication
Cisco IronPort AsyncOS 7.5 for Email Advanced Configuration Guide
OL-25137-01
Valid SPF Records
To pass the SPF HELO check, ensure that you include a “v=spf1 a -all” SPF
record for each sending MTA (separate from the domain). If you do not include
this record, the HELO check will likely result in a None verdict for the HELO
identity. If you notice that SPF senders to your domain return a high number of
None verdicts, these senders may not have included a “v=spf1 a -all” SPF record
for each sending MTA.
Valid SIDF Records
To support the SIDF framework, you need to publish both “v=spf1” and “spf2.0”
records. For example, your DNS record may look like the following example:
example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
smtp-out.example.com TXT "v=spf1 a -all"
example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"
SIDF does not verify the HELO identity, so in this case, you do not need to publish
SPF v2.0 records for each sending MTA.
Note
If you choose not to support SIDF, publish an “spf2.0/pra ~all” record.
Testing Your SPF Records
In addition to reviewing the RFCs, it is a good idea to test your SPF records before
you implement SPF verification on an IronPort appliance. There are several
testing tools available on the openspf.org website:
http://www.openspf.org/Tools
You can use the following tool to determine why an email failed an SPF record
check:
http://www.openspf.org/Why
In addition, you can enable SPF on a test listener and use IronPort’s trace CLI
command (or perform trace from the GUI) to view the SPF results. Using trace,
you can easily test different sending IPs.
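A local pre-check to run on a planned record set before publishing it, as an added example that is not from the Cisco guide: it flags a domain missing either record type and any sending MTA whose HELO name has no usable “v=spf1” record. The names ZONE, classify and lint, and the hosts smtp-out2 and smtp-out3, are hypothetical; the script reads an inline table and does not query DNS.

```python
# Added example, not from the Cisco guide. ZONE is constructed sample data:
# the records shown on this page plus two hypothetical MTAs (smtp-out2,
# smtp-out3) added to trigger the findings.
ZONE = {
    "example.com": [
        "v=spf1 +mx a:colo.example.com/28 -all",
        "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all",
    ],
    "smtp-out.example.com": ["v=spf1 a -all"],
    "smtp-out2.example.com": [],  # no TXT record published
    "smtp-out3.example.com": ["v=spf1 a \u2013all"],  # en dash, not a hyphen
}

def classify(txt):
    """Return 'spf1', 'spf2.0' or None (not an SPF/SIDF record)."""
    parts = txt.split()
    first = parts[0].lower() if parts else ""
    if first == "v=spf1":
        return "spf1"
    if first == "spf2.0" or first.startswith("spf2.0/"):
        return "spf2.0"
    return None

def lint(zone, domain, mtas):
    """Check a domain and its sending MTAs against the guidance above."""
    findings = []
    kinds = {classify(t) for t in zone.get(domain, [])}
    for needed, label in (("spf1", "v=spf1"), ("spf2.0", "spf2.0")):
        if needed not in kinds:
            findings.append(f"{domain}: no {label} record")
    for mta in mtas:
        spf1 = [t for t in zone.get(mta, []) if classify(t) == "spf1"]
        if not spf1:
            # Nothing to evaluate at the HELO name: expect a None verdict.
            findings.append(f"{mta}: no v=spf1 record, HELO check likely None")
        for t in spf1:
            if not t.isascii():
                # Typographic dashes or quotes pasted from a document
                # turn a valid-looking term into one no checker accepts.
                findings.append(f"{mta}: non-ASCII character in {t!r}")
    return findings

if __name__ == "__main__":
    hosts = [h for h in ZONE if h != "example.com"]
    for line in lint(ZONE, "example.com", hosts):
        print(line)
```

Records that pass this check still need to be confirmed with the openspf.org tools or the trace command, since the script does not evaluate mechanisms against a sending IP.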