Cisco Cisco Email Security Appliance C160 Mode D'Emploi

To pass the SPF HELO check, ensure that you include a “v=spf1 a –all” SPF 
record for each sending MTA (separate from the domain). If you do not include 
this record, the HELO check will likely result in a None verdict for the HELO 
identity. If you notice that SPF senders to your domain return a high number of 
None verdicts, these senders may not have included a “v=spf1 a –all” SPF record 
for each sending MTA.

To support the SIDF framework, you need to publish both “v=spf1” and “spf2.0” 
records. For example, your DNS record may look like the following example:

SIDF does not verify the HELO identity, so in this case, you do not need to publish 
SPF v2.0 records for each sending MTA. 

If you choose not to support SIDF, publish an “spf2.0/pra ~all” record. 

In addition to reviewing the RFCs, it is a good idea to test your SPF records before 
you implement SPF verification on an IronPort appliance. There are several 
testing tools available on the openspf.org website:

http://www.openspf.org/Tools

You can use the following tool to determine why an email failed an SPF record 
check:

http://www.openspf.org/Why

In addition, you can enable SPF on a test listener and use IronPort’s 

trace 

CLI 

command (or perform trace from the GUI) to view the SPF results. Using trace, 
you can easily test different sending IPs.

example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"

smtp-out.example.com TXT "v=spf1 a -all"

example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"