Cisco Email Security Appliance C160 User Guide

Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 5      Email Authentication
SIDF does not verify the HELO identity, so in this case, you do not need to publish SPF v2.0 records for 
each sending MTA. 
Note
If you choose not to support SIDF, publish an “spf2.0/pra ~all” record. 
Testing Your SPF Records
In addition to reviewing the RFCs, it is a good idea to test your SPF records before you implement SPF 
verification on a Cisco IronPort appliance. There are several testing tools available on the openspf.org 
website:
http://www.openspf.org/Tools
You can use the following tool to determine why an email failed an SPF record check:
http://www.openspf.org/Why
In addition, you can enable SPF on a test listener and use Cisco’s trace CLI command (or perform trace 
from the GUI) to view the SPF results. Using trace, you can easily test different sending IPs.
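The effect of the "spf2.0/pra ~all" record from the Note above can be checked offline before publishing. The following is an added example, not part of the Cisco guide: it picks which published TXT record a Sender ID receiver evaluates for the MAIL FROM and PRA identities. The selection rule (an spf2.0 record naming the scope takes precedence, otherwise the v=spf1 record is reused) is taken from RFC 4406, and the function names and sample records are assumptions constructed for illustration.

```python
import re

# Version/scope prefix of an SPF (v=spf1) or Sender ID (spf2.0/<scopes>) record.
PREFIX = re.compile(r"^(v=spf1|spf2\.0/([a-z,]+))(?= |$)", re.I)
QUALIFIER = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def scopes_of(txt):
    """Return the scopes a TXT string covers, or None if it is not an SPF/SIDF record."""
    m = PREFIX.match(txt.strip())
    if not m:
        return None
    if m.group(1).lower() == "v=spf1":
        return {"v=spf1"}
    scopes = set(m.group(2).lower().split(","))
    return scopes if scopes <= {"mfrom", "pra"} else None

def select_record(txt_records, scope):
    """Record a Sender ID check for `scope` ('mfrom' or 'pra') evaluates.

    An spf2.0 record listing the scope wins; otherwise the v=spf1 record is reused.
    """
    tagged = [(t, scopes_of(t)) for t in txt_records]
    v2 = [t for t, s in tagged if s and scope in s]
    v1 = [t for t, s in tagged if s == {"v=spf1"}]
    chosen = v2 or v1
    if len(chosen) > 1:
        raise ValueError("PermError: more than one applicable record")
    return chosen[0] if chosen else None

def default_result(record):
    """Verdict of the 'all' term, i.e. when no earlier mechanism matches.

    Returns Neutral if the record has no 'all' term; redirect= is not followed.
    """
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return QUALIFIER.get(term[0], "Pass")
    return "Neutral"

# Constructed sample TXT data for a hypothetical domain (192.0.2.0/24 is a documentation range).
BEFORE = ["example-verification=constructed", "v=spf1 ip4:192.0.2.0/24 -all"]
AFTER = BEFORE + ["spf2.0/pra ~all"]

if __name__ == "__main__":
    for name, records in (("before", BEFORE), ("after", AFTER)):
        for scope in ("mfrom", "pra"):
            rec = select_record(records, scope)
            print(name, scope, repr(rec), default_result(rec))
```

With only the v=spf1 record published, the PRA check inherits its hard-fail default; once the spf2.0/pra record is added, the PRA check uses that record while the MAIL FROM check still uses v=spf1.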
Working with SPF on a Cisco IronPort Email Security Appliance
To use SPF/SIDF on a Cisco IronPort appliance, complete the following steps:
Step 1
Enable SPF/SIDF. You enable SPF/SIDF on an incoming listener from the default mail flow policy, or 
you can enable it for different incoming mail flow policies. For more information, see 
.
Step 2
Configure actions to take on SPF/SIDF-verified mail. You can use message or content filters to 
determine actions to take for SPF-verified mail. For more information, see 
Step 3
Test the SPF/SIDF results. Because organizations use different email authorization methods, and each 
organization may use SPF/SIDF differently (for example, the SPF or SIDF policy may conform to 
different standards), you need to test the SPF/SIDF results to ensure that you do not bounce or drop 
emails from authorized senders. You can test the SPF/SIDF results by using a combination of content 
filters, message filters, and the Content Filters report. For more information about testing the SPF/SIDF 
results, see 
.
Warning
Although Cisco strongly endorses email authentication globally, at this point in the industry's 
adoption, Cisco suggests a cautious disposition for SPF/SIDF authentication failures. Until more 
organizations gain greater control of their authorized mail sending infrastructure, Cisco urges 
customers to avoid bouncing emails and instead quarantine emails that fail SPF/SIDF verification.
The AsyncOS command line interface (CLI) provides more control settings for SPF level than the web 
interface. Based on the SPF verdict, the appliance can accept or reject a message during the SMTP 
conversation, on a per-listener basis. You can modify the SPF settings when editing the default settings 
for a listener’s Host Access Table using the listenerconfig command. See the 
 for more information on the settings.