Cisco Email Security Appliance C170 User Guide

18-20
Cisco AsyncOS 8.5 for Email User Guide
 
Chapter 18      Email Authentication
  Overview of SPF and SIDF Verification
Overview of SPF and SIDF Verification
AsyncOS supports Sender Policy Framework (SPF) and Sender ID Framework (SIDF) verification. SPF 
and SIDF are methods for verifying the authenticity of email based on DNS records. They allow 
the owner of an Internet domain to use a special format of DNS TXT record to specify which machines 
are authorized to transmit email for that domain. When you use SPF/SIDF authentication, senders 
publish SPF records specifying which hosts are permitted to use their names, and compliant mail 
receivers use the published SPF records to test the authorization of the sending Mail Transfer 
Agent’s identity during a mail transaction. 
Note
Because SPF checks require parsing and evaluation, AsyncOS performance may be impacted. In 
addition, be aware that SPF checks increase the load on your DNS infrastructure.
When you work with SPF and SIDF, note that SIDF is similar to SPF, but it has some differences. To get 
a full description of the differences between SIDF and SPF, see RFC 4406. For the purposes of this 
documentation, the two terms are discussed together except in the cases where only one type of 
verification applies.
Note
AsyncOS does not support SPF for incoming relays.
A Note About Valid SPF Records
To use SPF and SIDF with an appliance, publish the SPF record according to RFCs 4406 and 4408. 
Review RFC 4407 for a definition of how the PRA identity is determined. You may also want to refer to 
the following website to view common mistakes made when creating SPF and SIDF records:
http://www.openspf.org/FAQ/Common_mistakes
Valid SPF Records
To pass the SPF HELO check, ensure that you include a “v=spf1 a -all” SPF record for each sending 
MTA (separate from the domain). If you do not include this record, the HELO check will likely result in 
a None verdict for the HELO identity. If you notice that SPF senders to your domain return a high 
number of None verdicts, these senders may not have included a “v=spf1 a -all” SPF record for each 
sending MTA.
Valid SIDF Records
To support the SIDF framework, you need to publish both “v=spf1” and “spf2.0” records. For example, 
your DNS records may look like the following:
example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
smtp-out.example.com TXT "v=spf1 a -all"
example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"
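The following Python program is an added example, not part of the Cisco guide and not AsyncOS code. It evaluates the example.com records shown above against a connecting IP, in the way a receiver such as AsyncOS does for the HELO and MAIL FROM identities, and it returns the Pass/Fail/SoftFail/Neutral/None verdicts discussed in this section. The DNS answers are a constructed in-memory zone (the records for example.com and smtp-out.example.com are the ones above; the A/MX data, colo.example.com's address and the nospf.example.net domain are assumptions). Only the a, mx, ip4 and all mechanisms are implemented; include and redirect= raise an error rather than being silently ignored. Record selection follows RFC 4406: an spf2.0 record whose scope list covers the identity being checked is preferred, otherwise the single v=spf1 record is used.

```python
import ipaddress

# Constructed zone data standing in for DNS (not a real resolver). The TXT
# records for example.com and smtp-out.example.com are the ones from the guide;
# the A/MX answers and the other names are assumptions for this example.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 +mx a:colo.example.com/28 -all",
                "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"],
        "MX": ["mail.example.com"],
        "A": ["192.0.2.10"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "colo.example.com": {"A": ["198.51.100.16"]},            # no SPF record of its own
    "smtp-out.example.com": {"TXT": ["v=spf1 a -all"], "A": ["203.0.113.5"]},
    "nospf.example.net": {"A": ["203.0.113.9"]},             # publishes nothing
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def lookup(name, rtype):
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, [])


def record_for_scope(domain, scope="mfrom"):
    """Pick the record to evaluate: an spf2.0 record covering the scope
    (SIDF, RFC 4406) if one exists, otherwise the single v=spf1 record."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("spf2.0/"):
            scopes = txt.split()[0][len("spf2.0/"):].split(",")
            if scope in scopes:
                return txt
    spf1 = [t for t in lookup(domain, "TXT") if t.split()[0] == "v=spf1"]
    return spf1[0] if len(spf1) == 1 else None   # RFC 4408 expects exactly one record


def parse_term(term):
    """Split a mechanism such as '-all', '+mx' or 'a:host/28' into its parts."""
    qualifier = "+"                              # default qualifier is '+'
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    cidr = 32
    if "/" in arg:                               # a:host/28, ip4:net/24
        arg, bits = arg.rsplit("/", 1)
        cidr = int(bits)
    elif "/" in name:                            # a/24, mx/24
        name, bits = name.split("/", 1)
        cidr = int(bits)
    return qualifier, name.lower(), arg, cidr


def ip_matches(ip, address, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{address}/{cidr}", strict=False)


def mechanism_matches(ip, domain, name, arg, cidr):
    target = arg or domain                       # 'a' and 'mx' default to the checked domain
    if name == "all":
        return True
    if name == "ip4":
        return ip_matches(ip, arg, cidr)
    if name == "a":
        return any(ip_matches(ip, a, cidr) for a in lookup(target, "A"))
    if name == "mx":
        return any(ip_matches(ip, a, cidr)
                   for mx in lookup(target, "MX") for a in lookup(mx, "A"))
    raise ValueError(f"mechanism not implemented in this example: {name}")


def check_host(ip, domain, scope="mfrom"):
    """Return the SPF/SIDF verdict for a connecting IP and an identity's domain."""
    record = record_for_scope(domain, scope)
    if record is None:
        return "None"                            # nothing published: the None verdict
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            raise ValueError("redirect= not implemented in this example")
        if "=" in term:
            continue                             # other modifiers (e.g. exp=) do not change the verdict
        qualifier, name, arg, cidr = parse_term(term)
        if mechanism_matches(ip, domain, name, arg, cidr):
            return QUALIFIERS[qualifier]
    return "Neutral"                             # no mechanism matched


def verify_session(client_ip, helo_name, mail_from):
    """Evaluate both identities a receiver checks during one SMTP transaction."""
    return {
        "helo": check_host(client_ip, helo_name),
        "mailfrom": check_host(client_ip, mail_from.rsplit("@", 1)[-1]),
    }


if __name__ == "__main__":
    # An MTA that publishes "v=spf1 a -all" for its own hostname passes the HELO check;
    # colo.example.com is authorized to send example.com mail but gets None on HELO.
    print(verify_session("203.0.113.5", "smtp-out.example.com", "alice@example.com"))
    print(verify_session("198.51.100.20", "colo.example.com", "alice@example.com"))
```

The second call in the usage block reproduces the situation described under "Valid SPF Records": the MAIL FROM identity passes because colo.example.com falls inside the a:colo.example.com/28 range, but the HELO identity returns None because that hostname publishes no "v=spf1 a -all" record of its own.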