User Guide for Cisco Email Security Appliance C160
Cisco AsyncOS 8.5.6 for Email User Guide
Chapter 19 Email Authentication
Overview of SPF and SIDF Verification
When you work with SPF and SIDF, note that SIDF is similar to SPF, but it has some differences. To get
a full description of the differences between SIDF and SPF, see RFC 4406. For the purposes of this
documentation, the two terms are discussed together except in the cases where only one type of
verification applies.
Note
AsyncOS does not support SPF for incoming relays.
A Note About Valid SPF Records
To use SPF and SIDF with an appliance, publish the SPF record according to RFCs 4406 and 4408.
Review RFC 4407 for a definition of how the PRA identity is determined. You may also want to refer to
the following website to view common mistakes made when creating SPF and SIDF records:
http://www.openspf.org/FAQ/Common_mistakes
Valid SPF Records
To pass the SPF HELO check, ensure that you include a “v=spf1 a -all” SPF record for each sending
MTA (separate from the domain). If you do not include this record, the HELO check will likely result in
a None verdict for the HELO identity. If you notice that SPF senders to your domain return a high
number of None verdicts, these senders may not have included a “v=spf1 a -all” SPF record for each
sending MTA.
Valid SIDF Records
To support the SIDF framework, you need to publish both “v=spf1” and “spf2.0” records. For example,
your DNS records may look like the following:
example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
smtp-out.example.com. TXT "v=spf1 a -all"
example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"
SIDF does not verify the HELO identity, so in this case, you do not need to publish SPF v2.0 records for
each sending MTA.
Note
If you choose not to support SIDF, publish an “spf2.0/pra ~all” record.
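The following Python check is an added example, not part of the Cisco guide: it lints a set of TXT records against the guidance in Valid SPF Records and Valid SIDF Records above. The zone data is constructed from the page's example, smtp-out2.example.com. is a hypothetical second MTA, and the function names are illustrative.

```python
import re

# Constructed sample data (owner name -> TXT strings), modelled on the page's example.
# smtp-out2.example.com. is a hypothetical second MTA with no record of its own.
ZONE = {
    "example.com.": [
        "v=spf1 +mx a:colo.example.com/28 -all",
        "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all",
    ],
    "smtp-out.example.com.": ["v=spf1 a -all"],
    "smtp-out2.example.com.": [],
}

SPF2 = re.compile(r"spf2\.0/([a-z,]+)(?= |$)")

def classify(txt):
    """Return ("spf1", set()), ("spf2.0", scopes) or (None, set()) for one TXT string."""
    low = txt.strip().lower()
    if low == "v=spf1" or low.startswith("v=spf1 "):
        return "spf1", set()
    m = SPF2.match(low)
    if m:
        return "spf2.0", set(m.group(1).split(","))
    return None, set()

def lint(zone, domain, mta_hosts):
    """Check a domain and its sending MTAs against the guidance in this section."""
    findings = []
    kinds = [classify(t) for t in zone.get(domain, [])]
    n_spf1 = sum(1 for kind, _ in kinds if kind == "spf1")
    if n_spf1 == 0:
        findings.append((domain, "no v=spf1 record"))
    elif n_spf1 > 1:
        # RFC 4408 treats more than one v=spf1 record as a PermError.
        findings.append((domain, "multiple v=spf1 records"))
    # SIDF guidance: an spf2.0 record covering the PRA identity should exist.
    if not any(kind == "spf2.0" and "pra" in scopes for kind, scopes in kinds):
        findings.append((domain, "no spf2.0 record with pra scope"))
    # HELO guidance: each sending MTA needs its own v=spf1 record.
    for host in mta_hosts:
        if "spf1" not in [classify(t)[0] for t in zone.get(host, [])]:
            findings.append((host, "no v=spf1 record; HELO check will likely be None"))
    return findings

if __name__ == "__main__":
    hosts = ["smtp-out.example.com.", "smtp-out2.example.com."]
    for name, msg in lint(ZONE, "example.com.", hosts):
        print(f"{name}: {msg}")
```

The opt-out record “spf2.0/pra ~all” from the note above also satisfies the pra-scope check, because it is an spf2.0 record that covers the PRA identity.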