It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Attention

As of March 1, 2022, the legacy Barracuda Essentials Security, Compliance, and Complete editions are no longer available for purchase. Only existing customers can renew or add users to these plans.

Following October 30, 2022, the documentation and trainings will no longer be updated and will contain outdated information.

For more information on the latest Email Protection plans, see Barracuda Email Protection.

To update your bookmarks, see the following for the latest documentation and trainings:

Note that MSP customers should continue to follow Barracuda Essentials for MSPs.

How to Configure Sender Policy Framework

  • Last updated on

If you make setting changes, allow a few minutes for the changes to take effect.

Use the steps in this article to configure Sender Policy Framework (SPF) checking for the Barracuda Email Security Service.

Important
If you have SPF checking enabled on your mail server or network, it is critical when using the Barracuda Email Security Service that you either disable SPF checking in the service or add the Barracuda Email Security Service IP ranges to your SPF exemptions based on your Barracuda Email Security Service instance; see Barracuda Email Security Service IP Ranges for a list of IP rages based on your Barracuda Email Security Service instance.

Otherwise, your SPF checker blocks mail from domains with an SPF record set to Block because the mail is coming from a Barracuda Email Security Service IP address not in the sender's SPF record.

Configure SPF for Inbound Mail

  1. Log into your Barracuda Cloud Control account, and click Email Security in the left pane.
  2. Go to the Inbound Settings > Sender Authentication page, and select from the available options in the Enable Sender Policy Framework Checking section:
    • Hard Fail – Response indicates that the message sender's IP address does not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the real owner of the domain has specifically indicated that such messages should be rejected (blocked) as spoofed.
      • Block – Messages from a domain that fails SPF checking are blocked.
      • Quarantine – Messages from a domain that fails SPF checking are quarantined.
      • Off – When set to Off, the Barracuda Email Security Service does not query DNS for an SPF record for the sending domain to verify whether the sender is the true owner of that domain. This is the default setting.
    • Soft Fail – Response indicates that the message sender's IP address does not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the domain owner did not specify how the message should be handled. 
      • Block – Messages from a domain that fails SPF checking are blocked.
      • Quarantine – Messages from a domain that fails SPF checking are quarantined.
      • Off – When set to Off, the Barracuda Email Security Service does not query DNS for an SPF record for the sending domain to verify whether the sender is the true owner of that domain. This is the default setting.

      When Hard Fail is set to Off, Soft Fail options are disabled.

    You can optionally enable Sender Rewriting Scheme (SRS) for a specific domain on the Domains > Domain Settings page. When enabled, the sending mail server IP address is visible to the SPF verification agent on the recipient's end. The recipient's SPF agent checks the reverse MX records for your domain and verifies your IP address as an authorized sender to ensure message delivery to the recipient.

  3. Click Save Changes.

    When Enable Sender Policy Framework Checking is set to Off, the Barracuda Email Security Services does not query DNS for an SPF record for the sending domain to verify whether the sender is the true owner of that domain. If you are concerned about domain spoofing, enable one of the SPF options.

Exempt Trusted IP Addresses from SPF Checks

You can exempt mail relay servers and other machines from SPF checks that are set up specifically to forward mail to the Barracuda Email Security Service from outside sources. Mail from these IP addresses is still scanned for spam.

  1. Log into your Barracuda Cloud Control account, and click Email Security in the left pane.
  2. Go to the Inbound Settings > Sender Authentication page, and in the Sender Policy Framework section, enter the IP Address and Netmask and optional Comment.
  3. Click Add in the Actions column, and click Save Changes.

Block on No SPF Records

You can configure what happens when senders send mail from or through mail servers whose domains lack reverse MX records, or have no SPF records.

  1. Log into your Barracuda Cloud Control account, and click Email Security in the left pane.
  2. Go to the Inbound Settings > Sender Authentication page, and select one of the following in the Block on No SPF Records section:
    • Block – If a sending domain does not have an SPF record, the mail server is blocked and mail is not delivered to the user.
    • Quarantine – If a sending domain does not have an SPF record, mail is quarantined.
    • Off – When set to Off, there is no query for any senders. This is the default setting.
  3. Click Save Changes.

Additionally, if you have known/trusted contacts that send email from or through mail servers whose domains have no SPF records, you can create exemptions for these senders to allow their mail through while still blocking mail from other mail servers that do not have SPF records.

Note that Block on No SPF Records set to Block takes precedence over DMARC.

Configure SPF for Outbound Mail

To assure outbound mail from your Barracuda Email Security Service that Barracuda Networks is the authorized sending mail service, add the following to the SPF record INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance:

AU (Australia)
include:spf.ess.au.barracudanetworks.com -all
CA (Canada)
include:spf.ess.ca.barracudanetworks.com -all
DE (Germany)
include:spf.ess.de.barracudanetworks.com -all
UK (United Kingdom)
include:spf.ess.uk.barracudanetworks.com -all
US (United States)
include:spf.ess.barracudanetworks.com -all