How to Configure Sender Policy Framework

Last updated on 2025-12-12 11:53:15

If you make setting changes, allow a few minutes for the changes to take effect.

Use the steps in this article to configure Sender Policy Framework (SPF) checking for Email Gateway Defense.

Configure SPF for Inbound Mail

Log in to your Barracuda Cloud Control account, and click Email Gateway Defense in the left pane.
Go to the Inbound Settings > Sender Authentication page, and select from the available options in the Enable Sender Policy Framework Checking section:
- SPF Hard Fail
  - Off – No action taken on hard fail.
  - Quarantine – Messages with SPF hard fail are quarantined.
  - Block – Messages with SPF hard fail are blocked. This is the default setting.
- SPF Soft Fail
  - Off – No action taken on soft fail. This is the default setting.
  - Quarantine – Messages with SPF soft fail are quarantined.
  - Block – Messages with SPF soft fail are blocked.
Click Save Changes.

Exempt Trusted IP Addresses and Domains from SPF Checks

You can exempt mail relay servers and other machines from SPF checks. Mail from these IP addresses and domains is still scanned for spam.

Exemptions reduce protection and increase the risk of spoofing.

Log in to your Barracuda Cloud Control account, and click Email Gateway Defense in the left pane.
Go to the Inbound Settings > Sender Authentication page, and in the Enable Sender Policy Framework (SPF) Checking section, use one or both of the following:
- SPF Exemptions by IP Address – Enter the IP Address and Netmask and optional Comment.
- SPF Exemptions by Domain – Enter the Domain and optional Comment.
  Note: Usage requires exact matching after the @ sign. For example, domain.com will not work for sub.domain.com. You must create a separate entry for sub.domain.com.
Alternatively, use the Bulk Edit button.
Click Add in the Actions column, and click Save changes at the top right.

Block on No SPF Records

You can configure what happens when senders send mail from or through mail servers whose domains lack an SPF record.

Log in to your Barracuda Cloud Control account, and click Email Gateway Defense in the left pane.
Go to the Inbound Settings > Sender Authentication page, and select one of the following in the Block on No SPF Records section:
- Off – No action taken if the domain lacks an SPF record. This is the default setting.
- Quarantine – Messages from domains without SPF records are quarantined.
- Block – Messages from domains without SPF records are blocked.
Click Save changes at the top right.

Additionally, if you have known/trusted contacts that send email from or through mail servers whose domains have no SPF records, you can create exemptions for these senders to allow their mail through while still blocking mail from other mail servers that do not have SPF records.

Notes:

DMARC evaluation takes precedence over all independent sender authentication checks (SPF, DKIM, and related policies).

If a domain’s DMARC policy is in enforcement mode (reject or quarantine), that policy determines the final action, regardless of SPF or DKIM results or exemptions.

Configure SPF for Outbound Mail

To assure outbound mail from Email Gateway Defense that Barracuda Networks is the authorized sending mail service, add the following to the SPF record INCLUDE line for each domain sending outbound mail based on your Barracuda Networks instance.

For more information, see Email Gateway Defense Outbound IP Ranges.

AU (Australia)

include:spf.ess.au.barracudanetworks.com -all

CA (Canada)

include:spf.ess.ca.barracudanetworks.com -all

DE (Germany)

include:spf.ess.de.barracudanetworks.com -all

IN (India)

include:spf.ess.in.barracudanetworks.com -all

UK (United Kingdom)

include:spf.ess.uk.barracudanetworks.com -all

US (United States)

include:spf.ess.barracudanetworks.com -all