We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

How should I configure SPF checking on the Email Security Gateway?

  • Type: Knowledgebase
  • Date changed: 10 months ago
Solution #00002846

All Email Security Gateways, firmware versions 3.5.12 and above.

SPF is an acronym for Sender Policy Framework. SPF allows an email recipient to verify that an email message was sent from an IP address that is valid for the domain. SPF works by comparing the domain in the sender's email address with SPF records stored in DNS. This ensure that the domain owner controls the list of valid IP addresses.

To enable SPF on your Email Security Gateway, go to the Block/Accept > Sender Authentication page and set the Sender Policy Framework (SPF) option to either SPF Only or Yes. You then have the option to either tag or block emails that fail SPF inspection; Barracuda Networks recommends you tag for SPF, rather than block.

A list of IP addresses may be exempted from SPF checking with the Trusted Forwarder IP feature on either the Basic > IP Configuration or Block/Accept > Sender Authentication page. Any IP address in this list will be ignored when performing SPF checks. This may be necessary to protect against blocking valid emails redirected by email forwarding services.

The Email Security Gateway's SPF checking will perform a TXT DNS record lookup for the sender's domain and determine whether the SPF records listed there contain the IP address of the actual sending email server. SPF records can be viewed by searching for the TXT DNS record for any given domain. For example, at time of writing, the SPF record for Barracuda Networks is as follows:

barracuda.com. 3600 IN TXT "v=spf1 ptr dom=barracuda.com a:mail mx:all ip4: ip4: ip4: ip4: ip4: ip4: ~all"

This means that, if SPF is enabled, only senders from any of the IP addresses listed in the TXT DNS record, or any other DNS records, will pass the SPF test. These include all PTR and MX records for the domain in question as well. The last argument in the example above, ~all, means that all other IPs not found in the first several groups are not allowed to send mail using the domain of barracuda.com.

The ~ (tilde) symbol means soft fail, and, conversely, the - (dash) symbol is used to indicate an absolute or hard fail. At time of writing, the Email Security Gateway will allow soft fail SPF record entries and only block hard fail entries. This means that any illegitimate mail claiming to come from a domain whose SPF record contains the ~all option will not be blocked by the Email Security Gateway, while any illegitimate mail claiming to come from any domain whose SPF record contains the -all option will be blocked for SPF violation.

Further more, if a domain being checked from the BSF has NO SPF record, or a neutral record.. the Email Security Gateway will NOT do anything with this.. and just pass it on.

For more information on SPF, please visit openspf.org.

Additional Notes:
Email forwarding services can cause false positive events when a domain has published SPF records. For example, take a user with a web-based email account set up to forward mail to a business email address. If that user receives an email from microsoft.com, which would then be redirected to his company email address, this would break the SPF checking on his company's email server because the sending domain is microsoft.com and the sending IP address belongs to the forwarding service (which would not be listed in microsoft.com's SPF record as an IP address allowed to send microsoft.com email).

In firmware versions 3.5.10 and 3.5.11, the SPF options are configured on the Advanced > Email Protocol page. In firmware version 3.5.12, they were moved to the Block/Accept > Sender Authentication page.

Link to This Page: