Barracuda Email Security Gateway

How to read the headers of mail when checking for SPF issues

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00007134  

Scope:
Barracuda Spam Firewall, All Firmware Versions.

Answer:

Often when checking the message headers you may find no SPF line even though you have SPF checking enabled. This does not mean the Barracuda device did not check SPF. Starting with v7 of the firmware, the Barracuda Spam Firewall only adds the Received-SPF line when the check fails or errors out. If the SPF check passed, the Barracuda does NOT add the Received-SPF line.

If your message has a "Received-SPF: Pass" line on v7 or above firmware, it was added by a device before the Barracuda.

Below are the received lines ONLY from a message with two SPF checks. The lines are in the order they appear in the message header.

Read the two kinds of received lines in the header in opposite directions:

Read the actual "server" received lines from the BOTTOM to the TOP of the header to find the path the message took.

Read the "spf" received lines from the TOP to the BOTTOM of the header to see which SPF test ran last.

In this case the last "server" received line shows the message came to the Barracuda from IP 207.46.163.184.

When the Barracuda checked that IP address for SPF it failed.

The "spf" received line that passed was added by another server (probably the one at IP 10.173.161.153 in this example). Looking at the "server" received lines you can see that this mail was routed through a lot of servers by the sender and finally ended up being sent to the Barracuda by an IP that is currently NOT in their SPF record.

This is something to watch out for when investigating SPF issues.

============ RECEIVED LINES BELOW ============

(domain names have been masked to protect the innocent)

Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0184.outbound.protection.outlook.com [207.46.163.184]) by filter.xxxxxxxx.edu with ESMTP id CWHyXkrsDpkuheG3 for <ZUBAH.KPANAKU@xxxxxxxx.EDU>; Wed, 08 Apr 2015 16:54:07 -0500 (CDT)
Received-SPF: Pass (protection.outlook.com: domain of bounce.sendtax.yyyyyyyy.com designates 64.132.92.185 as permitted sender) receiver=protection.outlook.com; client-ip=64.132.92.185; helo=mta2.sendtax.yyyyyyyy.com;
Received: from BL2FFO11FD032.protection.gbl (10.173.160.33) by BL2FFO11HUB053.protection.gbl (10.173.161.153) with Microsoft SMTP Server (TLS) id 15.1.136.16; Wed, 8 Apr 2015 21:54:06 +0000
Received: from mta2.sendtax.yyyyyyyy.com (64.132.92.185) by BL2FFO11FD032.mail.protection.outlook.com (10.173.160.73) with Microsoft SMTP Server id 15.1.136.16 via Frontend Transport; Wed, 8 Apr 2015 21:54:06 +0000
Received: by mta2.sendtax.yyyyyyyy.com id h4mhns163hsg for <ZUBAH.KPANAKU@xxxxxxx.EDU>; Wed, 8 Apr 2015 15:54:05 -0600 (envelope-from <bounce-1500758_HTML-1071492136-25634245-10490611-0@bounce.sendtax.yyyyyyyy.com>)
Received-SPF: fail (xxxxxxxx.edu: domain of bounce-1500758_html-1071492136-25634245-10490611-0@bounce.sendtax.yyyyyyyy.com does not designate 207.46.163.184 as permitted sender)
==============================================
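
The reading order described above, as an added Python example (not part of the original Barracuda article): it lists the server hops bottom to top, lists the Received-SPF results top to bottom, and marks which result was evaluated against the IP that actually connected to the gateway. The header block is constructed sample data using documentation IP ranges and example domains, and the function names are assumptions.

```python
import re
from email import message_from_string

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample headers (documentation IPs, example domains), not from the article.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby filter.example.edu with ESMTP id abc123; Wed, 08 Apr 2015 16:54:07 -0500
Received-SPF: Pass (relay.example.net: domain of bounce.example.com designates
\t192.0.2.25 as permitted sender) client-ip=192.0.2.25;
Received: from mta.example.com (192.0.2.25) by relay.example.net
\twith SMTP id x1; Wed, 8 Apr 2015 21:54:06 +0000
Received-SPF: fail (example.edu: domain of bounce@bounce.example.com does not
\tdesignate 198.51.100.7 as permitted sender)
Subject: constructed test message

body
"""

def _flat(msg, name):
    # Unfold continuation lines, keeping header order (top to bottom).
    return [" ".join(v.split()) for v in msg.get_all(name, [])]

def server_path(msg):
    """(sending_ip, receiving_host) per hop in travel order: bottom line first."""
    path = []
    for line in reversed(_flat(msg, "Received")):
        head = line.split(" by ", 1)[0] if line.startswith("from ") else ""
        ip = re.search(IPV4, head)
        by = re.search(r"(?:^|\s)by\s+(\S+)", line)
        path.append((ip.group(0) if ip else None, by.group(1) if by else None))
    return path

def spf_checks(msg):
    """(result, ip_tested) per Received-SPF line, top to bottom."""
    checks = []
    for line in filter(None, _flat(msg, "Received-SPF")):
        ip = re.search(rf"designates? ({IPV4})|client-ip=({IPV4})", line)
        checks.append((line.split()[0].lower(), (ip.group(1) or ip.group(2)) if ip else None))
    return checks

def analyze(raw):
    msg = message_from_string(raw)
    path = server_path(msg)
    peer = path[-1][0] if path else None  # topmost Received = IP that reached the gateway
    # Flag each SPF result by whether it was evaluated against that connecting IP.
    spf = [(res, ip, ip == peer) for res, ip in spf_checks(msg)]
    return {"path": path, "gateway_peer": peer, "spf": spf}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the constructed sample the Pass is tied to the upstream IP 192.0.2.25, while the fail is tied to the connecting IP 198.51.100.7, the same pattern as in the header above.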

Finally:

When checking a customer's SPF record, verify that they only have a single SPF record. If there are two or more SPF records, only one will be used.

In this example the official SPF record (not the TXT SPF record) will always be used:

mydomain.com.            3599    IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"
mydomain.com.            3599    IN      SPF    "v=spf1 mx -all"


In this example the TXT SPF records will be used round robin.

mydomain.com.            3599    IN      TXT     "v=spf1 include:spf.protection.outlook.com -all"
mydomain.com.            3599    IN      TXT     "v=spf1 mx -all"


A domain should only have a single SPF record. If it has multiple SPF records, they should all be identical:

mydomain.com.            3599    IN      TXT     "v=spf1 mx include:spf.protection.outlook.com -all"
mydomain.com.            3599    IN      SPF    "v=spf1 mx include:spf.protection.outlook.com -all"

