Use the steps in this article to configure Sender Policy Framework (SPF) checking for the Barracuda Email Security Service.
Configure SPF for Inbound Mail
- Log into your Barracuda Cloud Control account, and click Email Security in the left pane.
- Go to the Inbound Settings > Sender Authentication page, and select from the available options in the Enable Sender Policy Framework Checking section:
- Hard Fail – Response indicates that the message sender's IP address does not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the real owner of the domain has specifically indicated that such messages should be rejected (blocked) as spoofed.
- Block – Messages from a domain that fails SPF checking are blocked.
- Quarantine – Messages from a domain that fails SPF checking are quarantined.
- Off – When set to Off, the Barracuda Email Security Service does not query DNS for an SPF record for the sending domain to verify whether the sender is the true owner of that domain. This is the default setting.
- Soft Fail – Response indicates that the message sender's IP address does not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the domain owner did not specify how the message should be handled.
- Block – Messages from a domain that fails SPF checking are blocked.
- Quarantine – Messages from a domain that fails SPF checking are quarantined.
Off – When set to Off, the Barracuda Email Security Service does not query DNS for an SPF record for the sending domain to verify whether the sender is the true owner of that domain. This is the default setting.
- Hard Fail – Response indicates that the message sender's IP address does not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the real owner of the domain has specifically indicated that such messages should be rejected (blocked) as spoofed.
Click Save Changes.
Exempt Trusted IP Addresses from SPF Checks
You can exempt mail relay servers and other machines from SPF checks that are set up specifically to forward mail to the Barracuda Email Security Service from outside sources. Mail from these IP addresses is still scanned for spam.
- Log into your Barracuda Cloud Control account, and click Email Security in the left pane.
- Go to the Inbound Settings > Sender Authentication page, and in the Sender Policy Framework section, enter the IP Address and Netmask and optional Comment.
- Click Add in the Actions column, and click Save Changes.
Block on No SPF Records
You can configure what happens when senders send mail from or through mail servers whose domains lack reverse MX records, or have no SPF records.
- Log into your Barracuda Cloud Control account, and click Email Security in the left pane.
- Go to the Inbound Settings > Sender Authentication page, and select one of the following in the Block on No SPF Records section:
- Block – If a sending domain does not have an SPF record, the mail server is blocked and mail is not delivered to the user.
- Quarantine – If a sending domain does not have an SPF record, mail is quarantined.
- Off – When set to Off, there is no query for any senders. This is the default setting.
- Click Save Changes.
Additionally, if you have known/trusted contacts that send email from or through mail servers whose domains have no SPF records, you can create exemptions for these senders to allow their mail through while still blocking mail from other mail servers that do not have SPF records.
Configure SPF for Outbound Mail
To assure outbound mail from your Barracuda Email Security Service that Barracuda Networks is the authorized sending mail service, add the following to the SPF record INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance:
AU (Australia)
include:spf.ess.au.barracudanetworks.com -all
CA (Canada)
include:spf.ess.ca.barracudanetworks.com -all
DE (Germany)
include:spf.ess.de.barracudanetworks.com -all
UK (United Kingdom)
include:spf.ess.uk.barracudanetworks.com -all
US (United States)
include:spf.ess.barracudanetworks.com -all