We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Essentials for Office 365
Barracuda Essentials for Office 365

How to Configure Sender Policy Framework

  • Last updated on

If you make setting changes, allow a few minutes for the changes to take effect.

Use the steps in this article to configure Sender Policy Framework (SPF) checking for the Barracuda Email Security Service.

Important
If you have SPF checking enabled on your mail server or network, it is critical when using the Barracuda Email Security Service that you either disable SPF checking in the service or add the Barracuda Email Security Service IP ranges to your SPF exemptions based on your location; see Barracuda Email Security Service IP Ranges for a list of IP rages by location.

Otherwise, your SPF checker blocks mail from domains with an SPF record set to Block because the mail is coming from a Barracuda Email Security Service IP address not in the sender's SPF record. For more information, see the Sender Policy Framework Project Overview.

Configure SPF for Inbound Mail

  1. Log in to your Barracuda Cloud Control account, and click Email Security in the left pane.
  2. Go to the Inbound Settings > Sender Authentication page, and in the Use Sender Policy Framework section, select the desired option:
    • BLOCK FAIL – The SPF Fail response indicates the IP address of the message sender does not match the IP address or range of IP addresses specified in the sending domain name's SPF record, and that the real owner of the domain has specifically indicated that such messages should be rejected (blocked) as spoofed.
    • BLOCK Fail, SOFTFAIL – The SPF SOFTFAIL response indicates the message sender's IP address does not match the IP address or range of IP addresses specified in the sending domain name's SPF record and the domain owner did not specify how such messages are to be handled.

      You can optionally enable Sender Rewriting Scheme (SRS) for a specific domain on the Domains > Domain Settings page. When enabled, the sending mail server IP address is visible to the SPF verification agent on the recipient's end. The recipient's SPF agent checks the reverse MX records for your domain and verifies your IP address as an authorized sender to ensure message delivery to the recipient.

        

  3. Click Save Changes.

    If quarantine is enabled, messages are sent to the user's quarantine. If quarantine is disabled, messages are blocked.

    When Use Sender Policy Framework is set to Off, the Barracuda Email Security Services does not query DNS for an SPF record for the sending domain to verify whether the sender is the true owner of that domain. If you are concerned about domain spoofing, enable one of the SPF options.

Exempt Trusted IP Addresses from SPF Checks

You can exempt mail relay servers and other machines from SPF checks that are set up specifically to forward mail to the Barracuda Email Security Service from outside sources. Mail from these IP addresses is still scanned for spam.

  1. Log in to your Barracuda Cloud Control account, and click Email Security in the left pane.
  2. Go to the Inbound Settings > Sender Authentication page, and in the Use Sender Policy Framework section, enter the IP Address and Netmask and optional Comment.
  3. Click Add in the Actions column, and click Save Changes.

Configure SPF for Outbound Mail

To assure outbound mail from your Barracuda Email Security Service that Barracuda Networks is the authorized sending mail service, add the following to the SPF record INCLUDE line for each domain sending outbound mail based on your Barracuda Email Security Service instance. For example, type:
include:spf.ess.barracudanetworks.com -all

See Sender Policy Framework for Outbound Mail for INCLUDE entries based on your Barracuda Email Security Service instance.

   

O365


Last updated on