
Cisco ESA SPF configuration

ccna_security
Level 3

Dear all

I configured SPF and it seems to work properly for now. Let me give you a brief summary:

1. Created an SPF quarantine.

2. Enabled SPF in the mail flow policy Default Policy Parameters (Conformance Level: SPF, Downgrade PRA verification: NO, HELO Test: ON).

3. Created a content filter to send messages that failed SPF verification to the quarantine.

When I looked at some logs, I observed that although the mailfrom identity result is Pass, if the HELO test is Softfail the email is sent to the SPF quarantine. My question is: what is the recommended choice for HELO Test, ON or OFF?



dmccabej
Cisco Employee

Hello,

 

Most people are probably not going to have the HELO SPF record configured properly if at all, so my personal opinion would be that it's not necessary. I'd also recommend adding in DKIM and DMARC verification when possible.

 

If you wanted to just act on the mail-from within the filter, you could instead configure a message filter instead of a content filter, as with the message filter you have the ability to choose.

 

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-5/user_guide/b_ESA_Admin_Guide_12_5/b_ESA_Admin_Guide_12_1_chapter_01000.html#con_1132105

 

Thanks!

-Dennis M.

Thank you, Dennis. I have one last question, and I would be happy if you could help me. Yesterday, as I said, I configured SPF, and one legitimate email came from a different mail server and SPF blocked it. The sender's mail server is, for example, mx.example.com, but the email address is test@domain.com. The question is: where do I have to add an SPF record to let mail for domain.com legitimately come from mx.example.com? It is very urgent, please help me solve this issue. Thanks.

Hello,

 

The SPF record lookup is done using the mail-from domain. So, if the envelope sender address is test@domain.com then you would want to look at the SPF record for domain.com to see if it's configured properly, as they would need to be including the sending host mx.example.com in it. If it is misconfigured then there's nothing you're able to do about that since you do not control their DNS. You would need to contact them so that they can fix it on their end. 

 

If you can provide more details I can try to help confirm. 

 

Thanks!

-Dennis M.

Thank you, Dennis. I will send an email to them to add their SPF records.

You're very welcome! I'm glad that I was able to assist. :)

 

-Dennis M.
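The two situations in this thread (MAIL FROM passes while HELO soft-fails, and test@domain.com relayed through mx.example.com) can be reproduced offline with a small SPF evaluator. This is an added example, not code from the thread or from Cisco: `check_host`, `spf_status` and `quarantined` are hypothetical names, the DNS records and addresses are constructed, and `quarantined` is only a model of a filter that acts on chosen identities (treating SoftFail as quarantinable is an assumption based on the behaviour reported in the first post), not the ESA's own logic.

```python
import ipaddress

QUAL = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def check_host(ip, domain, txt, a, depth=0):
    """Simplified RFC 7208 check_host(): only ip4, a, include and all."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "None"                      # domain publishes no SPF record
    if depth > 10:
        return "PermError"                 # guard against include loops
    for term in record.split()[1:]:
        result = QUAL.get(term[0], "Pass")  # no qualifier means "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            hit = True
        elif name == "ip4":
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = ip in a.get(arg or domain, [])
        elif name == "include":
            hit = check_host(ip, arg, txt, a, depth + 1) == "Pass"
        else:
            return "PermError"             # mechanism not handled in this sketch
        if hit:
            return result
    return "Neutral"

def spf_status(client_ip, helo, mail_from, txt, a):
    """Evaluate the HELO and MAIL FROM identities independently."""
    return {"helo": check_host(client_ip, helo, txt, a),
            "mailfrom": check_host(client_ip, mail_from.rpartition("@")[2], txt, a)}

def quarantined(status, identities, bad=("Fail", "SoftFail")):
    """Model of a filter that acts only on the listed identities (assumption)."""
    return any(status[i] in bad for i in identities)

# Constructed DNS data (not real records), using the thread's example names.
TXT = {"domain.com": "v=spf1 ip4:192.0.2.0/24 -all",
       "mx.example.com": "v=spf1 a -all",
       "host.example.net": "v=spf1 ip4:203.0.113.5 ~all"}
A = {"mx.example.com": ["198.51.100.25"]}
FIXED = dict(TXT, **{"domain.com": "v=spf1 ip4:192.0.2.0/24 a:mx.example.com -all"})

if __name__ == "__main__":
    # First post: MAIL FROM passes, HELO soft-fails.
    s = spf_status("192.0.2.10", "host.example.net", "user@domain.com", TXT, A)
    print(s, quarantined(s, ["helo", "mailfrom"]), quarantined(s, ["mailfrom"]))
    # Follow-up: test@domain.com relayed by mx.example.com, before and after
    # domain.com's owner authorises that host in its own record.
    for records in (TXT, FIXED):
        print(spf_status("198.51.100.25", "mx.example.com", "test@domain.com", records, A))
```

In the second case the HELO identity passes while MAIL FROM fails, and only a change to the record published by domain.com turns that into a Pass.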
