Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1890
Views
10
Helpful
3
Replies

DMARC can reject, SPF can not. Why?

Go to solution
cryptochrome
Level 1
Level 1

‎03-24-2020 08:25 AM

Hi,

with DMARC we can reject mails during SMTP dialog (according to DMARC policies). However, with SPF and DKIM we can only drop/quarantine/bouce, but not reject. Acting on SPF results is only possible in message/content filters (which happen after SMTP dialog, hence no reject). DMARC, which is based on SPF/DKIM can reject mails. 

This makes no sense. Why not allow a reject action for SPF/DKIM as well?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP
In response to Cristian Matei

‎03-24-2020 10:06 AM

You can set it to reject, but you have to do it in the CLI.



https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/cli_reference_guide/b_CLI_Reference_Guide_13_0/b_CLI_Reference_Guide_chapter_0100.html



Search for this string "Example - Configuring SPF and SIDF"


Keep in mind that this is much like turning on rejecting mail because of reverse DNS/PTR lookups failing...
LOTS of companies STILL don't know how to configure it properly.



View solution in original post

3 Replies 3

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-24-2020 09:22 AM

Hi,

   

     I think it was just a simple call at that point in time, when feature was implemented. Technically speaking, from the RFC point of view, SPF recommends REJECT, while DKIM does not recommend REJECT.

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to Cristian Matei

‎03-24-2020 10:06 AM

You can set it to reject, but you have to do it in the CLI.



https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/cli_reference_guide/b_CLI_Reference_Guide_13_0/b_CLI_Reference_Guide_chapter_0100.html



Search for this string "Example - Configuring SPF and SIDF"


Keep in mind that this is much like turning on rejecting mail because of reverse DNS/PTR lookups failing...
LOTS of companies STILL don't know how to configure it properly.



Go to solution
cryptochrome
Level 1
Level 1
In response to Ken Stieers

‎03-24-2020 10:21 AM

Oh wow... looks like it makes sense to check the command line reference more often. I didn't know this was possible because the GUI does not offer these options. Excellent, thanks for pointing me in the right direction!

0 Helpful
Customers Also Viewed These Support Documents