Cisco Secure Email Support Community


cryptochrome
Beginner

DMARC can reject, SPF can not. Why?

Hi,

With DMARC we can reject mails during the SMTP dialog (according to DMARC policies). However, with SPF and DKIM we can only drop/quarantine/bounce, but not reject. Acting on SPF results is only possible in message/content filters (which happen after the SMTP dialog, hence no reject). DMARC, which is based on SPF/DKIM, can reject mails.

This makes no sense. Why not allow a reject action for SPF/DKIM as well?

 

1 ACCEPTED SOLUTION


You can set it to reject, but you have to do it in the CLI.



https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/cli_reference_guide/b_CLI_Reference_Guide_13_0/b_CLI_Reference_Guide_chapter_0100.html



Search for this string "Example - Configuring SPF and SIDF"


Keep in mind that this is much like turning on rejecting mail because of reverse DNS/PTR lookups failing...
LOTS of companies STILL don't know how to configure it properly.
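
Why an SPF verdict can be enforced inside the SMTP dialog, as an added example (not from the original post, and not Cisco's implementation or CLI): SPF needs only the connecting IP and the MAIL FROM domain, both known before DATA. The domains, records and addresses below are constructed, and the default policy of refusing only on a hard fail is an assumption reflecting the misconfiguration caveat above.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups (example data only).
DNS_TXT = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
    "broken.example": "v=spf1 ip4:192.0.2.300 -all",  # malformed address
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Enhanced status codes from RFC 7372; the reply wording is illustrative.
REJECT_REPLY = {
    "fail": "550 5.7.23 SPF validation failed",
    "permerror": "550 5.7.24 SPF validation error",
}

def spf_result(record, client_ip):
    """Evaluate a record made only of ip4:/ip6:/all terms; no DNS is queried."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIER else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIER[qualifier]
        if not mech.startswith(("ip4:", "ip6:")):
            raise NotImplementedError(f"{mech!r} is outside this example")
        try:
            net = ipaddress.ip_network(mech[4:], strict=False)
        except ValueError:
            return "permerror"  # the publisher's record is broken
        if ip in net:
            return QUALIFIER[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def mail_from_reply(domain, client_ip, reject_on=("fail",)):
    """Reply to MAIL FROM. A 5xx here refuses the mail inside the SMTP dialog,
    so the receiver never accepts it and has no bounce to generate."""
    result = spf_result(DNS_TXT.get(domain), client_ip)
    if result in reject_on and result in REJECT_REPLY:
        return result, REJECT_REPLY[result]
    return result, "250 2.1.0 Sender OK"

if __name__ == "__main__":
    for domain in ("strict.example", "soft.example", "broken.example"):
        print(domain, mail_from_reply(domain, "203.0.113.9"))
```

With the default `reject_on`, the sender with the malformed record is still accepted; adding `"permerror"` to `reject_on` refuses it, which is the trade-off the answer warns about.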




3 REPLIES
Cristian Matei
VIP Collaborator

Hi,

   

I think it was just a simple call at that point in time, when the feature was implemented. Technically speaking, from the RFC point of view, SPF recommends REJECT, while DKIM does not recommend REJECT.

 

Regards,

Cristian Matei.


Oh wow... looks like it makes sense to check the command line reference more often. I didn't know this was possible because the GUI does not offer these options. Excellent, thanks for pointing me in the right direction!
