
ESA content filter/cli filter to check include SPF record

kaizen
Level 1

Hi community,

I am trying to whitelist, or more correctly said to SPOOF_ALLOW, the servers that Gmail/Outlook use to send email for a customer domain. Basically Gmail and Outlook ask clients to include their ranges via an include in the SPF record. For example, include:_spf.google.com resolves to include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com, which then shows the many ranges of Google.

My question is if I want to allow only mail sent from the customer's domain and coming from some of the servers in the SPF record for google/outlook to match Sendergroup SPOOF_ALLOW. All other emails coming from GMAIL/Outlook should be treated normally and match the policies below - UNKNOWNLIST / ACCEPTLIST.

I guess maybe some content filter can be used..

Is there a better way to keep Spoofing protection in good state without allowing all the vendor public ranges? It seems Gmail/Outlook are not giving specific IPs or segments for a particular customer/domain.

 

Thanks. Any advice is appreciated.

K.

1 Reply

UdupiKrishna
Cisco Employee

Considering the email pipeline, sender group comes first and then the filters. So there's no possible way to control which sender group is used for different messages by a filter.

 

SPF verification kicks in after a sender group is matched, so that doesn't help either. What could possibly help is if Google or Outlook can specifically send messages to a different listener IP (a new listener needs to be set up on the ESA too) when the messages are meant for their domain; this way the rest of the common Gmail/Outlook messages come through a different listener.
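
Added example, not part of the thread and not Cisco or Google code: a small SPF include expander showing why the ranges behind `include:_spf.google.com` cannot identify one customer, since every tenant that publishes the same include authorizes the same addresses. The include names come from the question; `customer.example`, `other-tenant.example` and every `ip4` range are constructed placeholders, and the loop guard is a simplification.

```python
import ipaddress

# Constructed TXT records: the include chain mirrors the one named in the
# question, but every ip4 range is a documentation placeholder, not Google's.
TXT = {
    "customer.example": "v=spf1 include:_spf.google.com ~all",
    "other-tenant.example": "v=spf1 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:203.0.113.0/25 ~all",
}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation


def expand(domain, txt=TXT, _state=None):
    """Return the set of ip4/ip6 networks reachable from domain's SPF record."""
    state = _state if _state is not None else {"lookups": 0, "seen": set()}
    if domain in state["seen"]:
        return set()  # simplified guard against include loops
    state["seen"].add(domain)
    nets = set()
    for term in txt.get(domain, "").split()[1:]:  # skip the "v=spf1" tag
        term = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
        if term.startswith("include:"):
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise RuntimeError("SPF permerror: more than 10 lookups")
            nets |= expand(term[len("include:"):], txt, state)
        elif term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
    return nets


def authorized(ip, domain):
    """True if ip falls in any range the domain's SPF record expands to."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in expand(domain))


def shared_tenants(ip, domains):
    """Domains whose SPF authorizes ip; more than one means the IP is shared."""
    return [d for d in domains if authorized(ip, d)]
```
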