Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11935
Views
0
Helpful
7
Replies

ESA | Sender Policy Framework (SPF).

Go to solution
John
Level 1
Level 1

‎05-31-2016 12:58 AM

One of the recommendations from the Analysis Teamis to implement the Sender Policy Framework (SPF).

Kindly enlighten us on how this works and how to implement this on our Cisco Ironport.

Is there any requirements needed? What are the pro’s and con’s of implementing this?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Raed Boshmaf
Cisco Employee
Cisco Employee

‎05-31-2016 01:03 AM

Hi John,

Check the following article FAQ about SPF 

Regards

Raed 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Raed Boshmaf
Cisco Employee
Cisco Employee

‎05-31-2016 01:03 AM

Hi John,

Check the following article FAQ about SPF 

Regards

Raed 

0 Helpful

Go to solution
John
Level 1
Level 1
In response to Raed Boshmaf

‎02-15-2017 08:59 PM

How to test if SPF is working?

0 Helpful

Go to solution
exMSW4319
Level 3
Level 3
In response to John

‎02-16-2017 03:43 AM

John, you still haven't clarified if this is for publishing SPF for your outgoing mail or checking the SPF status of mail incoming to you.

0 Helpful

Go to solution
exMSW4319
Level 3
Level 3

‎06-01-2016 01:52 AM

When working out what action to take on the various SPF verdicts, bear in mind that the Office 365 groupies are currently churning out epic numbers of PERMERRORs for valid domains they're converting. As that's mostly seagull conslutancy, there's no-one with any technical clue at the sender domain to fix things if you point the error out to them. The other unholy terror of SPF validation is the forgotten back office workflow system automatically churning out trivial things like invoices, process notifications, payslips and the like. Still, manually resending all that traffic (because you won't be the only one dropping it) will give all those suddenly-more-productive office staff something to do.

Most emphatically test with a log action before going live with a drop or quarantine action. I introduced SPF here one sender group at a time, starting with the lowest SBRS ranges. Even if you only act on hard FAIL verdicts, you'll still want an Incoming Mail Policy for folk with SPF errors that they simply can't correct.

Before getting into all of that, it's worth checking what your analysis team actually wanted. Remember that publishing SPF to authenticate your outgoing mail and doing SPF validation to check your incoming mail are two different things, and you don't have to do both though in this day and age the first is definitely recommended. The article Raed recommended focusses entirely on the second, as that's where an ESA fits into the process.

0 Helpful

Go to solution
John
Level 1
Level 1
In response to exMSW4319

‎06-28-2016 12:59 AM

What are the pro’s and con’s of implementing this?

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to John

‎06-28-2016 08:09 AM

Depends upon which piece you're talking about

Implementing SPF record for your domain:

Pros:  better deliveribilty of your mail... some of the big carriers claim they aren't accepting mail without SPF records.  

Cons:  none that I know of...

Implementing SPF record checking:

Pro:  less spam gets through

Cons: You run across companies that don't know what they are doing, and you dump good mail.  (I've sent MANY notes saying "here's your spf record, here's the mail trace from an IP that isn't covered by the spf record... YOU told me its spam... so I dropped it... fix your crap" )

0 Helpful

Go to solution
exMSW4319
Level 3
Level 3
In response to Ken Stieers

‎06-30-2016 12:26 AM

John, on publishing an SPF record to authenticate your own domain there's the tricky question of whether to end your record with a SOFTFAIL (~all) or HARDFAIL (-all).

A soft ending may be acceptable to some of the bigger webmailers who can be seen to be checking SPF if you look at message source details in your own web mail test accounts (you of course will have test accounts with all the large free webmailers) but in my opinion still leaves you open to impersonation as unauthorised machines may be deemed acceptable by the checking system. The RFCs do not prescribe a specific action for any result, but are particularly (necessarily?) fuzzy on this subject. See RFC 4408 and 7208. I have a recollection that at least one contributor to this forum has stated that he only acts on HARDFAIL results.

A hard ending is much less open to question, but will cause problems with your deliverability whenever the recipient is forwarding your mail to another address. I believe there are mechanisms the recipient can implement to mitigate this problem, but many of the domain owners forwarding mail are precisely those least able to put such arrangements in place.

The main ones are fairly common knowledge, but if you are short of tools for checking SPF then let us know.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents