Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2005
Views
5
Helpful
2
Replies

Legitimate messages failing spf, dkim and falling into quarantine

Madura Malwatte
Level 4
Level 4

‎03-16-2021 08:11 AM

Hi All,

Looking for recommendations or best practice how to approach scenario where the IT staff of a company is being overloaded with the amount of messages going into quarantine. Some of these look to be failing spf (soft/hard) and dkim. Would the best approach be to whitelist the legitimate domains? 

I read in some best practice document with contradicting recommendations. One document says to drop all SPF hardfails, while others and the default settings on CES has SPF hardfails to quarantine. Which is it? Can I get definitive best practice for what to drop and what to quarantine?

Also what steps would you take to reduce the amount of legitimate emails going into quarantine?

Labels:
2 Replies 2

Ken Stieers
VIP
VIP

‎03-16-2021 09:07 AM

If it's a hard fail, you're justified in just throwing that mail away. By definition, a hard fail isn't legitimate mail.

But the problem is companies don't track all sending mailers well, and shadow IT happens, or they don't know how to configure SPF properly...



We quarantine it in the policy quarantine, and when we get a user request for something that's not coming in, we'll investigate, and then give the user the why, but they don't get the email. I typically send a note that the user can pass on that says something like "that mail failed SPF, e.g. that company is telling us it is spam, here's their SPF record, here's the IP it came from, pass it on to your business partner's IT group".



You have to pick a policy, and get support from management, and stick to it.



Ken


0 Helpful

marc.luescherFRE
Spotlight
Spotlight

‎03-16-2021 09:21 AM

Hi Madura,

 

it is all a numbers game. If I break down our PVO numbers we have :

 

60 % SPAM

15% GREYMAIL

3% SPF fail

2 % DKIM fail

3 % URL CATEGORY FAIL

2 % AV FAIL

2 % ENCRYPTION FAIL

1 % OTHER

 

For us that would mean SPAM and GREYMAIL need to managed without admins, the rest needed admins. At the end you will create whitelists per category to decide what to do. A properly setup email domain should not have emails in the quarantine. What kind of messages are you worried about ?

 

 

-Marc

0 Helpful
Customers Also Viewed These Support Documents