10-28-2016 03:03 AM
Hello everyone,
We have some issues with the SPF check and our ESA-hosted domains. Our goal is to reduce forged identities (especially the PRA identity, which is shown by Outlook).
Our requirements:
- "v=spf1 ... -all" is already (and correctly) set, and we don't want to set an extra "spf2.0/pra ... -all" TXT RR in DNS (this would be an option with SPF/SIDF Conformance Level "SIDF-compatible").
- We set the SPF/SIDF Conformance Level to "SIDF" on all HAT policies (this provides the capability "SPF v1.0 records are treated as spf2.0/mfrom,pra.", which is fine).
- DKIM and DMARC would be complex options for the future, but not at the moment.
Problem: Now, the SPF check is working fine for external domains/identities, but not for domains hosted by our company (e.g. Receiving Domains listed in SMTP Routes).
Examples:
SPF: pra identity jdoe@external.com Fail headers from
SPF: pra identity jdoe@internal.com None headers from
Why is ESA not performing the SPF check for externally delivered emails when the pra/mailfrom/(helo) identity domains are the same as our hosted domains?
10-28-2016 11:24 AM
Hello Paul,
Are you able to provide any message tracking examples for the behavior you're referring to?
Thanks
-Dennis M.
10-31-2016 06:51 AM
10-31-2016 07:16 AM
Are you using split DNS? Don't forget to put your SPF records in your internal DNS servers.
03-23-2017 07:00 AM
Hi Ken,
Thanks for your answer. Split DNS was the solution and solved our problem. There are two possible ways:
1. You update your internal DNS RR
2. You specify an external DNS server for special domains via ESA (Network > DNS).
03-23-2017 07:00 AM
Hi Paul,
We are using a spoof message filter and I'm looking at adding some improvements by integrating SPF (mail from and PRA results).
Just like you, I want to avoid publishing spf2.0 and am looking at setting the Conformance Level to "SIDF".
Prior to fixing the issue, was your ESA's DNS configuration set to use external or your internal DNS server?
Thanks,
Conrado
03-23-2017 07:09 AM
Hi Conrado, we used internal DNS where no data was set for our domains. So our verdict was always None (nothing to check against). We corrected this by implementing the SPF TXT RR in internal DNS as well.
SIDF is correct for checking PRA and MFROM identities. There are also important references in the Cisco User Guide which help a lot to understand how these settings and the RFC work.
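To make the split-DNS behaviour discussed in this thread concrete, here is an added illustration (not Cisco ESA code and not posted by anyone in the thread). It evaluates a toy SPF record against two constructed DNS views: an "external" view in which the company domain publishes its v=spf1 record, and an "internal" view in which the same zone has no SPF TXT record. The same forged message gets a Fail verdict against the external view and a None verdict against the internal one, which is exactly what the original poster saw before adding the record to internal DNS. The conformance parameter mirrors the two ESA modes named above: in "sidf" mode a v=spf1 record also covers the PRA identity; in "sidf-compatible" mode the PRA would need its own spf2.0/pra record. All domain names, IP addresses, records and function names are assumptions for the example.

```python
"""Toy SPF/SIDF evaluator over two constructed DNS views (hypothetical example)."""
import ipaddress
import re
from email.utils import parseaddr

# Public DNS view, as seen by the rest of the Internet (constructed data).
EXTERNAL_DNS = {
    ("internal.example", "TXT"): [
        "v=spf1 ip4:203.0.113.0/24 a:mail.internal.example include:_spf.partner.example -all"
    ],
    ("mail.internal.example", "A"): ["192.0.2.25"],
    ("_spf.partner.example", "TXT"): ["v=spf1 ip4:198.18.0.0/16 -all"],
    ("external.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
# Internal split-DNS view: the company's own zone carries no SPF record (constructed).
INTERNAL_DNS = {
    ("mail.internal.example", "A"): ["10.0.0.25"],
    ("_spf.partner.example", "TXT"): ["v=spf1 ip4:198.18.0.0/16 -all"],
    ("external.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")  # RFC 4407 header order

def lookup(dns, name, rtype):
    return dns.get((name.lower(), rtype), [])

def find_record(dns, domain, scope, conformance):
    """Select the TXT record for scope 'mfrom' or 'pra'. 'sidf' treats v=spf1 as
    spf2.0/mfrom,pra; 'sidf-compatible' treats v=spf1 as spf2.0/mfrom only."""
    txts = lookup(dns, domain, "TXT")
    for r in txts:  # explicit spf2.0 records name their scopes
        m = re.match(r"spf2\.0/([a-z,]+)(?:\s|$)", r, re.I)
        if m and scope in m.group(1).lower().split(","):
            return r
    for r in txts:
        if r.lower().startswith("v=spf1") and (scope == "mfrom" or conformance == "sidf"):
            return r
    return None

def check_spf(dns, domain, client_ip, scope="mfrom", conformance="sidf", depth=0):
    """Evaluate ip4/ip6/a/include/all terms for one identity domain and return the
    SPF result. mx, ptr, exists and the redirect=/exp= modifiers are skipped here."""
    if depth > 10:
        return "permerror"
    record = find_record(dns, domain, scope, conformance)
    if record is None:
        return "none"  # the verdict the thread saw on a resolver without the record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a":
            host = arg or domain
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(dns, host, "A"))
        elif name == "include":  # include matches only on a Pass of the included domain
            matched = check_spf(dns, arg, client_ip, scope, conformance, depth + 1) == "pass"
        if matched:
            return QUALIFIER[qual]
    return "neutral"

def pra_identity(headers):
    """Purported Responsible Address: first non-empty header in PRA_ORDER, bare address."""
    lowered = {k.lower(): v for k, v in headers}
    for name in PRA_ORDER:
        value = lowered.get(name.lower())
        if value:
            return parseaddr(value)[1]
    return ""

def sidf_verdicts(dns, client_ip, mail_from, headers, conformance="sidf"):
    """Verdicts for both identities, like the 'pra identity' / 'mailfrom' lines above."""
    pra = pra_identity(headers)
    return {
        "mailfrom": check_spf(dns, mail_from.rpartition("@")[2], client_ip, "mfrom", conformance),
        "pra": check_spf(dns, pra.rpartition("@")[2], client_ip, "pra", conformance),
    }

def compare_views(client_ip, mail_from, headers, conformance="sidf"):
    """Same message evaluated against the internal and the external resolver."""
    return {
        "internal_dns": sidf_verdicts(INTERNAL_DNS, client_ip, mail_from, headers, conformance),
        "external_dns": sidf_verdicts(EXTERNAL_DNS, client_ip, mail_from, headers, conformance),
    }

if __name__ == "__main__":
    forged = [("From", "John Doe <jdoe@internal.example>")]  # constructed forged sender
    for view, verdicts in compare_views("198.51.100.7", "jdoe@internal.example", forged).items():
        print(view, verdicts)
```

Running the script prints a None/None verdict pair for the internal view and Fail/Fail for the external view. The fix described in the thread corresponds to adding the ("internal.example", "TXT") entry to INTERNAL_DNS, or pointing the evaluator at EXTERNAL_DNS for that domain, which is what the ESA's per-domain DNS server setting does.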
03-24-2017 06:01 AM
Thanks Paul
11-06-2016 05:15 PM
However ESA/DNS/SPF is set up, we don't seem to be finding any records for that domain. At this point I would recommend opening a TAC case, and we can help you take a closer look at the configuration.
Also, while SPF validation is helpful, it doesn't necessarily assist with spoofing attacks. And while the PRA/SenderID result would be looking at the friendly 'From' header, it's pretty much obsolete and rarely used.
Personally, I would recommend either creating a message filter to look at the Mail-From and From headers, or, if you're using AsyncOS 10+, taking advantage of Forged Email Detection.
Some Helpful Articles:
Thanks!
-Dennis M.