SPF Verification Best Practices

abdulhadizamri (Level 1)

Hi Support Community,

I just configured SPF verification on my ESA. In content filtering I created two filters, Softfail and Hardfail.

After a week of monitoring these settings, we found that some email was not being delivered and was hitting the SPF-Softfail filter.

Kindly advise on how to fine-tune the SPF verification settings. Is there a best-practice configuration for SPF?

Accepted Solution

Hello,

You may be getting false positives from sending companies that do not have their SPF record set up properly, but that is only my assumption, since no logs were provided for the messages triggering the SPF filter.

Because of this, you may wish to trigger only on hard fail, which is used more by companies that have their SPF record dialed in.

Thanks!

-Dennis M.


6 Replies

Libin Varghese (Cisco Employee)

Hi,

I do not think there is a best-practice configuration for SPF, because the requirements vary from one organization to another. You can, however, go through the published article below:

http://www.cisco.com/c/dam/en/us/products/collateral/security/esa-spf-dkim-dmarc.pdf

You can also refer to the Advanced User Guide to review how SPF works:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa7-6/ESA_7-6_AdvancedGuide.pdf

Page 5-23

Thank You!

Libin Varghese

I have followed the SPF Recommended Deployment, but too many false-positive emails fall into the quarantine.

So I am looking for a solution for fine-tuning the SPF settings.

See my comment above.


marc.luescherFRE (Spotlight)

Let me tell you what we are doing:

a) We have three GUI-based filters: SPF pass, suspect and fail. Each of them inserts a custom header and copies the incoming message into a quarantine, where we keep the mail for 28 days for analysis.

b) We have a CLI filter which takes it from there:

      if interface incoming
        if domain not whitelisted for this SPF feature
           notify domain owner that SPF is failing and what to do to fix it
           and add domain to whitelist for this SPF feature

c) For email where the SPF record is failing, we have a more complex validation filter which strips the From address so the envelope sender is always displayed.

sdonovan123 (Level 1)

Currently my company does SPF and DKIM validation and actions the results this way:

  1. Softfails only in mailfrom, PRA or helo: let them pass to the end user.
  2. Hardfails in mailfrom, PRA or helo: send them to the end user's quarantine. This way they can release them if they want to.
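As an added example (not code from this thread, from Cisco, or from the ESA), the following Python script shows why the same unauthorized source IP produces a hardfail for one sender domain and a softfail for another, which is the distinction Dennis M. relies on when suggesting to act only on hard fail, and how the per-identity policy from the last post (softfail delivers, hardfail quarantines) combines with a per-domain exemption list like the whitelist in marc.luescherFRE's CLI filter. The DNS records, domain names, exemption list and action mapping are constructed assumptions; the evaluator is a deliberately minimal RFC 7208 subset (ip4, ip6, include, all) and not the ESA's own SPF engine.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. Hypothetical domains and
# records using documentation address ranges; nothing here is a real zone.
FAKE_TXT = {
    "strict.example":      "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "lenient.example":     "v=spf1 ip4:198.51.100.10 ~all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/26 -all",
    "v6.example":          "v=spf1 ip6:2001:db8::/32 -all",
}

# RFC 7208 qualifier -> result returned when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, depth=0):
    """Minimal SPF check for one identity (mailfrom, PRA or HELO domain).

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    a, mx, ptr, exists and redirect= are deliberately not modelled.
    """
    record = FAKE_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"              # domain publishes no SPF record
    if depth > 10:
        return "permerror"         # RFC 7208 limit on include nesting
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"            # mechanisms default to "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]   # "-all" -> fail, "~all" -> softfail
        if mech.startswith(("ip4:", "ip6:")):
            # ipaddress returns False for a v4 address tested against a v6 network
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech.startswith("include:"):
            # include: matches only when the referenced record yields "pass"
            if evaluate_spf(term[8:], client_ip, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        # any other mechanism is ignored by this toy evaluator
    return "neutral"               # nothing matched and no explicit "all"


# Hypothetical per-domain exemption list: sender domains whose owners have been
# told their SPF is broken and are exempted from the filter until they fix it.
SPF_EXEMPT_DOMAINS = {"legacy-partner.example"}


def spf_policy(client_ip, mailfrom_domain, pra_domain, helo_domain):
    """Evaluate all three identities and map the worst result to an action.

    Assumed policy, mirroring the last post: a hardfail on any identity sends
    the message to the user's quarantine; a softfail only is delivered but
    tagged; everything else is delivered. Exempted domains bypass the filter.
    """
    if mailfrom_domain.lower() in SPF_EXEMPT_DOMAINS:
        return {"action": "deliver", "reason": "domain exempt from SPF filtering",
                "results": {}}
    results = {
        "mailfrom": evaluate_spf(mailfrom_domain, client_ip),
        "pra": evaluate_spf(pra_domain, client_ip),
        "helo": evaluate_spf(helo_domain, client_ip),
    }
    if "fail" in results.values():
        action, reason = "quarantine", "SPF hardfail"
    elif "softfail" in results.values():
        action, reason = "deliver", "SPF softfail (tag with a custom header)"
    else:
        action, reason = "deliver", "no SPF failure"
    return {"action": action, "reason": reason, "results": results}


if __name__ == "__main__":
    # Same unauthorized source IP, two sender domains: one publishes -all, one ~all.
    for domain in ("strict.example", "lenient.example"):
        print(domain, "from 192.0.2.5 ->", evaluate_spf(domain, "192.0.2.5"))
        print(domain, "from 198.51.100.10 ->", evaluate_spf(domain, "198.51.100.10"))
    print(spf_policy("192.0.2.5", "lenient.example", "lenient.example", "mx.lenient.example"))
    print(spf_policy("198.51.100.10", "strict.example", "strict.example", "mx.strict.example"))
```

Running it shows that 198.51.100.10 is authorized for lenient.example but gets a hardfail from strict.example, while 192.0.2.5 is the reverse and only softfails against lenient.example; a softfail-quarantine filter would hold that second message even though lenient.example's owner explicitly chose ~all, which is the false-positive pattern the original poster describes.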