We have our servers set to SPF checking on, and checking mode set to 'Reject mail when SPF resolves to "fail" (deny)'. This works great when a forged third party email comes in where the sender domain has an explicit SPF record. The issue we're having is that the filter does not appear to reject email if the forged sender domain is a locally hosted domain. For example:
Spam message #1
From: [email protected]
To: [email protected]
Delivered by: remote hacked server
That would be rejected.
Spam message #2
From: [email protected]
To: [email protected]
Delivered by: remote hacked server
That one would be accepted even though it fails SPF. The header "Received-SPF: none (no valid SPF record)" will be present in the headers of the message even though the domain in question does have a valid SPF record. So it seems to not do a lookup if the domain is local. We don't have any scenarios where a non-authenticated remote email would be coming into a user using their own email address, so we'd like to block those.
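To see why a skipped lookup surfaces as "Received-SPF: none" while a real evaluation of the same message would return "fail", here is a small SPF evaluator over a constructed zone (an added illustration, not code from the original post or any mail filter). The domain names, IP addresses and SPF records are made up, and only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS: a locally hosted domain with a strict SPF policy
# that also delegates to a third-party mail host via include.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.10 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain):
    """Return the single v=spf1 TXT record for a domain, or None (result 'none')."""
    records = [r for r in ZONE.get((domain, "TXT"), []) if r.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None

def check_spf(client_ip, domain, depth=0):
    """Evaluate the sending IP against the domain's SPF record (RFC 7208 subset)."""
    if depth > 10:            # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    client = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            # A version mismatch (v4 client vs ip6 network) simply does not match.
            if client in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            if check_spf(client_ip, argument, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"            # record exhausted without a match or an 'all'

def filter_result(client_ip, mail_from_domain, local_domains, skip_local):
    """Model the filter: skip_local=True reproduces 'none' for a local sender domain,
    skip_local=False performs the lookup regardless of where the domain is hosted."""
    if skip_local and mail_from_domain in local_domains:
        return "none"
    return check_spf(client_ip, mail_from_domain)
```

With `skip_local=True` a message from an unauthorised remote IP claiming the local domain scores "none" and is accepted; with the lookup performed it scores "fail" and would be rejected under the configured policy.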