Issue Spam Messages

[LeighWhiting]

Hi All

I am hoping that someone can help me;

We had our server setup to SPF Checking Mode "Reject mail when SPF does not resolve to pass" and we had no spam messages at all but then found out that our customers, customers could no longer email our customers which obviously caused big issues so i have had to set the mode back to "Only create Received-SPF headers, never block" which now allows our customers to be emailed by their customers as well as spammers!

I have been looking into which rule would best suite and i am getting myself a little confused, i guess! because the discription on 3, 4 & 5 are very similar...

1. Only create Received SPF-headers, never block - to accept all incoming messages regardless of SPF check results.
2. Use temporary error notices when you have DNS lookup problems - to accept all incoming messages regardless of SPF check results, even if SPF check failed due to DNS lookup problems.
3. Reject mail if SPF resolves to “fail” (deny) - to reject messages from senders who are not authorized to use the domain in question.
4. Reject mail if SPF resolves to “softfail” - to reject the messages from senders who cannot be identified by SPF system as authorized or are not authorized because the domain has no SPF records published.
5. Reject mail if SPF resolves to “neutral” - to reject the messages from senders who cannot be identified by SPF system as authorized or are not authorized because the domain has no SPF records published.
6. Reject mail if SPF does not resolve to “pass” - to reject the messages that do not pass SPF check for any reason (for example, when sender’s domain does not implement SPF and SPF checking returns the “unknown” status).

I have viewed some of the email headers and 1 of them is below which states SPF None so how would i block these kind of messages but not block our customers customers. the other factor is the IP and domain constantly change

Received: from 531crft.smartsight.us (srv2.cp-xeon.live [23.94.160.229])
by vps2.xxxxx.com (Postfix) with ESMTP id 47B26C59E4
for <[email protected]>; Mon, 8 Nov 2021 14:17:45 +0000 (GMT)
Authentication-Results: vps2.xxx.com;
dmarc=none (p=NONE sp=NONE) smtp.from=smartsight.us header.from=smartsight.us;
spf=none (sender IP is 23.94.160.229) smtp.mailfrom=[email protected] smtp.helo=531crft.smartsight.us
Received-SPF: none (vps2.hubenterprise.com: no valid SPF record)
Received: from 00c93b68.531crft.smartsight.us ([127.0.0.1]:15607 helo=531crft.smartsight.us)
by 531crft.smartsight.us with ESMTP id 00MUJINXGSNVC93BHBGDCVVJMD68;
for <[email protected]>; Mon, 8 Nov 2021 06:17:43 -0800

Thank you in advanced.

 

[Kaspar]

I have been looking into which rule would best suite and i am getting myself a little confused, i guess! because the discription on 3, 4 & 5 are very similar...

1. Only create Received SPF-headers, never block - to accept all incoming messages regardless of SPF check results.
2. Use temporary error notices when you have DNS lookup problems - to accept all incoming messages regardless of SPF check results, even if SPF check failed due to DNS lookup problems.
3. Reject mail if SPF resolves to “fail” (deny) - to reject messages from senders who are not authorized to use the domain in question.
4. Reject mail if SPF resolves to “softfail” - to reject the messages from senders who cannot be identified by SPF system as authorized or are not authorized because the domain has no SPF records published.
5. Reject mail if SPF resolves to “neutral” - to reject the messages from senders who cannot be identified by SPF system as authorized or are not authorized because the domain has no SPF records published.
6. Reject mail if SPF does not resolve to “pass” - to reject the messages that do not pass SPF check for any reason (for example, when sender’s domain does not implement SPF and SPF checking returns the “unknown” status).

You can consider the SPF rules listed as ranked from basically "No SPF protection" (rule 1 and 2) to "Very strict protection" (rule 6). As you've discovered the hard way the 6th rule (Reject mail if SPF does not resolve to pass) is very strict and will block any email message unless the sender has a valid SPF. So even email messages from senders without any SPF are block. And unfortunately many domain owners haven't setup setup SPF for their domains. So all those email message will get blocked.

Rules 3, 4 and 5 each become slightly more strict. They block email messages based on the different SPF validation results: fail, soft fail or neutral. You'll have to read up on how SPF works exactly if you want to know the differents. You'll have to consider if you want to enforce a strict SPF policy and potentially block 'legit' email messages as well. Or a more lenient SPF policy and thus also allow more spam to pass.

Your safest option would be to go with rule 3. It will never block all spam (nor will any of the other rules). You'll need to configure additional anti spam measures. Such as using DNSBL's and SpamAssassin. If you not familair with setting those up yourself or do not wish to spent too much time on managing anti spam measures, I can highly recommended the Warden Anti-spam and Virus Protection extension.

 

[mow]

Your safest option would be to go with rule 3.

Yes, that's the usual setting.

btw, the distinction between fail and softfail is in the spf setting of the domain itself: If the spf record has e.g. -all, all unlisted IPs will fail, if it has ~all, they will softfail.
Usually softfail is for testing where you (only) want to get notification in the headers when a mail softfails (e.g. because you forgot to list an IP) but the mail should still be delivered. After you have listed all necessary systems, change to -all so mails sent from other IPs will hard-fail on all systems that have set at least rule 3.