Axigen 10.2.2.70 in menu Security & Filtering -> Additional AntiSpam method. The SPF (Sender Policy Framework) section has an option to choose whether Axigen will deliver or drop the message if SPF checking results in an error. However, an SPF check error could be of many types, such as:
Malformed SPF (wrong syntax)
Soft error, where the sender IP does not match the identities specified in the SPF record, but the SPF directive is defined with the soft fail symbol ~
Other kinds of possible SPF errors; I don’t know, maybe more.
There are many ways for SPF to be erroneous, but only one way for it to be correct. I am not sure whether choosing “Reject the message” on SPF error includes all types of possible SPF checking errors?
When you enable one of the SPF methods (on Ehlo or on MailFrom) you have 3 possible cases:
1/ no DNS record >> so you have to choose one of the possible actions: Deliver or Reject the message
2/ the DNS record is present but has syntax errors >> so you have to choose one of the possible actions (like above)
3/ the DNS record is present and is syntactically correct >> in this case the server will perform the action instructed by the SPF policy mentioned in the DNS record
Does this make sense?
HTH,
Ioan
PS: we highly recommend this online tool to check for SPF syntax errors
I’ll provide more details below as it seems I was not clear enough.
When you enable one of the SPF methods (on Ehlo or on MailFrom) you could have 3 possible cases:
1/ there is no SPF DNS record = in WebAdmin: no SPF records published
In this case you (as Axigen admin) have to choose one of the possible actions: Deliver (default action) or Reject the message
Let’s say that one domain from which you are receiving messages does not have an SPF record, so Axigen is asking you what to do in this case:
Are you very strict with your inbound policy and would you like to accept messages only from domains that have an SPF record? Then choose Reject the message
Otherwise choose Deliver the message
An example from the last couple of days: domain louisdreyfus.it has no SPF (actually no MX as well) but we see messages claimed to be sent from this domain originating from several IPs that are all present in several DNSBL lists.
2/ the SPF DNS record is present but has syntax errors = in WebAdmin: SPF checking results in error
In this case you (as Axigen admin) have to choose one of the possible actions: Deliver (default action) or Reject the message (like above).
Let’s say that one domain from which you are receiving messages has at least one SPF record but it is invalid due to syntax error(s) (like multiple SPF records or any other ones related to SPF), so Axigen is asking you what to do in this case:
Are you very strict with your inbound policy and would you like to accept messages only from domains that have a valid SPF record? Then choose Reject the message
Otherwise choose Deliver the message
Some examples from today:
more than one SPF record >> usvisa-info.com
$ dig txt +short usvisa-info.com | grep -i spf
"v=spf1 include:amazonses.com -all"
"v=spf1 include:authsmtp.com include:aspmx.googlemail.com include:_spf.google.com include:mailgun.org ~all"
3/ the SPF DNS record is present and is syntactically correct >> in this case the server will perform the action instructed by the SPF policy mentioned in the DNS record and there are no options to choose from
When our clients do not like to be bothered by “no delivery reports” from their remote parties our usual recommendation is to enable only SPF on MailFrom and to choose Deliver the message for both cases mentioned above (at 1/ and 2/).
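
Added example, not part of the original posts and not Axigen's code: a small Python classifier that sorts a domain's TXT records into the three cases described in the thread (no SPF record, SPF record with errors, valid record). The function names are hypothetical, the syntax check is a simplified subset of RFC 7208 (it does not validate IP literals, domain names or macros), and the sample records are the two usvisa-info.com strings quoted above.

```python
import re

# Mechanism names defined by RFC 7208; anything else is a syntax error.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_VALUE = {"include", "ip4", "ip6", "exists"}
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=\S*$")
MECHANISM = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)([:/]\S*)?$")

# The two TXT strings shown in the dig output quoted in the thread.
PAGE_SAMPLE = [
    "v=spf1 include:amazonses.com -all",
    "v=spf1 include:authsmtp.com include:aspmx.googlemail.com "
    "include:_spf.google.com include:mailgun.org ~all",
]


def spf_records(txt_records):
    """Keep only TXT strings that carry the SPF version tag v=spf1."""
    return [t for t in txt_records
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def term_is_valid(term):
    """Simplified check of one term (mechanism or modifier)."""
    if MODIFIER.match(term):              # redirect=, exp=, unknown modifiers
        return True
    m = MECHANISM.match(term)
    if not m or m.group(1).lower() not in MECHANISMS:
        return False
    name, arg = m.group(1).lower(), m.group(2)
    if name in NEEDS_VALUE:               # e.g. include: must name a domain
        return bool(arg) and arg.startswith(":") and len(arg) > 1
    if name == "all":                     # "all" takes no argument
        return arg is None
    return True


def classify(txt_records):
    """Return (case, detail), numbering the cases 1/ 2/ 3/ as in the thread."""
    spf = spf_records(txt_records)
    if not spf:
        return 1, "no SPF record published"
    if len(spf) > 1:
        return 2, "more than one SPF record"
    bad = [t for t in spf[0].split()[1:] if not term_is_valid(t)]
    if bad:
        return 2, "syntax error in: " + " ".join(bad)
    return 3, "valid record, policy in the record decides"
```

Cases 1 and 2 are the ones where the admin-selected Deliver or Reject action applies; case 3 leaves the outcome to the sender's published policy.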