Hello Wuti,
I’ll provide more details below as it seems I was not clear enough.
When you are enabling one of the SPF methods (on Ehlo or on MailFrom) you could have 3 possible cases:
1/ there is no SPF DNS record = in WebAdmin: no SPF records published
In this case you (as Axigen admin) have to choose one of the possible actions: Deliver (default action) or Reject the message.
Let’s say that one domain from which you are receiving messages does not have an SPF record, so Axigen is asking you what to do in this case:
- Are you very strict with your inbound policy and would you like to accept messages only from domains that have an SPF record? Then choose Reject the message
- Otherwise choose Deliver the message
An example from the last couple of days: the domain louisdreyfus.it has no SPF (actually no MX as well), but we see messages claiming to be sent from this domain originating from several IPs that are all present in several DNSBL lists.
2/ the SPF DNS record is present but has syntax errors = in WebAdmin: SPF checking results in error
In this case you (as Axigen admin) have to choose one of the possible actions: Deliver (default action) or Reject the message (like above).
Let’s say that one domain from which you are receiving messages has at least one SPF record, but it is invalid due to syntax error(s) (like multiple SPF records or any other ones related to SPF), so Axigen is asking you what to do in this case:
- Are you very strict with your inbound policy and would you like to accept messages only from domains that have a valid SPF record? Then choose Reject the message
- Otherwise choose Deliver the message
Some examples from today:
- more than one SPF record >> usvisa-info.com
$ dig txt +short usvisa-info.com | grep -i spf
"v=spf1 include:amazonses.com -all"
"v=spf1 include:authsmtp.com include:aspmx.googlemail.com include:_spf.google.com include:mailgun.org ~all"
- syntax error >> shimano.com
$ dig txt +short shimano.com | grep -i spf
"v=spf1 mx a: ip4:8.7.144.24 include:mailgun.org include:zcsend.net ~all"
Hint: the presence of a: made the SPF record invalid
3/ the SPF DNS record is present and is syntactically correct >> in this case the server will perform the action instructed by the SPF policy in the DNS record and there are no options to choose from
When our clients do not like to be bothered by “no delivery reports” from their remote parties our usual recommendation is to enable only SPF on MailFrom and to choose Deliver the message for both cases mentioned above (at 1/ and 2/).
HTH,
Ioan
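
An added example, not part of Ioan's post and not Axigen's code: a simplified Python check that sorts a domain's TXT records into the three cases described above, using the two dig outputs quoted in the post plus two constructed domains (no-spf.example, ok.example). The term grammar is a reduced form of RFC 7208 that does not validate macros, and the function names and case labels are assumptions.

```python
import re

# Reduced RFC 7208 term grammar (assumption: macros in domain-specs are not validated).
DOMAIN = r"[^\s/:][^\s/]*"
CIDR = r"(?:/\d{1,3})?(?://\d{1,3})?"
TERM = re.compile(
    r"^(?:[+\-~?]?(?:all"
    rf"|(?:a|mx)(?::{DOMAIN})?{CIDR}"        # "a:" with an empty domain fails here
    rf"|ptr(?::{DOMAIN})?"
    rf"|(?:include|exists):{DOMAIN}"
    r"|ip4:\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?"
    r"|ip6:[0-9a-f:.]+(?:/\d{1,3})?)"
    r"|[a-z][a-z0-9_.-]*=\S*)$",             # modifiers: redirect=, exp=, unknown
    re.IGNORECASE,
)

def spf_records(txt_records):
    """Return the TXT strings that are SPF records (version tag v=spf1)."""
    return [t for t in txt_records if re.match(r"v=spf1(?: |$)", t, re.I)]

def classify(txt_records):
    """Map a domain's TXT records to case 1/, 2/ or 3/ of the post."""
    found = spf_records(txt_records)
    if not found:
        return "no-record", []                      # case 1/
    if len(found) > 1:
        return "error", ["multiple SPF records"]    # case 2/
    bad = [t for t in found[0].split()[1:] if not TERM.match(t)]
    if bad:
        return "error", [f"bad term {t!r}" for t in bad]  # case 2/
    return "valid", []                              # case 3/

SAMPLES = {
    # TXT values as quoted in the post
    "usvisa-info.com": [
        "v=spf1 include:amazonses.com -all",
        "v=spf1 include:authsmtp.com include:aspmx.googlemail.com "
        "include:_spf.google.com include:mailgun.org ~all",
    ],
    "shimano.com": ["v=spf1 mx a: ip4:8.7.144.24 include:mailgun.org include:zcsend.net ~all"],
    # constructed sample inputs
    "no-spf.example": ["site-verification=constructed"],
    "ok.example": ["v=spf1 mx ip4:192.0.2.10 -all"],
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, *classify(txt))
```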