Overview
Users may receive Delivery Status Notification emails similar to the following regarding SPF failures:
Delivery to the following recipients failed permanently:
Reason: There was an error while attempting to deliver your message with [Subject: "test"] to support@external_domain.com. MTA smtpa06-05.prod.phx3.secureserver.net received this response from the destination host IP - x.x.x.x - 550, 550 5.7.0 Please see http://www.openspf.net/why.html?sender=johndoe%40connect_domain.com
Information
The Sender Policy Framework (SPF) filter works very similarly to Caller ID, but it uses mechanisms and qualifiers. You can define authorized IPs based on the MX record, the A record, or even the SPF records of other domains. The qualifier is indicated at the end of the SPF record, and it instructs the receiving server what to do with the email. These are the most common qualifiers:

| Qualifier | Result and Action | Description |
|-----------|-------------------|-------------|
| + | Pass (Accept) | The SPF record designates the host to be allowed to send. |
| - | Fail (Reject) | The SPF record has designated the host as NOT being allowed to send. |
| ~ | SoftFail (Accept but Mark) | The SPF record has designated the host as NOT being allowed to send but is in transition. |
| ? | Neutral (Accept) | The SPF record specifies explicitly that nothing can be said about the validity. |

For Fail (or HardFail) SPF results, Kerio Connect can block the message, increase the spam score, or log it in the Security log. Kerio Connect does not block SoftFail, but it increases the spam score of emails. IP Address Groups can be excluded from the SPF check.
The SPF record is also created in the DNS as a TXT record. Below is an example of an SPF record for the teamaviola.com domain:
v=spf1 mx ip4:45.76.50.17 -all
The qualifier used is the MX record, and the only authorized IP address is 45.76.50.17. If Kerio Connect (with SPF enabled) receives an email from someone pretending to be from teamviola.com and sees that the MX is different, the qualifier dictates that the emails should be rejected.
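The evaluation described above can be traced with a small SPF checker; this is an added example, not Kerio Connect's code. `MX_IPS` is a constructed stand-in for DNS lookups, `203.0.113.25` is a constructed sender address, and only the `all`, `ip4`/`ip6` and `mx` mechanisms are handled.

```python
import ipaddress

# Qualifier -> SPF result, from the table above. A mechanism written without
# a qualifier defaults to "+".
RESULTS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

# How the article says Kerio Connect treats each result.
ACTIONS = {
    "Pass": "accept",
    "Neutral": "accept",
    "SoftFail": "accept, increase spam score",
    "Fail": "block, increase spam score, or log (as configured)",
}

# Constructed stand-in for DNS: IPs of each domain's MX hosts (assumption).
MX_IPS = {"teamaviola.com": ["45.76.50.17"]}


def check_spf(record, sender_ip, domain):
    """Evaluate sender_ip against an SPF TXT record; first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = MX_IPS.get(arg or domain, [])
            matched = ip in [ipaddress.ip_address(h) for h in hosts]
        else:
            raise ValueError(f"mechanism not handled in this example: {term}")
        if matched:
            return RESULTS[qualifier]
    return "Neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    record = "v=spf1 mx ip4:45.76.50.17 -all"  # record from the article
    for sender in ("45.76.50.17", "203.0.113.25"):  # second IP is constructed
        result = check_spf(record, sender, "teamaviola.com")
        print(sender, result, "->", ACTIONS[result])
```

Swapping `-all` for `~all` in the record turns the second result into SoftFail, which is the case where Kerio Connect raises the spam score instead of blocking.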
Greylisting
Greylisting is an anti-spam method that temporarily rejects messages from unknown senders. Kerio Connect's implementation of Greylisting may be different from other anti-spam software such as GFI MailEssentials, which looks at the triple (sender IP, sender email, and recipient email) to decide whether an email should be greylisted. In Kerio Connect, we only look at the sender IP address and check it against the Kerio Greylisting servers.
With greylisting enabled, the following happens when Kerio Connect receives a message:
1. Kerio Connect contacts the greylisting server and provides information about the message. The greylisting server includes a list of trustworthy IP addresses.
2. If the list contains the message sender's IP, the message passes the greylisting check immediately.
3. If the list does not contain the sender's IP address, the greylisting server delays the delivery. A trustworthy mail server tries to redeliver messages later. Spam senders usually do not.
4. Once the message is received again, the Kerio Greylisting Service adds the sender's IP address to the whitelist. All future messages from this sender will pass the greylisting check immediately (see step 2).
NOTE: IP Address Groups can also be excluded from Greylisting.