Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » Showing pass/fail of received-SPF (Showing pass/fail of received-SPF)
  •  
trifecta

Messages: 87
Karma: -2
Send a private message to this user
Can pass/fail SPF information be included in the message header, like in Yahoo or Gmail?


Received-SPF: pass (domain of skype.net designates 62.73.158.40 as permitted sender)

Received-SPF: pass (google.com: domain of bounces-3-30-5d-1c-59a67a-125b9<_at_>mx1....)

And while we're at the SPF topic, why were the incoming messages with no SPF record had not been rejected by SPF Spam filter that set to "Block the message"? Some of these messages were downloaded via Delivery service, some were received through SMTP.

Received-SPF: none (domain of domain.net does not designate permitted sender hosts)

-----------------
SPF Record Testing Tools
http://www.kitterman.com/spf/validate.html

[Updated on: Mon, 09 January 2012 21:53]

  •  
Radek Sip (Kerio)

Messages: 1137
Karma: 34
Send a private message to this user
We cannot block messages from domains without SPF record (I think 99% of domains), we can block messages where SPF is defined but IP address is not allowed -SPF failed. See Administrator's Guide for more.

Messages downloaded via POP3 client or ETRN are not checked to SPF, it should to do receiving SMTP server, not our POP3 client downloading currently delivered message.
Do not forget antispam features are not applied to trusted hosts, typically local network.
  •  
trifecta

Messages: 87
Karma: -2
Send a private message to this user
Radek Sip (KERIO) wrote on Tue, 10 January 2012 15:24
We cannot block messages from domains without SPF record (I think 99% of domains), we can block messages where SPF is defined but IP address is not allowed -SPF failed. See Administrator's Guide for more.

Messages downloaded via POP3 client or ETRN are not checked to SPF, it should to do receiving SMTP server, not our POP3 client downloading currently delivered message.
Do not forget antispam features are not applied to trusted hosts, typically local network.


At least, should Kerio added an Authentication-Results to the message header. Right now, I can't verify that email is coming from a trusted source for that domain without those information in the message header.

Something similar to this

Received-SPF: none (domain of xxxx.net does not designate permitted sender hosts)

and this

X-Originating-IP: [xx.xxx.xx.xxx]
Authentication-Results: mta1190.mail.sk1.yahoo.com from=xxxx.net; domainkeys=pass (ok); from=xxxx.net; dkim=pass (ok)


---------------
Right now these are all the information that Kerio could provided in the header.

Return-Path: <xxxx<_at_>xxxx.com>
X-Spam-Status: No, hits=0.0 required=4.0
tests=AWL: -1.616,BAYES_50: 1.567,HTML_MESSAGE: 0.001,
RDNS_NONE: 0,TOTAL_SCORE: -0.048,autolearn=no
X-Spam-Level:
Received: from bay0-omc1-s8.bay0.xxxx.com ([xx.xx.xxx.xx])
by xxxx.xxxx.com
for xxxxx<_at_>xxxx.com;
Sun, 29 Jan 2012 02:38:39 -0800
Received: from BAY167-DS38 ([xx.xx.xxx.xx]) by bay0-omc1-s8.bay0.xxxx.com with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 29 Jan 2012 02:38:14 -0800
X-Originating-IP: [xx.xxx.xx.xxx]
X-Originating-Email: [xxxx<_at_>xxxx.com]
Message-ID: <BAY167-DS3821C50566476DCC96C691F88C0<_at_>xxxx.xxx>
Return-Path: xxxx<_at_>xxxx.com


  •  
TorW

Messages: 769
Karma: 8
Send a private message to this user
Good idea. I have suggested this as an idea in the feedback forum (via the admin interface). Now go and vote Wink
  •  
Radek Sip (Kerio)

Messages: 1137
Karma: 34
Send a private message to this user
  •  
trifecta

Messages: 87
Karma: -2
Send a private message to this user
Version 7.3.2 added the verification information in the header for DKIM/DomainKeys, but still left out the SPF. What are about the servers that only have the SPF records?

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxxx.com; s=s1024; t=1328730630; bh=ctbdTvHvEEGbQxYzBsCCuMwkfDJGOyWXLgFy1AajkHA=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:F rom:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Typ e; b=VXXk8/sW6g4MojzeeEhYSmC69hcRGHh8mv8+KT28T6/N6TKuOTFZGmQNm7 8R+pvNnIo/U0rFB/UMYdgm0V3r1ePPNx7Y6if/FfWXXWFR+77q9WMXFBCiVq IYhJ75Xxlc8ji4j7dvCdYnDFWf2H+UvV6k6xXf8X0yJh4bt0Isjf0=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=xxxx.com; ....

No SPF verification information to be found anywhere in the header.
  •  
Pavel Dobry (Kerio)

Messages: 4212
Karma: 129
Send a private message to this user
No, it does not. The headers were already in the email when it was received by the server.

Failed SPF (ie. sender with email domain that have SPF and the IP address does not match) is indicated in X-Spam-Status header. What is the reason of adding new SPF headers to the email? Can you please explain?

Knowledge Base: http://kb.kerio.com/.
Looking for technical support? http://www.kerio.com/support
  •  
trifecta

Messages: 87
Karma: -2
Send a private message to this user
Pavel Dobry (Kerio) wrote on Wed, 08 February 2012 22:43


Failed SPF (ie. sender with email domain that have SPF and the IP address does not match) is indicated in X-Spam-Status header. What is the reason of adding new SPF headers to the email? Can you please explain?


Could you please post a few email header examples that showed pass/failed SPF in the X-Spam_Status? I looked in there and I can't find anything that relevant to SPF records.

For example, when I looked at this X-Spam-Status, I can't tell whether it passed the SPF check or not

X-Spam-Status: No, hits=0.0 required=4.0
tests=AWL: 0.074,BAYES_00: -1.665,HTML_IMAGE_RATIO_02: 0.383,
HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,RDNS_NONE: 0,
TOTAL_SCORE: -1.206,autolearn=no

This is the example of how it had been shown on

Yahoo! header

Received-SPF: none (domain of xxxx.net does not designate permitted sender hosts)
Received-SPF: pass (domain of xxxxxx.com designates xxx.xx.xx.xx as permitted sender)


and on Gmail header

Received-SPF: neutral (xxx.xx.xx.xx is neither permitted nor denied by domain of gmail.com)

They are all very clear and precised.

Thank you.

[Updated on: Wed, 08 February 2012 23:59]

  •  
TorW

Messages: 769
Karma: 8
Send a private message to this user
trifecta wrote on Wed, 08 February 2012 23:24

Could you please post a few email header examples that showed pass/failed SPF in the X-Spam_Status? I looked in there and I can't find anything that relevant to SPF records.

SPF checks will appear in the spam score summary only if you configure a spam score for failed SPF checks. Passed or unresolved SPF checks won't appear at all.

It will look like this (this is a real mail X-Spam-Status header from today):

X-Spam-Status: No, hits=0.0 required=4.7
	tests=SPF: 3.10,AWL: 0.114,BAYES_00: -2,
	HTML_MESSAGE: 0.001,LOC_NWORD: -1.2,RDNS_NONE: 0,
	TOTAL_SCORE: 0.015,autolearn=ham


This header was from a bulk mailing company which sends legitimate newsletters. This, and the fact that there are hundreds (if not thousands) of SPF record parsing error entries in warning.log every day, suggests that SPF is still a mystery for many mail admins.

That's why we need more visible debugging of SPF records, plus better handling of checks. Another MTA lets me handle SPF checks like this. I.e. I have to select one type of setup:

* Never do SPF lookups, don't create Received-SPF headers
* Only create Received-SPF headers, never block
* Use temporary errors when you have DNS lookup problems
* Reject mails when SPF resolves to fail (deny)
* Reject mails when SPF resolves to softfail
* Reject mails when SPF resolves to neutral
* Reject mails when SPF does not resolve to pass
Previous Topic: Failed POP3 login from <>
Next Topic: Archive folders
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Thu Oct 30 14:40:43 CET 2014

Total time taken to generate the page: 0.00709 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.