Whitelist a domain from SPF checks


I have a customer with an invalid SPF record, which (as expected) causes their messages to be rejected. As yet I've not been able to get them to fix it, so I would like to have their domain white-listed from the check, but so far I've been unsuccessful in getting this configured.

I have added their domain to the following white-lists:

  • Approved Senders list
  • Approved domain to IP list
  • Domain to IP white-list (under the greylist/SPF heading)

I have also created a transport rule for messages from their domain that fail the SPF check to skip the anti-spam scan, but neither of these things has helped.

What should I be doing to ensure this mail is delivered, or is it simply not possible to allow for a bad SPF record?

Many thanks!


  • ESET Staff

Hi Russ,

SPF uses only IP whitelists (or domain to IP). The Approved senders list is not used in SPF; it applies only to antispam. The domain to IP lists should work - you could compare the resolved IP addresses in the GUI with the connecting IP (maybe it wasn't resolved?). The rule you created didn't work because if "Automatically reject messages if SPF fails" is enabled, SPF is evaluated right on the MAIL FROM command and, if it fails, the message is rejected right away and no rules/antispam are evaluated.

To handle SPF in rules, disable the setting "Automatically reject messages if SPF fails" and then create a rule. It could look like:

Condition 1 - Sender's IP address is not (list of customer's IPs)
Condition 2 - SPF result is Failed
Action - Reject message (You should test it with "Log to events" action first to see if it works correctly)

or a simple version (but this one will not protect against spoofing of their own domain)
Condition 1 - Sender's domain is not mydomain.com
Condition 2 - SPF result is Failed
Action - Reject message

Edited by filips
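
The two rule variants from the answer above, modelled in Python as an added example (not part of the original posts and not ESET's rule engine). The domain name, IP ranges, sample messages and the `continue` outcome are constructed assumptions; the comparison shows why the simple version does not protect against spoofing of the exempted domain.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: documentation IP ranges and placeholder domains.
CUSTOMER_DOMAIN = "customer.example"
CUSTOMER_NETS = [ipaddress.ip_network("192.0.2.0/28")]

@dataclass
class Msg:
    connecting_ip: str
    mail_from_domain: str
    spf_result: str  # "pass", "fail", "none", ...

def from_customer_ip(msg):
    """True if the connecting IP is in the customer's known sending ranges."""
    ip = ipaddress.ip_address(msg.connecting_ip)
    return any(ip in net for net in CUSTOMER_NETS)

def rule_ip_based(msg):
    """Condition 1: sender IP is not a customer IP; Condition 2: SPF failed."""
    if not from_customer_ip(msg) and msg.spf_result == "fail":
        return "reject"
    return "continue"  # assumed: message goes on to later rules / antispam

def rule_domain_based(msg):
    """Simple version: sender domain is not the exempted domain; SPF failed."""
    exempt = msg.mail_from_domain.lower() == CUSTOMER_DOMAIN
    if not exempt and msg.spf_result == "fail":
        return "reject"
    return "continue"

# Constructed sample messages, one per case worth checking.
SAMPLES = {
    "customer, real server, broken SPF": Msg("192.0.2.5", "customer.example", "fail"),
    "customer domain spoofed from elsewhere": Msg("203.0.113.77", "customer.example", "fail"),
    "unrelated domain, SPF fail": Msg("198.51.100.9", "other.example", "fail"),
    "unrelated domain, SPF pass": Msg("198.51.100.9", "other.example", "pass"),
}

def compare():
    """Return {case: (ip_rule_outcome, domain_rule_outcome)}."""
    return {name: (rule_ip_based(m), rule_domain_based(m)) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ip_rule, dom_rule) in compare().items():
        print(f"{name:40} ip-rule={ip_rule:9} domain-rule={dom_rule}")
```

Only the second case differs between the two rules: the IP-based rule rejects it, while the domain-based rule lets it continue.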