spam filtering services fail spf check
Question asked by Russ Michaels - March 10, 2016 at 5:36 AM
Since we tweaked our spam settings to reject any mail which fails an SPF check, we have started to get complaints from customers who are using a mail filtering service, such as barracuda.
I had rather expected that the anti-spam checks would be smart  enough to check the ORIGINAL sender IP and not the IP of  the anti-spam gateway,  is this not the case ?
Do I really have to go through and whitelist every spam filter service to avoid this problem, or am I missing somehting ?

2 Replies

Reply to Thread
Merle Wait Replied
Not sure I understand.  The inbound email's -domain  From:  - is validated against the sending SPF framework for that same domain.right? (so the filtering on SmarterMail - should match what, say... 
On our own settings for SPF and spam settings... we take that into consideration.... but don't flunk those that fail SPF; because there are ALOT of major companies / email providers - that flunk their own SPF.
I have had trouble with Barracuda and our outgoing mail before.... but it was a matter of lining up the SPF approved I/Ps for the outbound servers  vs. the SPF record.
Russ Michaels Replied
I cannot really manually validate the spf record of every domain that sends them mail. But use of mail filtering services is very common, the mail is delivered to the filtering service and then forwarded to the actual mail server. But this obviously results in the sender IP showing as the filtering server and not the original ISP, and so fails the SPF check. So my point was that the original seder IP should be in the headers, so smartermail really should pick this up that it is being forwarded by a gateway and not fail the spf check

problem is that if you do not block mail which has an SPF record but fails the test, then it is pretty much pointless even using SPF as the mail is just let through anyway, and this makes a huge difference to the amount of spam received.

Reply to Thread