Hi,

is there a SPF fail for this e-mail?

Because trusted senders need at least SPF to be valid or not set.

SR

Where can I find the setting of the SPF configuration to be set as valid or not set?

Thanks

It's not a setting, it's the result of the SPAM check. It checks if the ip address of the sender is valid for the configured SPF entry for the sender domain.

If this check fails the trusted sender thing is not effective.

Based on the SPF check with MXTools, the email passed the SPF check. The domain was also added as trusted domain. Yet it still went into the Junk Folder.

This is what is shown on the Email header:

X-SmarterMail-Spam: Reverse DNS Lookup [Passed], SpamAssassin 0 [raw: 0], SPF_Pass, DK_None, DKIM_Fail
X-SmarterMail-TotalSpamWeight: 20 (Trusted Sender - User, failed DKIM) 

The answer is in your reply :)

X-SmarterMail-TotalSpamWeight: 20 (Trusted Sender - User, failed DKIM)  

as for SPF it also needs DKIM to pass to take trusted sender into account.

So to resolve, modify the domains spam settings or disable DKIM checks on the mail server.

Does that mean even if the user trust the user and/or domain, but the email still fails the DKIM or the SPF records, it will still land in the Junk Folder?

Also, the DKIM setting is set as follows:

But the email header is as follows:

X-SmarterMail-Spam: Reverse DNS Lookup [Passed], SpamAssassin 0 [raw: 0], SPF_Pass, DK_None, DKIM_Fail
X-SmarterMail-TotalSpamWeight: 20 (Trusted Sender - User, failed DKIM)  

The TotalSpamWeight is 20 but the DKIM failed Weight is set to 30, why does the email failed in the DKIM check?

Also, what is the point of trusting an email user or domain when it is still processed by the DKIM or SPF check. Obliviously, the user knows that certain email accounts are to be their regular senders in which they do not want to see them landed in the Junk Folder. What is the better way to resolve this? 

Thanks 

While I can't answer for SmarterTools, I think they do it like this because they assume that a mail failing the SPF or DKIM checks means that it is probably be a spammer faking the from address/domain you added to trusted sender, which it could be.

Basically if the SPF or DKIM fails, the sender has to check his SPF/DKIM configuration and fix the issue on their side as anyway it would cause them troubles not only when sending message to your server.

The trusted sender is aimed to skip other spam checks that could lead to false positive, like for example mail content spam checks etc.

At least that's how I understood it.

Maybe it would be nice to have some settings to turn on/off the strict checking of SPF/DKIM for addresses/domain added in trusted senders, so you can choose how you want your server to act about this.

For the 30 DKIM score versus your 20 TotalSpamWeight, I have no idea. Maybe you have another rule that adds -10 ? or this is a bug.

Maybe ST staff can answer it.

 

@Sébastien Riccio 

You are correct, these checks basically can guarantee to us the server that sent us the email (SPF) was specifically allowed to send that email. By using one or both of these checks you guarantee that the person sending the email was the original person sending the email and not someone trying to imitate a trusted sender.

The reason we REQUIRE this... Spammers could actively abuse these holes to GUARANTEE that their malicious payloads are getting to their intended targets. Trusted sender gives a ton of trust to the sender and because of this amount of trust we can only trust an email that does not fail any of those 2 checks.

I support Sébastien Riccio  that SM should allow an option to bypass the DKIM and SPF check. This is because the user finds it irritating that such option to trust an email user but still landed in the Junk Folder. This defeats the purpose of trusting an email or a domain if there is still a check required for DKIM and SPF check. 

I am not sure if in other email server such as Office 365, the user can bypass such DKIM and SPF checks once the email account has been trusted.

The only way I could see that not going horribly wrong is if each trusted sender was given the ability to bypass the SPF and DKIM. Otherwise this literally gives a free pass for any third party actor to guarantee their malicious files and spam hits your business or customer. Honestly, I would not be able to sleep at night knowing that I have a huge passively-abused security hole such as this, especially if it could be applied to the entire server.

We actually had an bug internally that basically didn't fail bad DKIM/SPF trusted senders that originated from your contact list. Smartertools.com and our other various domains were hit massively by spam and we could not figure out why. Some of us were seeing 30+ messages a day from spammers. Ultimately we found they were spoofing themselves as commonly found usernames on the local domain. Thankfully we caught this before even going into BETA with the (trusted sender - contacts) feature. But this is just an anecdote of how bad ignoring DKIM/SPF can be.

Dear Matt,

Thanks for the feedback. But the problem is that the email accounts are from respectable banks in Singapore. They provide trusted service. We cannot control how they configure their SPF and DKIM but at least the user knows they are receiving from trusted users from certain domain. Whether if the domain or trusted user is spamming, it is up to the user to control. If it gets into way, we will then block the their trusted user manually.

It is strange that a serious Bank has issues with it's DKIM configuration.

Is the mail sent directly from the bank mailserver to your smartermail server or does it goes through intermediate servers (such as forwaring or incoming/outgoing gateways). Maybe the DKIM information is corrupted on the way?

You should probably get some more informations in the received mail headers.

Also, it may not be the Bank has issue on the DKIM configuration. We have reported to SM about the bugs found in the SPF months ago with a ticket and they could not find the problems. It is bugging and in future, if this continues, it will irritate our customers and we might just lose customers.

If you send me the header of the email, you can do this privately via DM on community, I can manually check their SPF/DKIM information and see if it is valid. There are no known issues in Current SM for SPF and DKIM.

Dear Matt, 

Actually, I have already logged a ticket on the SPF error since October 2018. The ticket has been going to and fro without any solution. You might want to look at the ticket.

Thanks