Anti-Spoofing SPF Based Bypass 

Document created by user.m8lcBwVNwY Expert on Apr 18, 2016Last modified by user.oxriBaJeN4 on Apr 5, 2017
Version 19Show Document
  • View in full screen mode

To ensure your internal users still receive messages sent by a trusted third party sent on your behalf, you can implement an Anti-Spoofing SPF Based Bypass policy. This ensures any Anti-Spoofing Policies you've configured are not applied.

Only one Anti-Spoofing SPF Based Bypass can apply to a specific mailflow. That bypass policy can contain as many domains as you require.

What You'll Need


  • An Administration Console logon with access to the ServicesGateway | Policies menu item.


Creating a Policy


To create a policy, follow the instructions in the Creating / Changing a Policy article, but using the following options.


Policy NarrativeProvide a description for the policy to allow you to easily identify it in the future.
Select Option

Select whether to enable or disable the bypass policy. If enabled, none of the Anti-Spoofing policies will be applied if the inbound IP address is referenced on any of the SPF records of the domains specified in the “When IP matches SPF records of” field.

When IP Matches SPF Record of

Specify the domain names whose SPF records should be checked to see if the connecting IP address has been referenced. This acts as a policy condition if an SPF check for the connection IP address results in a “Pass” or “Success” for any of the entered domains. The bypass is then applied if the communication pair matches the policy "from" and "to" configuration.

Applies From

Set to a value of from "Everyone" to "Everyone" as long as the value entered in the "When IP Matches SPF Record of" field matches the domain.

Applies To

We recommend you do not enter domains that have a “+all” qualifier in their SPF record, and to always validate the domain’s SPF records

prior to entering the domain. See the Sender Policy Framework Project Overview page for more information about qualifiers.

Please note that due to limitations within the algorithm used to validate SPF records. Any SPF record that has 10 or more terms (include, redirect etc), can cause the Anti Spoofing SPF Based Bypass to not apply, should the sender be using an IP address that is contained within an entry that is processed after the 10th term the SPF check will fail.


This scenario can occur for organizations that use multiple 3rd party services to send on the behalf of the domains they control.

Bypass Policy.png


Definition Required?



4 people found this helpful