To ensure your internal users still receive messages sent on your behalf by a trusted third party, you can implement an Anti-Spoofing SPF Based Bypass policy. This ensures any Anti-Spoofing policies you've configured are not applied.
What You'll Need
- An Administration Console logon with access to the Services | Gateway | Policies menu item.
Creating a Policy
To create a policy, follow the instructions in the Creating / Changing a Policy article, using the following options.
|Policy Narrative||Provide a description for the policy to allow you to easily identify it in the future.|
Select whether to enable or disable the bypass policy. If enabled, none of the Anti-Spoofing policies will be applied if the inbound IP address is referenced on any of the SPF records of the domains specified in the “When IP matches SPF records of” field.
|When IP Matches SPF Record of||Specify the domain names whose SPF records should be checked to see if the connecting IP address has been referenced. This acts as a policy condition if an SPF check for the connection IP address results in a “Pass” or “Success” for any of the entered domains. The bypass is then applied if the communication pair matches the policy "from" and "to" configuration.|
Set the policy to apply from "Everyone" to "Everyone", as long as the value entered in the "When IP Matches SPF Record of" field matches the domain.
We recommend that you do not enter domains that have a “+all” qualifier in their SPF record, and that you always validate the domain’s SPF records prior to entering the domain. See the Sender Policy Framework Project Overview page for more information about qualifiers.
Please note that, due to limitations within the algorithm used to validate SPF records, any SPF record that has 10 or more terms (include, redirect, etc.) can cause the Anti-Spoofing SPF Based Bypass to not apply. Should the sender be using an IP address that is contained within an entry that is processed after the 10th term, the SPF check will fail.
This scenario can occur for organizations that use multiple third-party services to send on behalf of the domains they control.
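The two checks recommended above (no “+all” qualifier, and fewer than 10 lookup terms) can be run against a domain's SPF record before it is entered in the policy. The script below is an added example, not part of the product or its documentation. It assumes "terms" means the DNS-querying terms counted by RFC 7208's lookup limit, inspects only the record text it is given without resolving nested includes, and uses a constructed sample record; the function names are illustrative.

```python
import re

# Terms that trigger DNS queries and count toward the SPF lookup limit (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10  # the "10 or more terms" threshold described above


def split_term(term):
    """Split one SPF term into (qualifier, name); a missing qualifier means '+'."""
    t = term.lower()
    qualifier = "+"
    if t[0] in "+-~?":
        qualifier, t = t[0], t[1:]
    name = re.split(r"[:/=]", t, maxsplit=1)[0]
    return qualifier, name


def audit_spf(record):
    """Audit a single SPF record string. Nested include/redirect records are not fetched."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    result = {"pass_all": False, "lookup_terms": 0, "after_limit": []}
    for term in terms[1:]:
        qualifier, name = split_term(term)
        if name == "all":
            # "all" and "+all" both pass every sender
            result["pass_all"] = result["pass_all"] or qualifier == "+"
            continue
        if result["lookup_terms"] >= LIMIT:
            result["after_limit"].append(term)  # positioned after the 10th lookup term
        if name in LOOKUP_TERMS:
            result["lookup_terms"] += 1
    return result


# Constructed sample: ten includes, then an IP range and an eleventh include.
SAMPLE = ("v=spf1 "
          + " ".join(f"include:svc{i}.example.net" for i in range(1, 11))
          + " ip4:203.0.113.0/24 include:svc11.example.net ~all")

if __name__ == "__main__":
    report = audit_spf(SAMPLE)
    print("pass-all qualifier:", report["pass_all"])
    print("lookup terms:", report["lookup_terms"])
    print("terms after the limit:", report["after_limit"])
```

Any entry listed under "terms after the limit" is one whose sending IP addresses may not trigger the bypass, and a true pass-all result marks a domain that should not be entered.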