Configuring Anti-Spoofing SPF Based Bypass Policies

Document created by user.m8lcBwVNwY Employee on Apr 18, 2016Last modified by user.Yo2IBgvWqr on Jun 8, 2018
Version 23Show Document
  • View in full screen mode

Anti-Spoofing SPF Based Bypass policies allow 'spoofed' inbound messages through to end users that you consider to be legitimate. This could include emails generated from web servers that hold your domain name, or a trusted third party system that generates emails using an internal email address.


Usage Considerations


Consider the following before creating a policy:

  • Only one Anti-Spoofing SPF Based Bypass policy can apply to a specific mail flow, but it can contain many domains.
  • Don't enter domains with a “+all” qualifier in their SPF record, and always validate a domain’s SPF records prior to entering it in the policy. See the Sender Policy Framework Project Overview page for more information about qualifiers.

  • If you want to allow your company domain / email address to be included in the Anti-Spoofing Bypass policy, you must specify the internal address / domain that you will allow to be spoofed. In this case, you should not also be listing the external sending address that may also be appearing in the sending header / envelope.

There are limitations in the algorithm used to validate SPF records. If an SPF record has 10+ terms (include, redirect etc) an Anti Spoofing SPF Based Bypass policy does not apply. If a sender is using an IP address contained in an entry processed after the 10th term, the SPF check fails. This can occur for organizations that use multiple 3rd party services to send mail containing their company domain name.

Configuring an Anti-Spoofing SPF Based Bypass Policy


To configure an Anti-Spoofing SPF Based Bypass policy:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item. A menu drop down is displayed.
  3. Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed
  4. Click on Anti-Spoofing SPF Based Bypass. A list of policies is displayed.
  5. Either select the:
    • Policy to be changed.
    • New Policy button to create a policy.
  6. Complete the Options section as required:
    Policy NarrativeProvide a description for the policy to allow you to easily identify it in the future.
    Select Option

    Select whether to enable or disable the bypass policy. If enabled, none of the Anti-Spoofing policies will be applied if the inbound IP address is referenced on any of the SPF records of the domains specified in the “When IP matches SPF records of” field.

    When IP Matches SPF Record of

    Specify the domain names whose SPF records should be checked to see if the connecting IP address has been referenced. This acts as a policy condition if an SPF check for the connection IP address results in a “Pass” or “Success” for any of the entered domains. The bypass is then applied if the communication pair matches the policy "from" and "to" configuration.

    Applies From

    Set to a value of from "Everyone" to "Everyone" as long as the value entered in the "When IP Matches SPF Record of" field matches the domain.

    Applies To
  7. Complete the Emails From and Emails To sections as required:
    Field / OptionDescription
    Addresses Based OnSpecify the email address characteristics the policy is based on. This option is only available in the "Emails From" section:
    BothApplies the policy based on either the Mail Envelope From or the Message Header From, whichever matches. If both match the specified value the Message Header From is used.
    Applies From / ToSpecify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:
    EveryoneIncludes all email users (i.e. internal and external). This option is only available in the "Emails From" section.
    Internal AddressIncludes only internal organization addresses.
    External AddressIncludes only external organization addresses. This option is only available in the "Emails From" section.
    Email DomainEnables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.
    Address GroupsEnables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.
    Address AttributesEnables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, an attribute value must be entered in the Is Equal To field. This can only be used if attributes have been configured for user accounts.
    Individual Email AddressEnables you to specify an SMTP address. The email address is entered in the Specifically field.
  8. Complete the Validity section as required:
    Field / OptionDescription
    Enable / DisableUse this to enable (default) or disable a policy. If a date range has been specified, the policy will automatically be disabled when the end of the configured date range is reached.
    Set Policy as PerpetualIf the policy's date range has no end date, this field displays "Always On" meaning that the policy never expires.
    Date RangeUse this field to specify a start and / or end date for the policy. If the Eternal option is selected, no date is required.
    Policy OverrideThis overrides the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type are configured with an override.
    Bi-DirectionalIf selected the policy is applied when the policy's recipient is the sender, and the sender is the recipient.
    Source IP Ranges (n.n.n.n/x)Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data, falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
  9. Click on the Save and Exit button.


See Also...


4 people found this helpful