
Sender Policy Framework (SPF)

In document Administrator Manual v3.0 (Page 123-129)


4.3.4 Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an open standard used to identify forged sender addresses in email messages. Specifically, it protects the domain found in the SMTP envelope sender address, or return path. It does this by checking the domain's DNS record for an SPF policy to find out exactly which mail hosts are permitted to send messages on the domain's behalf. If the domain has an SPF policy and the sending host is not listed in that policy, then you can know that the address is forged.

For more on SPF, visit: www.openspf.org

Configuration

Verify sending host using SPF

By default, SecurityGateway will check the sending domain's DNS record to see if the sending host has the authority to send email on its behalf. This uses the domain found in the MAIL value passed during SMTP processing. Clear this checkbox if you do not wish to use SPF processing.

When SPF processing returns a HARD FAIL result:

The following action will be taken when SPF processing of a message results in a HARD FAIL.

...refuse the message

By default messages receiving a HARD FAIL will be refused during the SMTP process.

...quarantine the message

Choose this option if you wish to quarantine messages that receive a HARD FAIL.

...accept the message

If you wish to accept messages that receive a HARD FAIL, choose this option.

You can then insert some text into the message's subject and modify its Message Score.

...tag the subject with [ text ]

When you have configured SecurityGateway to accept a message that receives a HARD FAIL result, enable this option and specify some text if you wish to add something to the beginning of the message's Subject header. If enabled, the default text added to the subject is: "*** FRAUD ***". With this option you could leave it to the recipient's mail server or client to filter the message based on the tag. This option is disabled by default.

There are a number of other places within SecurityGateway where you can optionally add text to the Subject header. For example, the DKIM Verification and Message Scoring pages also have this option. When the designated text in these options matches, the tag will only be added to a message's subject once even if that message meets the criteria under each option. If, however, the text differs between the options, then each unique tag will be added. For example, the default text in this option is "*** FRAUD ***" but the default text in Message Scoring is "*** SPAM ***".

Because the two tags are different, both would be added to messages matching the criteria of both options. But, if you changed the text in one of the options to be identical to the other one, then the tag would be added only once.

...add [xx] points to message score

By default, when you have configured SecurityGateway to accept a message that receives a HARD FAIL result, this value is added to its Message Score. If the final score is high enough then that could cause the message to be quarantined or refused, depending on your Message Scoring settings. The default value for this option is 5.0.


When SPF processing returns a SOFT FAIL result:

The following action will be taken when SPF processing of a message results in a SOFT FAIL.

...refuse the message

Click this option if you want messages receiving a SOFT FAIL to be refused during the SMTP process.

...quarantine the message

Choose this option if you wish to quarantine messages that receive a SOFT FAIL.

...accept the message

By default, messages that receive a SOFT FAIL will be accepted, but you can then insert some text into the message's subject and modify its Message Score.

...tag the subject with [ text ]

When SecurityGateway is configured to accept a message that receives a SOFT FAIL result, enable this option and specify some text if you wish to add something to the beginning of the message's Subject header. If enabled, the default text added to the subject is: "*** FRAUD ***". With this option you could leave it to the recipient's mail server or client to filter the message based on the tag. This option is disabled by default.

...add [xx] points to message score

By default, when you have configured SecurityGateway to accept a message that receives a SOFT FAIL result, this value is added to its Message Score. If the final score is high enough then that could cause the message to be quarantined or refused, depending on your Message Scoring settings. The default value for this option is 2.0.

When SPF processing returns a PASS result:

...add [xx] points to message score

Click this option if you wish to adjust the Message Score when SPF processing of a message results in a PASS. This should be a negative number so that the score will be reduced, thus giving it a beneficial adjustment.

Exclusions

Exclude messages from whitelisted IP addresses

Click this checkbox if you wish to exclude the sender from SPF processing when its IP address appears on the whitelist. This option is disabled by default.

Exclude messages from authenticated sessions

When the incoming message is using an authenticated session it will be excluded from the SPF processing requirement by default. Clear this option if you wish to use SPF processing even when the SMTP session was authenticated.

Exclude messages from domain mail servers

Messages coming from one of your domain mail servers will be exempt from SPF processing by default. Clear this checkbox if you do not wish to exclude domain mail servers from SPF requirements.

Advanced

Insert 'Received-SPF' header into messages

By default a "Received-SPF" header is inserted into each message, containing the SPF results for the message. Clear this checkbox if you do not wish to insert this header.

...except when the SPF result is 'none'

By default, no "Received-SPF" header is inserted when the result of an SPF lookup is "none." Uncheck this option if you wish to insert the header even if no SPF data is found for the sender's domain.

Exceptions - Domains

If you select a specific domain in the "For Domain:" drop-down list box at the top of the page when configuring these settings, that domain will be listed here after saving the settings. Click the View/Edit link for the corresponding domain to review or edit its SPF settings, or click Reset to reset the domain's settings to the default Global values.

4.3.5 Sender ID

The Sender ID Framework is an email authentication protocol that is used to verify that a message originated from the domain from which it claims to have been sent. Similar to Sender Policy Framework (SPF), Sender ID checks the domain's DNS record for a list of hosts that are permitted to deliver mail on its behalf. If the host that is delivering the message isn't listed there then you can know that the sender's address is forged.

For more on Sender ID, visit the Sender ID Home Page at Microsoft.com.

Configuration

Verify sending host using Sender ID

Enable this option if you wish to use the Sender ID Framework to verify incoming messages. SecurityGateway will identify the Purported Responsible Address (PRA) of the incoming message through inspection of its headers and then verify whether or not the message originated from that location. The PRA is the most recent address purported to be responsible for the message, which may or may not be its original sender. Sender ID verification is enabled by default.
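How a PRA can be selected from message headers, as an added example that follows the steps of RFC 4407 and is not SecurityGateway's own code. The function name and the sample message (including every address in it) are constructed for illustration; note that the result comes from the headers, not from the envelope MAIL value that SPF checks.

```python
from email import message_from_string
from email.utils import getaddresses

def purported_responsible_address(raw_message):
    """Return the PRA mailbox chosen by the RFC 4407 steps, or None."""
    msg = message_from_string(raw_message)
    headers = [(k.lower(), v.strip()) for k, v in msg.items() if v.strip()]
    names = [k for k, _ in headers]
    rs = names.index("resent-sender") if "resent-sender" in names else None
    rf = names.index("resent-from") if "resent-from" in names else None
    selected = None
    if rs is not None:
        # Step 1: skip Resent-Sender when a Resent-From sits above it with
        # Received/Return-Path in between (that marks a later resend).
        later_resend = rf is not None and rf < rs and any(
            n in ("received", "return-path") for n in names[rf + 1:rs])
        if not later_resend:
            selected = headers[rs][1]
    if selected is None and rf is not None:       # step 2
        selected = headers[rf][1]
    if selected is None:                          # steps 3 and 4
        for name in ("sender", "from"):
            values = [v for k, v in headers if k == name]
            if len(values) > 1:
                return None                       # ill-formed message
            if values:
                selected = values[0]
                break
    if selected is None:
        return None
    # Step 5: the selected header must contain exactly one mailbox.
    mailboxes = [addr for _, addr in getaddresses([selected]) if addr]
    return mailboxes[0] if len(mailboxes) == 1 else None

# Constructed sample: a message resent by a forwarder (all names are made up).
SAMPLE = "\n".join([
    "Received: from mail.forwarder.example by mx.recipient.example",
    "Resent-From: list-owner@forwarder.example",
    "Received: from out.bank.example by mail.forwarder.example",
    "Sender: bulk@mailer.example",
    'From: "Alerts" <alerts@bank.example>',
    "Subject: statement",
    "",
    "body",
])

if __name__ == "__main__":
    print(purported_responsible_address(SAMPLE))
```
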

When Sender ID processing returns a HARD FAIL result:

The following action will be taken when Sender ID processing of a message results in a HARD FAIL.

...refuse the message

By default messages receiving a HARD FAIL will be refused during the SMTP process.


...quarantine the message

Choose this option if you wish to quarantine messages that receive a HARD FAIL.

...accept the message

If you wish to accept messages that receive a HARD FAIL, choose this option.

You can then insert some text into the message's subject and modify its Message Score.

...tag the subject with [ text ]

When you have configured SecurityGateway to accept a message that receives a HARD FAIL result, enable this option and specify some text if you wish to add something to the beginning of the message's Subject header. If enabled, the default text added to the subject is: "*** FRAUD ***". With this option you could leave it to the recipient's mail server or client to filter the message based on the tag. This option is disabled by default.

There are a number of other places within SecurityGateway where you can optionally add text to the Subject header. For example, the DKIM Verification and Message Scoring pages also have this option. When the designated text in these options matches, the tag will only be added to a message's subject once even if that message meets the criteria under each option. If, however, the text differs between the options, then each unique tag will be added. For example, the default text in this option is "*** FRAUD ***" but the default text in Message Scoring is "*** SPAM ***".

Because the two tags are different, both would be added to messages matching the criteria of both options. But, if you changed the text in one of the options to be identical to the other one, then the tag would be added only once.

...add [xx] points to message score

By default, when you have configured SecurityGateway to accept a message that receives a HARD FAIL result, this value is added to its Message Score. If the final score is high enough then that could cause the message to be quarantined or refused, depending on your Message Scoring settings. The default value for this option is 5.0.

When Sender ID processing returns a SOFT FAIL result:

The following action will be taken when Sender ID processing of a message results in a SOFT FAIL.

...refuse the message

Click this option if you want messages receiving a SOFT FAIL to be refused during the SMTP process.

...quarantine the message

Choose this option if you wish to quarantine messages that receive a SOFT FAIL.


...accept the message

By default, messages that receive a SOFT FAIL will be accepted, but you can then insert some text into the message's subject and modify its Message Score.

...tag the subject with [ text ]

When SecurityGateway is configured to accept a message that receives a SOFT FAIL result, enable this option and specify some text if you wish to add something to the beginning of the message's Subject header. If enabled, the default text added to the subject is: "*** FRAUD ***". With this option you could leave it to the recipient's mail server or client to filter the message based on the tag. This option is disabled by default.

...add [xx] points to message score

By default, when you have configured SecurityGateway to accept a message that receives a SOFT FAIL result, this value is added to its Message Score. If the final score is high enough then that could cause the message to be quarantined or refused, depending on your Message Scoring settings. The default value for this option is 2.0.

When Sender ID processing returns a PASS result:

...add [xx] points to message score

Click this option if you wish to adjust the Message Score when Sender ID processing of a message results in a PASS. This should be a negative number so that the score will be reduced, thus giving it a beneficial adjustment.

Exclusions

Exclude messages from whitelisted IP addresses

Click this checkbox if you wish to exclude the sender from Sender ID processing when its IP address appears on the whitelist. This option is disabled by default.

Exclude messages from authenticated sessions

When the incoming message is using an authenticated session it will be excluded from the Sender ID processing requirement by default. Clear this option if you wish to use Sender ID processing even when the SMTP session was authenticated.

Exclude messages from domain mail servers

Messages coming from one of your domain mail servers are exempt from Sender ID by default. Clear this checkbox if you do not wish to exclude domain mail servers from Sender ID requirements.

Advanced

Interpret 'v=spf1' records as 'spf2.0/mfrom,pra'

Sender ID prefers SPF 2.0 records. However, by default when no SPF 2.0 records are found, Sender ID will attempt to use SPF 1 data and retask it for Sender ID purposes. Ordinarily you should leave this option enabled, but if you do not wish to allow Sender ID to interpret SPF 1 records in this way then you can disable it by clearing the option.


Exceptions - Domains

If you select a specific domain in the "For Domain:" drop-down list box at the top of the page when configuring these settings, that domain will be listed here after saving the settings. Click the View/Edit link for the corresponding domain to review or edit its Sender ID settings, or click Reset to reset the domain's settings to the default Global values.
