
SPF/DMARC/SRS

In document ASSP 2.4.1 version Manual (Page 46-49)

Enable SPF Validation (ValidateSPF) • disabled

Enable Sender Policy Framework validation as described at openspf, and Domain-based Message Authentication, Reporting & Conformance as described in DMARC (DMARC also requires DoDKIM to be enabled).

This requires the Mail::SPF Perl module to be installed. Test mode is set with spfTestMode and scoring with spfValencePB. If you need more information about the syntax of SPF records, visit SPF_Record_Syntax.

Do SPF Version 2 Validation (SPF2) •

Enable Sender Policy Framework Validation Version 2.

This requires an installed Mail::SPF object-oriented Perl module that supersedes the old Mail::SPF::Query module.

Whitelisted SPF Validation (SPFWL)

Enable Sender Policy Framework Validation for whitelisted users also.

noProcessing SPF Validation (SPFNP)

Enable Sender Policy Framework Validation for nonprocessed messages also.

Local and outgoing mail SPF Validation (SPFLocal)

Enable Sender Policy Framework Validation for local and outgoing messages also. Don't forget to configure your DNS-server for SPF and/or to configure SPFoverride / SPFfallback / SPFlocalRecord, if you enable this option.

Enable SPF Background Check (enableSPFbackground)

SPF background checks are initiated by some features (for example DoDomainIP) to fill up the SPFCache. The collected results are later used to prevent blocking good mails.

Add Received-SPF Header (AddSPFHeader)

Add a Received-SPF header to all mails processed by SPF.

SPF Failed Reply (SPFError) 554 5.7.1 failed SPF: SPFRESULT

SMTP reply for messages that failed SPF. Default: '554 5.7.1 failed SPF: SPFRESULT'. The literal SPFRESULT (case sensitive) is replaced by the actual result.

Skip SPF Processing* (noSPFRe) • 10.|194.25.134.

Put anything here to identify these messages in the mail from or header.

Override Domains* (SPFoverride)

Set override to define SPF records for domains that do publish one but which you want to override anyway. If you specify only domains, the Local SPF Record (SPFlocalRecord) below will be used as the default. Wildcards are supported. For example: abc.com=>v=spf1 a/24 mx/24 ptr -all|cello.ch=>v=spf1 ip4:213.46.243.0/26 ~all|abc.com|*.def.com

To generate an SPF record for a domain:

- go to http://www.senderbase.org
- look up the domain information in "Look up your network"
- right beside "Addresses in domain used to send email" click on export, and export the list into plain text
- copy and paste the list into an editor and generate a comma-separated IP list
- go to an online SPF record generator, for example http://www.royhochstenbach.com/projects/spfgenerator, and generate the SPF record
- put "domain=>SPF-record" in either SPFoverride or SPFfallback
- define the policy as strictly as possible

Fallback Domains* (SPFfallback)

Set fallback to define "pretend" SPF records for domains that don't publish them yet. If you specify only domains, the Local SPF Record (SPFlocalRecord) below will be used as the default. Wildcards are supported. For example: abc.com=>v=spf1 a/24 mx/24 ptr -all|cello.ch=>v=spf1 ip4:213.46.243.0/26 ~all|abc.com|*.def.com
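As an added example (my code, not part of ASSP), here is how the SPFoverride / SPFfallback list syntax described above can be parsed and applied: bare domains fall back to SPFlocalRecord, wildcards are honoured, and the precedence override, then the record published in DNS, then fallback follows the two option descriptions. The sample lists are constructed from the manual's example values; first-match-wins ordering and shell-style wildcard matching are my assumptions.

```python
import fnmatch

# Constructed sample settings using the list syntax shown in the manual.
SPF_OVERRIDE = ("abc.com=>v=spf1 a/24 mx/24 ptr -all"
                "|cello.ch=>v=spf1 ip4:213.46.243.0/26 ~all"
                "|abc.com|*.def.com")
SPF_FALLBACK = "nospf.example=>v=spf1 mx -all|*.partner.example"
SPF_LOCAL_RECORD = "v=spf1 a/24 mx/24 ptr -all"   # SPFlocalRecord default


def parse_domain_list(setting):
    """Split 'domain[=>record]|domain[=>record]|...' into (pattern, record) pairs.

    A bare domain gets record None, meaning "use SPFlocalRecord".
    """
    entries = []
    for item in setting.split("|"):
        item = item.strip()
        if not item:
            continue
        if "=>" in item:
            pattern, record = item.split("=>", 1)
            entries.append((pattern.strip().lower(), record.strip()))
        else:
            entries.append((item.lower(), None))
    return entries


def lookup_record(entries, domain, local_record):
    """Return the record of the first pattern matching domain, else None.

    Wildcards are matched shell-style (assumption: '*' matches any run of
    characters, so '*.def.com' matches 'mail.def.com' but not 'def.com').
    """
    domain = domain.lower()
    for pattern, record in entries:
        if fnmatch.fnmatchcase(domain, pattern):
            return local_record if record is None else record
    return None


def record_for(domain, published, override=SPF_OVERRIDE,
               fallback=SPF_FALLBACK, local_record=SPF_LOCAL_RECORD):
    """Pick the SPF record to evaluate for domain.

    published is the record found in DNS, or None if the domain has none.
    Override beats DNS; fallback is only a stand-in when DNS has nothing.
    Returns (record, source) with source one of override/dns/fallback/none.
    """
    record = lookup_record(parse_domain_list(override), domain, local_record)
    if record is not None:
        return record, "override"
    if published is not None:
        return published, "dns"
    record = lookup_record(parse_domain_list(fallback), domain, local_record)
    if record is not None:
        return record, "fallback"
    return None, "none"


if __name__ == "__main__":
    for dom, dns in [("abc.com", "v=spf1 -all"), ("mail.def.com", None),
                     ("def.com", "v=spf1 mx -all"), ("nospf.example", None),
                     ("other.example", None)]:
        print(dom, "->", record_for(dom, dns))
```

Note that a fallback or override record is trusted exactly like a published one, so a permissive SPFlocalRecord (or a wildcard pattern that is wider than intended) turns into accepted forgeries for every matching domain; this is why the manual asks for the strictest possible policy.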

Local SPF Policy (LocalPolicySPF) • v=spf1 10/8 a/24 mx/24 ~all

If the sending domain does not publish its own SPF Records this will be used. The default is v=spf1 a/24 mx/24 ptr ~all

This option applies to the Mail::SPF::Query module only.

Fallback/Override SPF Record (SPFlocalRecord) v=spf1 a/24 mx/24 ptr -all

Used for Fallback/Override Domains. The default is v=spf1 a/24 mx/24 ptr -all

Strict SPF Processing Regex* (strictSPFRe) •

@gmail.com|@hotmail.com|@msn.com|@live.com|@aol.com|@ebay.com|@ebay.nl|@bbt.com|@paypal.com|@einsundeins.de|@microsoft.com|rr.com|veritate.com

Softfail/Neutral results will be treated as failed for these sending addresses. Put anything here to identify the addresses.

Block SPF Processing Regex* (blockstrictSPFRe) @ebay.com|@paypal.com

All failed messages will be blocked for these sending addresses. Put anything here to identify the addresses.

Additional SPF Check on the Header from (DoSPFinHeader)

Do an additional SPF check on the header From: address if it is in blockstrictSPFRe. *** This check breaks RFC rules ***

Fail SPF Softfail Validations (SPFsoftfail)

Intentionally fail SPF softfail status responses. The possible results of a query are:

pass: The client IP address is an authorized mailer for the sender. The mail should be accepted subject to local policy regarding the sender.

fail: The client IP address is not an authorized mailer, and the sender wants you to reject the transaction for fear of forgery.

softfail: The client IP address is not an authorized mailer, but the sender prefers that you accept the transaction because it isn't absolutely sure all its users are mailing through approved servers. The softfail status is often used during initial deployment of SPF records by a domain.

neutral: The sender makes no assertion about the status of the client IP.

none: There is no SPF record for this domain.

permerror & temperror: The DNS lookup encountered an error during processing.

unknown: The domain has a configuration error in the published data or defines a mechanism that this library does not understand.

Fail SPF Neutral Validations (SPFneutral)

Intentionally fail SPF neutral status responses

Fail SPF Error Responses (SPFqueryerror)

Intentionally fail SPF 'error' status responses

Fail SPF None and Unknown Responses (SPFnone)

Intentionally fail SPF 'none' and 'unknown' status responses

Fail SPF Unknown Responses (SPFunknown)

Intentionally fail SPF 'unknown' status responses
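The options from SPFError, strictSPFRe and blockstrictSPFRe down to SPFunknown together decide what happens to each query result listed above. The following added example (my code, not ASSP's) models that decision table, the SPFRESULT substitution in the reply, and the Received-SPF header that AddSPFHeader adds. The regexes are constructed subsets of the defaults shown above; the split of failed messages into "block" (address matches blockstrictSPFRe, reply from SPFError) versus "score" (penalise through spfValencePB) and the "log" outcome for spfTestMode are my simplification of how ASSP combines these options.

```python
import re

# Constructed subsets of the strictSPFRe / blockstrictSPFRe defaults above.
STRICT_SPF_RE = re.compile(r"@gmail\.com|@hotmail\.com|@ebay\.com|@paypal\.com", re.I)
BLOCK_STRICT_SPF_RE = re.compile(r"@ebay\.com|@paypal\.com", re.I)

# SPFError default; the literal SPFRESULT is replaced by the actual result.
SPF_ERROR = "554 5.7.1 failed SPF: SPFRESULT"

# The "Intentionally fail ..." switches, all off as in the manual's defaults.
DEFAULT_FLAGS = {
    "SPFsoftfail": False,    # fail softfail
    "SPFneutral": False,     # fail neutral
    "SPFqueryerror": False,  # fail temperror / permerror
    "SPFnone": False,        # fail none and unknown
    "SPFunknown": False,     # fail unknown only
}

SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none",
               "temperror", "permerror", "unknown"}


def spf_failed(result, sender, flags=DEFAULT_FLAGS, strict_re=STRICT_SPF_RE):
    """Decide whether an SPF result counts as failed for this sender.

    'fail' always fails and 'pass' never does; the remaining results fail
    only when their switch is on, or, for softfail/neutral, when the sender
    address matches strictSPFRe.
    """
    if result not in SPF_RESULTS:
        raise ValueError(f"unexpected SPF result {result!r}")
    if result == "pass":
        return False
    if result == "fail":
        return True
    strict = bool(strict_re.search(sender))
    if result == "softfail":
        return flags["SPFsoftfail"] or strict
    if result == "neutral":
        return flags["SPFneutral"] or strict
    if result in ("temperror", "permerror"):
        return flags["SPFqueryerror"]
    if result == "none":
        return flags["SPFnone"]
    # unknown is failed by either SPFnone or SPFunknown
    return flags["SPFnone"] or flags["SPFunknown"]


def spf_action(result, sender, flags=DEFAULT_FLAGS, test_mode=False,
               strict_re=STRICT_SPF_RE, block_re=BLOCK_STRICT_SPF_RE,
               error_template=SPF_ERROR):
    """Map a result to (action, smtp_reply).

    accept: not failed.  log: failed but spfTestMode is on (assumption: test
    mode only logs).  block: failed and sender matches blockstrictSPFRe, with
    the SPFError reply.  score: failed, penalise via spfValencePB and let the
    overall spam score decide.
    """
    if not spf_failed(result, sender, flags, strict_re):
        return "accept", None
    if test_mode:
        return "log", None
    if block_re.search(sender):
        return "block", error_template.replace("SPFRESULT", result)
    return "score", None


def received_spf_header(result, client_ip, sender, helo):
    """Received-SPF header in the RFC 7208 section 9.1 layout (assumed for AddSPFHeader)."""
    return (f"Received-SPF: {result} client-ip={client_ip}; "
            f"envelope-from={sender}; helo={helo}")


if __name__ == "__main__":
    for res, who in [("softfail", "x@gmail.com"), ("fail", "x@paypal.com"),
                     ("fail", "x@example.org"), ("none", "x@example.org")]:
        print(res, who, "->", spf_action(res, who))
```

The strict list only tightens softfail/neutral for brands that are commonly forged; whether a failure is then rejected outright or merely scored depends on the block list, so a domain that appears in strictSPFRe but not in blockstrictSPFRe is still only penalised.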

SPF Cache Refresh Interval (SPFCacheInterval) 7

SPF records in the cache will be removed after this interval in days. 0 will disable the cache.

Enable SPF/DNS Debug output to ASSP Logfile (DebugSPF)

Enables verbose debugging of SPF/DNS/Whois/Senderbase queries within the Mail::SPF and Net::DNS modules.

Notes On SPF


From Address for DMARC Reports (DMARCReportFrom)

The email address to be used as FROM: address to send DMARC reports. If blank, no DMARC reports will be sent! If only the user name is defined, assp will add the domain name that belongs to the report.

Don't send DMARC reports to these Addresses/Domains* (noDMARCReportDomain)

Put any DMARC report recipient domain or address (ruf/rua) into this list, for example if DMARC reports could never be delivered there for any reason.

Accepts specific addresses ([email protected]), user parts (user) or entire domains (@example.com). Wildcards are supported (fribo*@example.com).

Enable Sender Rewriting Scheme (EnableSRS)

Enable Sender Rewriting Scheme as described at www.openspf.org/SRS. This requires an installed Mail::SRS module in PERL.

You should use SRS if your message handling system forwards email for domains with published SPF records and their SPF record does not include your MX.

NOTICE: If your local users forward mails (e.g. from external domains) to external domains (external mail accounts) and these foreign domains bounce back (e.g. out_of_office / vacation), your MTA (smtpDestination) will possibly get mails from external domains to be delivered to external domains!

Note that you have to setup the outgoing path (Relay Host and Port) to let ASSP see and rewrite your outgoing traffic. Testmode is set with srsTestMode.

thisdomain.com

SPF requires the SMTP client IP to be authorized by the envelope sender (return-path) domain. When a message is forwarded through an intermediate server, that intermediate server may need to rewrite the return-path to remain SPF compliant. For example: thisdomain.com

Secret Key (SRSSecretKey)

A key for the cryptographic algorithms -- Must be at least 5 characters long.

Maximum Timestamp Age (SRSTimestampMaxAge) • 21

Enter the maximum number of days for which a timestamp is considered valid. Default is 2 days. After this number of days an SRS bounce is no longer valid!

Hash Length (SRSHashLength) • 4

The number of bytes of base64 encoded data to use for the cryptographic hash.

More is better, but makes for longer addresses which might exceed the 64 character length suggested by RFC2821. This defaults to 6, which gives 6 x 6 = 36 bits of cryptographic information, which means that a spammer will have to make 2^36 attempts to guarantee forging an SRS address.

Enable Bounce Recipient Validation (SRSValidateBounce) • block

Bounce messages that fail reverse SRS validation (but not a valid SMTP probe) will receive a 554 5.7.5 [Bounce address not SRS signed] SMTP error code. Testmode is set with srsTestMode, scoring is set with srsValencePB.
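The SRS options above (secret key, hash length, timestamp age, bounce validation) fit together as follows. This added example is my own code, not ASSP's and not the Mail::SRS module: it rewrites a forwarded return-path into an SRS0 address and validates a bounce back to it. The SRS0 layout (SRS0=hash=timestamp=original-domain=original-local@alias), the two-character base32 timestamp counting days modulo 1024, and HMAC-SHA1 as the keyed hash are my reading of the SRS draft and should be treated as assumptions; the alias domain and all addresses are constructed.

```python
import base64
import hashlib
import hmac
import re
import time

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# Reply the manual gives for bounces that fail reverse SRS validation.
SRS_BOUNCE_ERROR = "554 5.7.5 [Bounce address not SRS signed]"


def encode_timestamp(days):
    """Two base32 characters carrying (days since epoch) modulo 1024."""
    days %= 1024
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]


def decode_timestamp(ts):
    return (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())


def srs_hash(secret, ts, domain, local, hash_length):
    """Keyed hash over the lowercased timestamp, domain and local part,
    base64 encoded and truncated to hash_length characters (SRSHashLength)."""
    msg = (ts + domain + local).lower().encode()
    digest = hmac.new(secret.encode(), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:hash_length]


class SRS:
    def __init__(self, secret, alias_domain, hash_length=4, max_age_days=21):
        if len(secret) < 5:   # SRSSecretKey rule from the manual
            raise ValueError("SRSSecretKey must be at least 5 characters long")
        self.secret = secret
        self.alias_domain = alias_domain.lower()
        self.hash_length = hash_length        # SRSHashLength
        self.max_age_days = max_age_days      # SRSTimestampMaxAge

    def forward(self, sender, today=None):
        """Rewrite the return-path of a message we forward into an SRS0 address."""
        local, _, domain = sender.rpartition("@")
        days = int(time.time() // 86400) if today is None else today
        ts = encode_timestamp(days)
        h = srs_hash(self.secret, ts, domain, local, self.hash_length)
        return f"SRS0={h}={ts}={domain}={local}@{self.alias_domain}"

    def reverse(self, address, today=None):
        """Validate a bounce recipient and return (original_address, reason).

        original_address is None when validation fails; the SMTP reply for
        that case is SRS_BOUNCE_ERROR (SRSValidateBounce = block).
        """
        local, _, domain = address.rpartition("@")
        m = re.fullmatch(r"SRS0=([^=]+)=([^=]{2})=([^=]+)=(.*)", local, re.I)
        if m is None or domain.lower() != self.alias_domain:
            return None, "not an SRS0 address for this alias domain"
        h, ts, orig_domain, orig_local = m.groups()
        if any(c.upper() not in BASE32 for c in ts):
            return None, "malformed timestamp"
        expected = srs_hash(self.secret, ts, orig_domain, orig_local, self.hash_length)
        # Constant-time comparison: the hash is the only thing a forger lacks.
        if not hmac.compare_digest(h.encode(), expected.encode()):
            return None, "hash mismatch"
        now = int(time.time() // 86400) if today is None else today
        age = (now - decode_timestamp(ts)) % 1024   # modulo handles wrap-around
        if age > self.max_age_days:
            return None, "timestamp older than SRSTimestampMaxAge"
        return f"{orig_local}@{orig_domain}", "ok"


if __name__ == "__main__":
    srs = SRS("s3cretkey", "forwarder.example")
    rewritten = srs.forward("alice@example.org")
    print(rewritten)
    print(srs.reverse(rewritten))
```

Two points follow directly from the code: the hash covers the original address and the timestamp, so changing either invalidates the bounce, and a short hash (the manual's 4 or 6 base64 characters, 24 or 36 bits) is what bounds how hard a forged SRS address is to produce, which is why longer is safer as long as the rewritten local part stays within the 64-character limit mentioned above.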

Don't Rewrite These Addresses* (SRSno)

Don't rewrite addresses when messages come from these addresses. Accepts specific addresses ([email protected]), user parts (user) or entire domains (@domain.com).

For example: [email protected]|jhanna|@sillyguys.org

Don't Validate Bounces From these IPs* (noSRS)

Enter IP addresses that you don't want to validate bounces from, separated by pipes (|). For example: 127.0.0.1|172.16..

Notes On SRS
