SPF and DKIM

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are used as validation methods to check that an incoming email message claimed to come from a specific domain was authorized by the owner of that domain. This helps protect recipients from receiving spoofed email messages. ESET Mail Security also uses DMARC (Domain-based Message Authentication, Reporting and Conformance) evaluation to further enhance upon SPF and DKIM.

SPF check is performed to verify if an email was sent by a legitimate sender. A DNS lookup for SPF records of the sender's domain is performed to get a list of IP addresses. If any of the IP addresses from SPF records matches the actual IP address of the sender, the result of the SPF check is a Pass. If the sender's actual IP address does not match, the result is a Fail. However, not all domains have SPF records specified in DNS. If there are no SPF records present in DNS, the result is Not available. A DNS request may timeout occasionally, in which case the result is also Not available.

DKIM is used by organizations to prevent email message spoofing by adding a digital signature to the headers of outgoing messages according to the DKIM standard. This involves using a private domain key to encrypt your domain's outgoing mail headers, and adding a public version of the key to the domain's DNS records. ESET Mail Security can then retrieve the public key to decrypt incoming headers and verify that the message really comes from your domain and its headers hasn't been changed along the way.

note_icon_note NOTE

Exchange Server 2010 and older are not fully compatible with DKIM, because headers included in digitally signed incoming messages may get modified during DKIM validation.

DMARC is built on top of the two existing mechanisms, SPF and DKIM. You can use Mail Transport protection rules to evaluate DMARC result and Apply DMARC policy action.

spf_and_dkim

Auto detect DNS servers - Uses settings of your network adapter.

DNS server IP address - If you want to use specific DNS servers for SPF and DKIM, enter the IP address (in IPv4 or IPv6 format) of the DNS server you want to use.

DNS query timeout (seconds) - Specify timeout for DNS reply.

Automatically reject messages if SPF check failed - If your SPF check results in an immediate fail, an email message can be rejected before it is downloaded.

note_icon_example EXAMPLE

SPF check is done on the SMTP layer. However, it can be rejected either automatically on the SMTP layer or during rules evaluation.

It is not possible to log rejected messages into the Events log if you use automatic rejection on the SMTP layer. This is because logging is done by rule action and the automatic reject is done directly on the SMTP layer which happens before rule evaluation. Since the messages will get rejected before rules are evaluated, there is no information to be logged at the time of rule evaluation.

You can log rejected messages, but only if you reject the messages by a rule action. To reject messages that did not pass SPF check and log such rejected messages, disable Automatically reject messages if SPF check failed and create the following rule for Mail transport protection:

Condition

Type: SPF result
Operation: is
Parameter: Failed

Actions

Type: Reject message
Type: Log to events

Use From: header if MAIL FROM is empty - The header MAIL FROM can be empty, and can also be easily spoofed. When this option is enabled and MAIL FROM is empty, the message is downloaded and the header From: is used instead.

Automatically bypass Greylisting if SPF check passed - There is no reason to use Greylisting for a message if its SPF check result was Pass.

SMTP reject response - You can specify a Response code, Status code and Response message which define the SMTP temporary denial response sent to the SMTP server if a message is refused. You can enter a response message in the following format:

Response code

Status code

Response message

550

5.7.1

SPF check failed

note_icon_note NOTE

If running Microsoft Exchange Server 2003 and 2003 R2 or SBS 2003 and SBS 2003 R2, some of the SPF and DKIM options are not available.