Skip to main content

SPF Settings

Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators.[1] The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT recordEmail spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques. (See original source).

Set SPF Settings

  • Set SPF Enabled field to YES or NO in order to enable or disable SPF.

Setting SPF to NO will automatically disable DKIM if enabled.

  • Set the Logging Level field to a logging level of your choice. By default, it's set to Level 1.
    • Level 1 logs no debugging messages, just basic policy results and errors generated through the policy server.
    • Level 2 adds a log message if no client address (IP address from which the connection was made), Mail From address, or HELO/EHLO name is received by the policy server, and logs SPF results for each Mail From and HELO check.
    • Level 3 generates a log message each time the policy server starts and each time it exits, as well as logging a copy of the exact header returned to Postfix to be prepended into the message. Each time the policy server starts. Level 3 also logs the configuration information used by the policy server.
    • Level 4 logs the complete data set received by Postfix via the policy interface and when the end of the entry is read.
    • Level 5 is used to debug config file processing and, for this purpose, can only be set in code and not via the config file. It also provides additional internal status details generally of interest only to developers.
    • Level 0 server logs errors only.
    • Disabled logs nothing, not even error messages. This setting is NOT recommended.
  • Set the Test Mode to Enabled or Disabled. Setting it to Enabled Hermes SEG will NOT block any e-mail and simply generate logs.
  • Set the HELO Check Rejection Policy field to a setting of your choice. By default, it's set to Reject HELO Fail.
    • Reject HELO Fail rejects only on HELO Fail. HELO/EHLO is known first in the SMTP dialogue and there is no practical reason to waste resources on Mail From checks if the HELO check will already cause the message to be rejected. This should not cause interoperability problems when used for HELO.

    •  

      Reject All rejects if the SPF result is Fail, Softfail, Neutral, PermError. Unlike the Mail From Checking Policy, there are no standard e-mail use cases where a HELO check should not Pass if there is an SPF record for the HELO name (transparent forwarding, for example, is not an issue). HELO/EHLO is known first in the SMTP dialogue and there is no practical reason to waste resources on Mail From checks if the HELO check will already cause the message to be rejected. This is not consistent with the RFC 7208 requirement to treat none and neutral the same, but should not cause interoperability problems when used for HELO.

    • Reject Softfail rejects on HELO Softfail or Fail. HELO/EHLO is known first in the SMTP dialogue and there is no practical reason to waste resources on Mail From checks if the HELO check will already cause the message to be rejected. This should not cause interoperability problems when used for HELO.

    • Reject Null - rejects HELO Fail for Null sender (SPF Classic). This is the approach used by the pre-RFC 4408 reference implementation and many of the pre- RFC specifications. Use of at least this option (SPF_Not_Pass or Fail) are preferred) is highly recommended.

    • Append Only does NOT reject on HELO but instead appends header only. This is useful for post-SMTP spam filters such as SpamAssassin.

    • Disable Check does not check HELO. This is only recommended if you are calling the policy server twice (once for HELO checks and once for Mail From) with two different configuration files. This approach is useful to get both the HELO and Mail From headers prepended to a message.

  • Set the HELO Check Rejection POlicy to a setting of your choice. By default it's set to Reject Mail from Fail.
  • Set the Permanent Error Policy to a setting of your choice. By default it's set to False.
  • Set the Temporary Error Policy to a setting of your choice. By default it's set to False.