As default, SPF checking on inbound email is not performed by EveryCloud. However, it can be enabled by our support team - we offer 2 levels of SPF checking. 


To setup inbound SPF checking, please firstly ensure that you have published a TXT/SPF record, which authorizes our mail relays to send on behalf of your domain. The TXT/SPF record will be required for each domain name and alias domain that is registered on your email filtering control panel. Please see our set up documentation here for SPF/TXT record syntax.


Hard or Soft Fail?


The SPF Record will distinguish between a hard- or a soft-fail, which explains how the system will handle an email where the SPF Record does not fit. The TXT record will need to add:

  • Hard-fail –all: Emails where the "MAIL FROM:" does not match the SPF Record will be rejected. Emails where the "FROM:" does not match the SPF Record for the "MAIL FROM:" will be moved to the spam quarantine 
  • Soft-fail ~all: Emails not matching the SPF Record will be moved into spam quarantine


Available SPF Filter Options


Type 1 / Internal SPF/TXT checking 

  • We will check the SPF record for for only the domain names listed on the customer account. This includes the primary domain name and any alias domain name(s)
  • Emails from other domain names will not be SPF checked
  • Checking of the "MAIL FROM:" address (envelope sender) against the SPF record of "MAIL FROM:" domain name
    • Emails that fail with an SPF Hard-fail will be rejected at the boundary of the filtering service
    • Emails that fail with an SPF Soft-fail will be quarantined with the reason code "asespf7-1"
  • Checking of the "FROM" address against the SPF record of "MAIL FROM:" domain name
    • Emails that fail (Hard & Soft-fail) will be quarantined with the reason code "asespf7-1"

 

Type 2 / Internal and External SPF checking

  • We will check the SPF record for ALL inbound email
  • Checking of the "MAIL FROM" address (envelope sender) against the SPF record of "MAIL FROM:" domain name
    • Emails that fail with an SPF Hard-fail will be rejected at the boundary of the filtering service
    • Emails that fail with an SPF Soft-fail will be quarantined with the reason code "asespf7-2"
  • Checking of the "FROM" address against the SPF record of "MAIL FROM:" domain name
    • Emails that fail (Hard & Soft-fail) will be quarantined with the reason code "asespf7-2"
  • Please note that normally SPF filtering only checks the "MAIL FROM:" address. However, on EveryCloud, our SPF filtering is more stringent and also checks the "FROM:" address against the published SPF record of the "MAIL FROM:" address. Therefore this filter is extremely good at stopping spoofed email. However, genuine email from a 3rd party senders may be stopped where they are spoofing the "FROM:" address. This can occur with marketing emails or emails generated via 3rd party hosted services, e.g. hosted CRM, backup alerts, etc.

 

Enabling SPF Checking


The next step is to contact the EveryCloud support team and to request SPF checking of inbound email to be enabled. In your support request you need to detail;

  • Primary domain to enable SPF checking
  • Any alias domains to enable SPF checking
  • What type of SPF checking is required