EveryCloud Technologies    


The Following article will provide a guideline on how to setup and use SPF records. Please read it carefully.


Setup


To setup Inbound SPF checking, please firstly ensure that you have published a TXT/SPF record. The TXT/SPF record will be required for each domain name and alias domain that is registered on your email filtering control panel. This SPF record must authorise our mail relays to send on behalf of your domain. In order to accomplish this you must have the following Include statement. - include:spf.everycloudtech.com



Available SPF Filter Options


Type 1 / Internal SPF checking

  • We will check the SPF record for only the domain names listed on the customer account. This includes the primary domain name and any alias domain name(s)
  • Emails from other domain names will not be SPF checked
  • Checking of the "MAIL FROM:" address (envelope sender) against the SPF record of "MAIL FROM:" domain name
    • Emails that fail with an SPF Hard-fail will be rejected at the boundary of the filtering service
    • Emails that fail with an SPF Soft-fail will be quarantined with the reason code "asespf7-1"
  • Checking of the "FROM" address against the SPF record of "MAIL FROM:" domain name
    • Emails that fail (Hard & Soft-fail) will be quarantined with the reason code "asespf7-1"

 

Type 2 / Internal and External SPF checking

  • We will check the SPF record for ALL inbound email
  • Checking of the "MAIL FROM" address (envelope sender) against the SPF record of "MAIL FROM:" domain name
    • Emails that fail with an SPF Hard-fail will be rejected at the boundary of the filtering service
    • Emails that fail with an SPF Soft-fail will be quarantined with the reason code "asespf7-2"
  • Checking of the "FROM" address against the SPF record of "MAIL FROM:" domain name
    • Emails that fail (Hard & Soft-fail) will be quarantined with the reason code "asespf7-2"

Please note that normally SPF filtering only checks the "MAIL FROM:" address. However, on EveryCloud, our SPF filtering is more stringent and also checks the "FROM:" address against the published SPF record of the "MAIL FROM:" address. Therefore this filter is extremely good at stopping spoofed email. However, genuine email from a 3rd party senders may be stopped where they are spoofing the "FROM:" address. This can occur with marketing emails or emails generated via 3rd party hosted services, e.g. hosted CRM, backup alerts, etc.

 

Hard or Soft Fail ?


The SPF Record will distinguish between a hard or a soft-fail, which explains how the system will handle an email where the SPF Record does not fit. The TXT record will need to add: 

  • Hard-fail    –all:     Emails where the "MAIL FROM:" does not match the SPF Record will be rejected. Emails where the "FROM:" does not match the SPF Record for the "MAIL FROM:" will be moved to the spam quarantine
  • Soft-fail     ~all:     Emails not matching the SPF Record will be moved into spam quarantine.


Notes:


It is worth noting the following regarding SPF records. 

  • SPF records should all now be DNS TXT (type 16) Resource Record (RR). More information can be found on this Here.
  • There are also DNS Lookup Limits on SPF records, more detailed information can be found Here.
  • kitterman.com is an excellent resource for SPF records, where they can be checked and validated easily.


Enabling SPF Checking


The next step is to contact the EveryCloud Support Team and to request SPF checking of inbound email to be enabled. In your support request you need to detail;

  • Primary domain on which to enable SPF checking
  • Any alias domains.
  • What type of SPF checking is required
  • Confirmation that a Valid SPF record is in place, for the domains requested.