How To Enable SPF Checking for Incoming Connection


Usually, i am configure spf to my server for outgoing purpose. The spf records are defined in public dns use txt records. But, how to enable spf checking if there connection to my server?

The following is step by step how to enable spf checking for incoming connection.

You need to enable cbpolicyd as in the following guides : https://pratapsatve.wordpress.com/2016/03/17/how-to-install-policyd-on-zimbra/. After enable policyd, please open policyd webui (http://IPZIMBRA:7780/webui/index.php) and create some groups, policy and spf.

# Create Groups

Select Policies | Groups. Select action and add groups. given name list_domain. On comment, you can empty or filled with comment. Select a group that has been made. On action, select members and fill with your domain. See the following example. make sure disabled status is no at groups or members groups

policyd-groups

policyd-members-groups

Create Policy

Select Policies | Main. Add new policy and give name or information like the following picture. Then submit query

policy-spf

select new policy has been made and select members on action. Add member and fill on source/destination with group that has been made. See the following example

policy-spf-members

Above configuration only check spf if email connection come from external domain (Gmail, Yahoo and etc) to my internal domain. If email connection come from internal domain to internal domain, or internal domain to external domain, spf checking will be ignore/skip. make sure disabled status is no

# Create SPF Check

Select SPF Checks | Configure. Select Add on Action and configure like follow. Then Submit

spf-configure

Make sure disabled status is no. Enable policyd checkspf and restart policyd service

su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydCheckSPFEnabled TRUE
zmcbpolicydctl restart

SPF checking for incoming connection has been enabled and configured. Please see zimbra.log if getting spf fail.

The following is example when getting spf fail

Mar 10 18:45:43 smtp postfix/smtpd[28068]: NOQUEUE: reject: RCPT 
from c117-167.nanaonet.jp[119.18.167.117]: 554 5.7.1 <shaftssg@onet.pl>: 
Sender address rejected: Failed SPF check; 
Please see http://www.openspf.org/Why?s=mfrom;id=shaftssg%40onet.pl;
ip=119.18.167.117;r=smtp.imanudin.net; onet.pl, 
Sender is not authorized by default to 
use 'shaftssg@onet.pl' in 'mfrom' identity (mechanism '-all' matched); 
from=<shaftssg@onet.pl> to=<xxxx@imanudin.net> proto=ESMTP helo=<[119.18.167.117]>

Good luck and hopefully useful