Jump to content


Photo

A Whitelist for Sender Spoofing (or respect SPF records)


This topic has been archived. This means that you cannot reply to this topic.
1 reply to this topic

#1 Karl Bystrak

Karl Bystrak
  • Members
  • 1 posts

Posted 29 August 2019 - 02:25 PM

Right now if you have sender spoofing turned on your only option to allow outside emails in that are spoofed (say from a third party vendor that sends bulk email on your behalf) is to whitelist the IPs of the third party.  Which means all emails that third party sends, including the ones that are not yours, are then allowed due to the whitelisted IP. 

 

There should be a whitelist just for the sender spoofing and not everything.

 

Either that, or check inbound emails to your domain name against the SPF records to see if they should be permitted.  Right now, the setting to "Reject messages from my domain:" under Domain Management > Advanced > Email protocol overrides the SPF record.    So even when the SPF record shows that the sender is authorized to send emails from the domain, the ESG blocks it.

 

 

 



#2 Daniel Petrak

Daniel Petrak
  • Members
  • 7 posts

Posted 21 November 2019 - 11:07 AM

Replying to bump this.

 

The SPF implementation by ESG hasn't been right (in my opinion) for a while.  Several of us have requested that SPF be treated (or at least have the option to be treated) as dominant over filter rules.  

 

For instance, the opposite of what you're doing - when we whitelist a domain (due to too many false positives blocking important emails) and then someone spoofs that domain, SPF doesn't enter the equation.  I want us to always obey SPF even if we've whitelisted the domain.

 

Whitelisting IP ranges won't make sense when so many companies use hosted mail solutions.  There is no way I could maintain every legitimate IP for every legitimate client - that's what SPF is for.