New Member

DKIM/SPF inbound filtering examples

Hi All,

I was wondering if anyone can post examples of their DKIM and SPF filtering on their inbound mail flows that I might be able to look at. It would seem that all the filters I have attempted put a lot of legitimate mail into the quarantine and have little to no effect on the spam side.


Help???

4 REPLIES
New Member

Re: DKIM/SPF inbound filtering examples

What we need from you:

- sample message (attached as rfc822 copy)
- your filter syntax (click rules view for a paste-able text-friendly output)
- config.xml file (attached if possible)
- an overview of what you're trying to accomplish

andrew

New Member

Re: DKIM/SPF inbound filtering examples

Hi Andrew,

I'm just looking for generalized filtering people are doing for SPF and DKIM. Right now we have not implemented any filtering at this time, because mailing lists break DKIM and some network administrators haven't paid attention to their SPF policies.

While we have set everything we need on the outbound traffic, I was just wondering how people are dealing with these items on the inbound... or if anyone is actually monitoring DKIM and SPF on the inbound at all.

So, I guess I'm looking for best practices or examples on how people are implementing these items on their Ironports.

Re: DKIM/SPF inbound filtering examples

We have a simple 'logging only' rule:

SPF_Fail: if (spf-status == "fail") { deliver(); } 


This doesn't affect deliverability of messages, but gives us an idea of how many SPF failures we are getting on inbound mail. We have a similar filter for DKIM failures.

Currently we don't have enough faith in these systems to employ them as an anti-spam measure (but at least we know what the impact would be if we started blocking based on failures). Besides, using Senderbase scoring and CASE is working just fine at the moment.

New Member

Re: DKIM/SPF inbound filtering examples

Hi all,
On our side, we quarantine mails which fail SPF or DKIM validation.
Don't know about the code, but in the GUI it looks like this:

Conditions
Apply rule:
Order | Condition | Rule
1 | DKIM Authentication | dkim-authentication == "hardfail"
2 | SPF Verification | spf-status == "fail"

Actions
Order | Action | Rule
1 | Add Header | insert-header("X-Ironport-Quarantine", "Quarantine")

Statistically, we have quarantined 1438 mails using this content filter over the last month (total mail traffic was over 4.4M mails, with 84% blocked at SMTP level by the reputation filter).

Hope it helps!
Fred
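
Added example (not from any poster in this thread, and not Cisco code): a Python tally that reproduces the 'logging only' measurement offline, reading Authentication-Results headers from stored mail and applying the quarantine condition shown above (SPF fail or DKIM hard failure), split by mailing-list traffic. It assumes the gateway stamps RFC 8601-style Authentication-Results headers; the sample messages and the acceptance of both `fail` and `hardfail` as DKIM failure keywords are constructed assumptions.

```python
import email
import re
from collections import Counter

RESULT_RE = re.compile(r"\b(spf|dkim)\s*=\s*([a-z]+)", re.IGNORECASE)
DKIM_FAIL = {"fail", "hardfail"}  # assumption: the gateway may stamp either keyword

def auth_results(msg):
    """Return {'spf': set, 'dkim': set} of results stamped on the message."""
    found = {"spf": set(), "dkim": set()}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in RESULT_RE.findall(header):
            found[method.lower()].add(result.lower())
    return found

def would_quarantine(msg):
    """Mirror the thread's rule: SPF fail OR DKIM hard failure."""
    res = auth_results(msg)
    spf_fail = "fail" in res["spf"]  # softfail/neutral/none do not match
    # One valid signature is enough; a broken extra signature is not a failure.
    dkim_fail = bool(res["dkim"] & DKIM_FAIL) and "pass" not in res["dkim"]
    return spf_fail or dkim_fail

def tally(raw_messages):
    """Count rule hits, split by whether the message came through a mailing list."""
    counts = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        source = "list" if msg["List-Id"] else "direct"
        verdict = "quarantine" if would_quarantine(msg) else "deliver"
        counts[(source, verdict)] += 1
    return counts

# Constructed sample messages; only the headers matter here.
AR = "Authentication-Results: mx.example.net; "
SAMPLES = [
    AR + "spf=pass; dkim=pass header.d=example.org\nFrom: a@example.org\n\nhi",
    AR + "spf=pass; dkim=fail header.d=example.org\nList-Id: <users.lists.example.com>\n\nhi",
    AR + "spf=fail smtp.mailfrom=example.org; dkim=none\n\nhi",
    AR + "spf=softfail; dkim=pass header.d=example.org\n\nhi",
    AR + "spf=pass; dkim=fail header.d=example.org; dkim=pass header.d=lists.example.com\n"
         "List-Id: <dev.lists.example.com>\n\nhi",
]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLES).items()):
        print(key, n)
```

A high ("list", "quarantine") count relative to ("direct", "quarantine") indicates the rule is mostly catching list-modified mail rather than forged senders.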
