SPF

You can configure Clearswift Gateway to perform Sender Policy Framework (SPF Sender Policy Framework) validation checks on received mail.

With SPF checking enabled, if there are SPF records for the domain from which the message was received, Clearswift Gateway uses those records to check that email is coming from the stated sender. If there are no SPF records for that domain, the Gateway cannot perform this check.

Messages can fail SPF checks in two ways:

• Hard Failure. SPF DNS records state with certainty that the message is not coming from the stated sender
• Soft Failure. There are problems with SPF DNS records that make it impossible for the Clearswift Gateway to carry out SPF validation. An SPF Soft Failure can also occur if the domain owner has configured the SPF DNS record to recommend that messages should not be rejected, even if SPF validation fails. This is typically used while domain owners are testing SPF and they are not confident that SPF DNS records include all sources of legitimate messages for the domain.

The Clearswift Gateway enables you to specify different actions to take on messages, depending on the type of SPF failure.

For more information, see Configuring SPF Settings.

SPF checks can only be used if the Gateway is connected directly to the Internet enabling it to determine whether SPF records exist for the domain from which the message was received.

If you have enabled SPF checking, you might want to add servers to the allow list of known machines from which you will always allow email. Using the allow list also prevents the overhead of performing SPF validation on trusted servers. The allow list can also provide an alternative solution if SPF mistakenly fails a trusted server. For more information, see Allow List.