Posted by Before configure this guidance, please make sure you’ve configured SPF checking from this link : https://imanudin.net/2016/03/11/zimbra-tips-how-to-enable-spf-checking-for-incoming-connection/. When you’ve done, by default will reject SPF only if configured fail (-). If SPF none or SPF soft fail, email will pass and given some score.
If you want to block sender did not have SPF or soft fail, you can change CheckSPF module on PolicyD with this one.
# On Zimbra 8.5/8.6
cd /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules mv CheckSPF.pm CheckSPF.pm-backup wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm
# On Zimbra 8.7.x
cd /opt/zimbra/common/lib/policyd-2.1/cbp/modules mv CheckSPF.pm CheckSPF.pm-backup wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm
The following are example when receiving email from domain who did not have SPF or SPF soft fail
Mar 23 16:15:22 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.xx.xxx.xxx]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com, No applicable sender policy available; from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo= Mar 23 16:16:39 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.70.176.194]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com ... example.com, Sender is not authorized by default to use 'admin@example.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched); from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=
Good luck and hopefully useful 😉
Great post. How could I amend the script to only reject domains that do not have an SPF but still accept soft fails?
I see that 80% of my spam comes from non existing domains but there are quite a few poorly configured (government) sites that are now also rejected.
Hi Peter,
You can use this module : https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF-softfail.pm and rename into CheckSPF.pm
Dear iman,
need your help to resolve this issue yesterday i restart my firewall cause of some issue after that all my email to other domain directly going to spam folder and i notes all my previous mails delivered with (mailed by : my doamin name ) but to day its not showing can you please help me on this
Hi Amithrajc,
Please try to send email into Gmail (for example) and let see the original IP public from your server. If public IP is not from your SPF records, i think it’s normal if another domain move your email into spam/junk folder
Hallo mas Iman
Email yang terreject oleh SPF apakah bisa direstore ? terima kasih sebelumnya.
Hi mas Totok,
Email yang direject tidak bisa direstore mas. Seharusnya email tersebut bouncing dan dikirim kembali kepada sender dengan pesan direject oleh SPF
Hai Mas Iman, sya mengalami eror sebegai berikut bagaimana solusinya mas sebelumnya kirim email dri gmail tdk pernah di tolak :
[2018/06/23-12:17:12 – 23295] [CORE] INFO: module=CheckSPF, action=reject, host=192.168.0.203, helo=mail-pg0-f44.google.com, from=hafidzcyber@gmail.com, to=hafidz@sakatehnik.co.id, reason=spf_softfail
Hi mas,
Sepertinya salah konfigurasi disisi router. Biasanya pengguna Mikrotik selalu menggunakan masquerade dan tidak mendefinisikan source IP nya. Alhasil semua akses akan dikenali dari ip router. AFAIK, IP public Gmail bukan 192.168.0.203
Mas, ini ada beberapa domain dari pemerintah yang belum ada SPFnya sehingga langsung terblokir (bouncing).
Apakah ada solusi untuk supaya email2 dari luar yg tidak punya SPF tidak perlu langsung di blokir dan cukup masuk ke Spam/Junk saja mas?
Terima kasih sebelumnya.
Hi mas Addo,
Bisa menggunakan tips yang ini mas : https://imanudin.net/2016/03/11/zimbra-tips-how-to-enable-spf-checking-for-incoming-connection/
how can I allow this softfail to pass globally so I do not have to whitelist very many senders?
Failed SPF check; Redundant applicable ‘v=spf1’ sender policies found
Hello,
Replace again module SPF with the original module before your perform this guidance
Malam.mas
Salam kenal salam sejahtera
Untuk zimbra 8.8.10 gmn ya mas
Spf cek nya
Hi mas Topan,
Prosesnya sama saja mas. Berlaku untuk semua versi Zimbra
terima kasih mas
jadi harus aktifkan cbpolicyD dulu ya mas iman
kalau tidak aktifkan cbpolicyD tidak bisa ya
mohon infonya