Zimbra

Zimbra Tips : How To Enforce SPF Checking For Incoming Email

Before following this guide, make sure you have configured SPF checking as described at this link: https://imanudin.net/2016/03/11/zimbra-tips-how-to-enable-spf-checking-for-incoming-connection/. Once that is done, email is by default rejected only when the SPF result is fail (-). If the result is SPF none or SPF soft fail, the email is accepted and given some score.

If you want to block senders that have no SPF record or that get a soft fail, you can replace the CheckSPF module in PolicyD with this one.

# On Zimbra 8.5/8.6

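cd /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules
# Keep the original module so the change can be reverted
mv CheckSPF.pm CheckSPF.pm-backup
# --no-check-certificate disables TLS certificate verification for this download
wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm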

# On Zimbra 8.7.x

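cd /opt/zimbra/common/lib/policyd-2.1/cbp/modules
# Keep the original module so the change can be reverted
mv CheckSPF.pm CheckSPF.pm-backup
# --no-check-certificate disables TLS certificate verification for this download
wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm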

The following are examples of the log entries written when receiving email from a domain that has no SPF record or that gets an SPF soft fail:

Mar 23 16:15:22 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.xx.xxx.xxx]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com, No applicable sender policy available; from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=

Mar 23 16:16:39 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.70.176.194]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com ... example.com, Sender is not authorized by default to use 'admin@example.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched); from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=
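To see what the stricter policy is rejecting, the following added example (not part of the original post and not the author's CheckSPF.pm) tallies "Failed SPF check" rejects by SPF result and sender domain. It also lists clients that connect from an RFC 1918 address, which means SPF is being evaluated against a NAT address instead of the real sender. The log lines are constructed in the format shown above, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, modelled on the Postfix rejects shown above.
SAMPLE_LOG = """\
Mar 23 16:15:22 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com, No applicable sender policy available; from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=<mx.example.com>
Mar 23 16:16:39 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <news@example.org>: Recipient address rejected: Failed SPF check; example.org, Sender is not authorized by default to use 'news@example.org' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched); from=<news@example.org> to=<admin@example.net> proto=ESMTP helo=<mx.example.org>
Mar 23 16:17:02 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[192.168.0.203]: 554 5.7.1 <bob@example.org>: Recipient address rejected: Failed SPF check; example.org, Sender is not authorized by default to use 'bob@example.org' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched); from=<bob@example.org> to=<admin@example.net> proto=ESMTP helo=<mx.example.org>
Mar 23 16:17:05 mail postfix/smtpd[7006]: disconnect from unknown[192.168.0.203]
"""

REJECT_RE = re.compile(r"reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: .*?Failed SPF check; "
                       r"(?P<detail>.*?); from=<(?P<sender>[^>]*)>")
# RFC 1918 ranges: a client address in one of these means the MTA sees a NAT
# address, so SPF is checked against the wrong IP.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(detail):
    """Map the reject text to an SPF result name."""
    if "No applicable sender policy available" in detail:
        return "none"
    if "mechanism '~all' matched" in detail:
        return "softfail"
    return "other"


def summarize(log_text):
    """Return (rejects per result, rejects per sender domain, NAT-looking clients)."""
    by_result, by_domain, nat_clients = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # not an SPF reject line
        by_result[classify(m["detail"])] += 1
        by_domain[m["sender"].rpartition("@")[2].lower()] += 1
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # masked or malformed address in the log
        if any(ip in net for net in RFC1918):
            nat_clients.add(str(ip))
    return by_result, by_domain, nat_clients


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
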

Good luck, and I hope this is useful 😉

12 comments

  1. Great post. How could I amend the script to only reject domains that do not have an SPF but still accept soft fails?
    I see that 80% of my spam comes from non existing domains but there are quite a few poorly configured (government) sites that are now also rejected.

  2. Dear Iman,
    I need your help to resolve this issue. Yesterday I restarted my firewall because of some issue. After that, all my email to other domains goes directly to the spam folder, and I noticed that all my previous mails were delivered with (mailed by: my domain name), but today it's not showing. Can you please help me with this?

    1. Hi Amithrajc,

      Please try to send an email to Gmail (for example) and look at the original public IP of your server. If the public IP is not in your SPF records, I think it's normal if another domain moves your email into the spam/junk folder.

    1. Hi Mas Totok,
      Rejected email cannot be restored. The email should have bounced and been sent back to the sender with a message that it was rejected by SPF.

  3. Hi Mas Iman, I am getting the following error. What is the solution? Previously, email sent from Gmail was never rejected:

    [2018/06/23-12:17:12 – 23295] [CORE] INFO: module=CheckSPF, action=reject, host=192.168.0.203, helo=mail-pg0-f44.google.com, from=hafidzcyber@gmail.com, to=hafidz@sakatehnik.co.id, reason=spf_softfail

    1. Hi Mas,

      It looks like a misconfiguration on the router side. Mikrotik users usually always use masquerade and do not define the source IP. As a result, all access is seen as coming from the router's IP. AFAIK, Gmail's public IP is not 192.168.0.203.

  4. Mas, there are several government domains that do not have SPF yet, so they are blocked right away (bouncing).
    Is there a solution so that external emails without SPF are not blocked outright and simply go to Spam/Junk instead?

    Thank you in advance.

  5. How can I allow this softfail to pass globally so I do not have to whitelist very many senders?

    Failed SPF check; Redundant applicable ‘v=spf1’ sender policies found
