Zimbra Tips : How To Enforce SPF Checking For Incoming Email

Before following this guide, make sure you have configured SPF checking as described at this link: https://imanudin.net/2016/03/11/zimbra-tips-how-to-enable-spf-checking-for-incoming-connection/. Once that is done, PolicyD by default rejects email only when the SPF result is fail (-). If the result is SPF none or SPF soft fail, the email is passed and given some score.

If you want to block senders that have no SPF record or that soft fail, you can replace the CheckSPF module in PolicyD with this one.

# On Zimbra 8.5/8.6

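cd /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules
# Keep the stock module as a backup
mv CheckSPF.pm CheckSPF.pm-backup
# Fetch the modified module; --no-check-certificate turns off TLS certificate verification for this download
wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm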

# On Zimbra 8.7.x

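cd /opt/zimbra/common/lib/policyd-2.1/cbp/modules
# Keep the stock module as a backup
mv CheckSPF.pm CheckSPF.pm-backup
# Fetch the modified module; --no-check-certificate turns off TLS certificate verification for this download
wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm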

The following are examples of log entries when receiving email from a domain that has no SPF record or whose SPF result is soft fail:

Mar 23 16:15:22 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.xx.xxx.xxx]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com, No applicable sender policy available; from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=

Mar 23 16:16:39 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.70.176.194]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com ... example.com, Sender is not authorized by default to use 'admin@example.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched); from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=
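
To see which sender domains the stricter module turns away, rejections in the format above can be tallied by sender domain and SPF result. This script is an added example, not part of the original post or of PolicyD; the log lines are constructed, and the function names and the wording of the '-all' line are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the rejections shown above
# (documentation IP ranges, example domains). The '-all' wording is an assumption.
SAMPLE_LOG = """\
Mar 23 16:15:22 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com, No applicable sender policy available; from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=<mx.example.com>
Mar 23 16:16:39 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <news@example.org>: Recipient address rejected: Failed SPF check; example.org, Sender is not authorized by default to use 'news@example.org' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched); from=<news@example.org> to=<admin@example.net> proto=ESMTP helo=<out.example.org>
Mar 23 16:17:02 mail postfix/smtpd[7010]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <info@example.com>: Recipient address rejected: Failed SPF check; example.com, No applicable sender policy available; from=<info@EXAMPLE.com> to=<admin@example.net> proto=ESMTP helo=<mx.example.com>
Mar 23 16:19:40 mail postfix/smtpd[7010]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <ceo@spoofed.example>: Recipient address rejected: Failed SPF check; spoofed.example, Sender is not authorized by default to use 'ceo@spoofed.example' in 'mfrom' identity (mechanism '-all' matched); from=<ceo@spoofed.example> to=<admin@example.net> proto=ESMTP helo=<mail.spoofed.example>
Mar 23 16:20:01 mail postfix/smtpd[7010]: connect from unknown[203.0.113.5]
"""

# Captures sender IP, SPF explanation and envelope sender of an SPF rejection.
REJECT = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: .*?Failed SPF check; "
    r"(?P<detail>.*?); from=<(?P<sender>[^>]*)>"
)
QUALIFIER = {"~": "softfail", "-": "fail", "?": "neutral"}

def classify(detail):
    """Map the explanation text of a rejection to an SPF result name."""
    if "No applicable sender policy available" in detail:
        return "none"
    m = re.search(r"mechanism '([~?-])", detail)
    return QUALIFIER[m.group(1)] if m else "other"

def summarize(log_text):
    """Count SPF rejections per (sender domain, SPF result)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not an SPF rejection
        # An empty envelope sender (bounce) has no domain to attribute.
        domain = m.group("sender").rpartition("@")[2].lower() or "<null sender>"
        counts[(domain, classify(m.group("detail")))] += 1
    return counts

def newly_blocked(counts):
    """Domains rejected for none/softfail, which the stock module only scored."""
    return sorted({d for (d, result) in counts if result in ("none", "softfail")})

if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for (domain, result), n in sorted(totals.items()):
        print(f"{domain:20} {result:9} {n}")
    print("rejected for none/softfail:", ", ".join(newly_blocked(totals)))
```
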

Good luck, and hopefully this is useful 😉

4 thoughts on - Zimbra Tips : How To Enforce SPF Checking For Incoming Email

  • Great post. How could I amend the script to only reject domains that do not have an SPF but still accept soft fails?
    I see that 80% of my spam comes from non-existing domains but there are quite a few poorly configured (government) sites that are now also rejected.

  • Dear iman,
    Need your help to resolve this issue. Yesterday I restarted my firewall because of some issue; after that, all my email to other domains is going directly to the spam folder, and I noticed all my previous mails were delivered with (mailed by: my domain name), but today it's not showing. Can you please help me with this?

    • Hi Amithrajc,

      Please try to send an email to Gmail (for example) and let's see the original public IP from your server. If the public IP is not from your SPF records, I think it’s normal if another domain moves your email into the spam/junk folder.
