You are seeing messages from a "trusted" source failing the SPF check.
Messages are failing the SPF check.
Symantec Messaging Gateway is working as designed; however if you want to configure exceptions for the SPF modules you might have to build some content filtering policies.
By using nslookup or dig, you can get the TXT records for the problematic domain and you will notice that its IP address is not in the SPF record: yourdomain.com 3600 IN TXT "v=spf1 ip4:192.168.1.1 ~all" example.com. 7200 IN TXT "v=spf1 ip4:192.168.1.2 -all"
In this example, you are receiving messages from the domain example.com, destined to yourdomain.com, SMG will verify the connecting IP against the example.com domain and not yourdomain.com thus rendering the SPF fail verdict. You need to "authorize" the messages based on the "sender domain".
When enabling SPF on Symantec Messaging Gateway (SMG) 9.5.x, all inbound messages coming to SMG will get a header that has the following format: Authentication-Results: spf=RESULT
The RESULT field usually has the value fail or softfailStarting with version 9.5, we now provide a sample content filtering policy to treat the softfail result, fail will be using the policy configured under Spam -> Sender Authentication; however you can configure that policy to "Deliver message normally" and then use a content filtering policy to deal with that result separately.
Here is an example of a policy that would detect the fail result and it will authorize delivery if the sender domain matches the policy:
1) Change the default SPF policy to deliver messages normally under Spam -> Sender Authentication 2) Create an "Inbound" content filtering policy to look for the header: If text in Message header "Authentication-Results" contains 1 or more occurrences of "spf=fail" 3) Add another condition to look for the "authorized" domains: If text in From/To/Cc/Bcc Address part of the message does not match regular expression ".*\@example\.com$" 4) Set the action you want to take on the messages that do not match the criteria above. 5) Select the group(s) that you want to apply that policy 6) Click SAVE
NOTE: You might need to add extra conditions if you have to authorize other domains. Make sure this policy is at the very top of the content filtering policies page.
- Symantec Messaging Gateway 9.5.x - The sender domain is not listed as an authorized source for your domain.
Imported Document ID: TECH163334
Subscribing will provide email updates when this Article is updated. Login is required.