2

I’m administering a mail server (cPanel/WHM) running Exim. It normally handles a few hundred incoming emails per day for our customers.

I’m not sure if I should reject SPF and/or DKIM failures for incoming email. This obviously depends on the percentage of misconfigured mail servers out there.

What’s the recommended and best practice setup?

esc1729
  • 305
  • 2
  • 16

3 Answers

2

I’m not sure if I should reject SPF and/or DKIM failures for incoming email

For SPF - depends on failure.

SOFT failure - no. That indicates that there is an error in the SPF or no SPF record.

HARD failure - yes. Because when the owner of the domain tells you that the sending server was not authorized, then yes, this is not authorized email and thus can be discarded.

TomTom
  • 50,857
  • 7
  • 52
  • 134
2

These are the rules I use:

  • Ignore any cases where SPF does not exist (SPF Unknown).
  • Reject on any SPF failures for HELO name. (The sending server must be able to send mail on its own behalf.)
  • Reject on any SPF failures for the address in the PTR record if it is different from the HELO name. (This should always be the same as the HELO name, but some legitimate servers don't get it right.)
  • Reject on hard SPF failure for envelope sender.

DKIM is so frequently mis-configured that I don't reject on it. Many signers don't publish their public key.

Both SPF and DKIM data are used in generating spam scores for messages that haven't been outright rejected.

BillThor
  • 27,354
  • 3
  • 35
  • 69
  • Thank you everybody for answering! I've decided to go this way and started to investigate the mail logs especially for the reasons of rejects to get a feeling for the frequencies in detail. I had some complaints by customers that some service requests to their service lines were rejected because of too strict settings. – esc1729 May 26 '13 at 06:44
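As an added illustration (not code from BillThor's answer or from Exim), a small Python evaluator for the ip4/ip6/all terms of an SPF record, followed by the accept/reject rules listed above. The record strings and IP addresses are constructed sample data, and DNS-dependent mechanisms (include, a, mx, redirect=) are not resolved here.

```python
"""Minimal SPF evaluator plus the reject/accept policy from the answer above.

Assumptions: only ip4/ip6/all mechanisms are evaluated (no DNS lookups),
so a record that relies on include/a/mx yields 'none' in this toy version.
Sample records and addresses below are constructed, not real domains' data.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return the SPF result string for client_ip against a v=spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published (BillThor's 'SPF Unknown')
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Version mismatch (v4 address vs v6 network) simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "none"  # include/a/mx/redirect= need DNS; not resolved here
    return "neutral"  # no mechanism matched and no trailing 'all'


def decide(helo_result, ptr_result=None, mail_from_result="none"):
    """Apply the rules above: any HELO or PTR-name failure rejects, the
    envelope sender rejects only on a hard fail; the rest goes to scoring.
    ptr_result is None when the PTR name is the same as the HELO name."""
    if helo_result in ("fail", "softfail"):
        return "reject: HELO name fails SPF"
    if ptr_result in ("fail", "softfail"):
        return "reject: PTR name fails SPF"
    if mail_from_result == "fail":
        return "reject: envelope sender hard-fails SPF"
    return "accept"  # none/neutral/softfail for the sender only affect spam score


if __name__ == "__main__":
    helo_record = "v=spf1 ip4:192.0.2.0/24 -all"   # constructed
    sender_record = "v=spf1 ip4:203.0.113.0/24 ~all"  # constructed
    client = "192.0.2.10"
    print(decide(evaluate_spf(helo_record, client),
                 None, evaluate_spf(sender_record, client)))
```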
0

Below are a few must-have parameters for mail servers:

  • Mail server IP not on a blacklist
  • Mail server has MX and reverse DNS records
  • Must have SPF DNS records (many servers reject mail without a valid SPF, GMail)
  • Mail server's HELO response matches your hostname
  • Mail server is not an open relay
  • DNS records' TTL is not too low - 86400
  • Mail server should have Yahoo Domain Keys.
  • 3
    Sorry, but that is crap. Most domains do NOT have SPF and thus gmail et al will not reject from sources without SPF. It will reject SPF hard faults, but a missing SPF entry means nothing, except that SPF was not configured. – TomTom May 25 '13 at 10:16
  • 2
    "TTL is not too low" I wouldn't recommend that. TTL values are legitimately lowered for preparation of a cutover for e.g.. I get the goal you have here but there's better ways to accomplish it like DNSBLs or e-mail "hurdles". – Belmin Fernandez May 28 '13 at 13:26