Enabling SPF and Sender ID authentication

Article:HOWTO53911  |  Created: 2011-06-06  |  Updated: 2012-08-20  |  Article URL http://www.symantec.com/docs/HOWTO53911
Article Type
How To



Enabling SPF and Sender ID authentication

Symantec Messaging Gateway can authenticate a sender's IP address by checking it against the published DNS record for the named mail server. If the DNS record includes a hard outbound email policy (one that requires content filtering), and it does not include the sending IP address, Symantec Messaging Gateway processes the inbound message according to the action that you specify on the Sender Authentication page. If the sender's IP address matches the IP address that is published in DNS record, or if the domain publishes only an informational policy or does not publish a policy at all, no action is taken.

Authenticating the IP addresses of senders can reduce spam because spammers often attempt to forge the mail server name to evade detection. Symantec Messaging Gateway uses the Sender Policy Framework (SPF) or the Sender ID standard to authenticate sender IP addresses. If you specify domains whose IP addresses you want Symantec Messaging Gateway to authenticate, the best practice is to specify the highest-level domain possible, such as example.com, because tests for compliance include all subdomains of the specified domain - for example, my.example.com and your.example.com.


Authenticating all domains can significantly increase processing load. Many domains do not publish an outbound email policy, or they publish only an informational policy. Attempting to authenticate the IP addresses belonging to such domains will not produce any action on mail sent from them and can unnecessarily expend processing resources, at times excessively. Authentication is most effective for domains that publish hard policies that are frequently spoofed in phishing attacks.

Optionally, you can use a content filtering policy to specify actions for an SPF or Sender ID softfail condition.

Default content filtering policies that you can use are as follows:

  • SPF Validation Softfail: Modify subject line with "[SPF Softfail]"

  • SenderID Validation Softfail: Modify subject line with "[SenderID Softfail]"

See Default content filtering policies.

See Editing content filtering policies.

To enable SPF and Sender ID authentication

  1. In the Control Center, click Spam > Settings > Sender Authentication.

  2. In the Authentication Service Identifier box, type your authentication service identifier.

    The authentication service identifier is a site-specific string that Symantec Messaging Gateway inserts into each message's authentication results header along with the SenderID and SPF. The authentication service identifier uses a syntax similar to the syntax of a domain name.

    The following are examples of valid authentication service identifiers:

    • example.com

    • mail.example.org

    • ms1.newyork.example.com

    • example-auth

  3. On the SenderID/SPF tab under Authentication Types, check Sender Policy Framework (SPF) or Sender ID.

    Choosing Sender ID also enables SPF because when you authenticate Sender ID with DNS, it also provides SPF authentication.

  4. Under Domain Authentication, choose a domain authentication method.

    To initiate sender authentication on incoming messages from all domains, click Authenticate all domains and click Save.

    To select specific domains to authenticate, click Authenticate only the following domains and check the domains to authenticate.

  5. Perform additional actions as needed.

    • To add a new domain to the list click Add. Type a domain name in the text field and click Save.

    • To edit the spelling of a domain click the domain name and click Edit. Make changes and click Save.

    • To delete a domain from the list, check the domain name and click Delete.

    • To change the default action or to add additional actions, under Actions, click Add. Choose from the drop-down menu, and then click Add Action.

      Some action choices display additional fields where you can provide specifics for the action. By default, each failed message has the phrase [sender auth failure] prepended to its subject line.

  6. Click Save to commit your changes.

Legacy ID


Article URL http://www.symantec.com/docs/HOWTO53911

Terms of use for this information are found in Legal Notices