A domain, with SPF record containing include mechanism, when spoofed, triggers the action configured for Sender Policy Framework (SPF) Authentication incorrectly

Article:TECH89639  |  Created: 2008-01-03  |  Updated: 2012-02-16  |  Article URL http://www.symantec.com/docs/TECH89639
Article Type
Technical Solution


"Sender Policy Framework (SPF)" is enabled as a Sender Authentication policy, but some spoofed domains do not trigger the action configured for SPF Authentication. Domains that exhibit this issue are using the include mechanism in their SPF records.


This issue has been addressed in the 9.5.0 release of the Symantec Messaging Gateway (formerly Symantec Brightmail Gateway)

Technical Information
If the SPF record for a domain uses the include mechanism and the SPF record for the included domain has a last directive that is different from the last directive in the main SPF record, then the sender authentication module incorrectly treats the directive in the included domain as the overall directive. For example:

"v=spf1 ip4: include:otherdomain.net -all"

"v=spf1 ip4: a ~all"

In releases prior to SMG 9.5 the directive for domain.com would be treated as ~all rather than -all.


Supplemental Materials

Value30727, 30772

Legacy ID


Article URL http://www.symantec.com/docs/TECH89639

Terms of use for this information are found in Legal Notices