A domain with an SPF record containing the include mechanism, when spoofed, incorrectly triggers the action configured for Sender Policy Framework (SPF) Authentication
Article: TECH89639 | Created: 2008-01-03 | Updated: 2012-02-16 | Article URL: http://www.symantec.com/docs/TECH89639
"Sender Policy Framework (SPF)" is enabled as a Sender Authentication policy, but some spoofed domains do not trigger the action configured for SPF Authentication. Domains that exhibit this issue are using the include mechanism in their SPF records.
This issue has been addressed in the 9.5.0 release of the Symantec Messaging Gateway (formerly Symantec Brightmail Gateway).
If the SPF record for a domain uses the include mechanism and the SPF record for the included domain has a last directive that is different from the last directive in the main SPF record, then the sender authentication module incorrectly treats the directive in the included domain as the overall directive. For example:
SPF record for domain.com (the main record):
"v=spf1 ip4:22.214.171.124 include:otherdomain.net -all"
SPF record for otherdomain.net (the included domain):
"v=spf1 ip4:126.96.36.199 a ~all"
In releases prior to SMG 9.5, the directive for domain.com would be treated as ~all rather than -all.
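The difference between the two outcomes can be reproduced with a small evaluator run over the two records above. This is an added example, not Symantec code: the in-memory record table, the A record for otherdomain.net, the sender address 203.0.113.7 and the leak_included_result switch (a model of the behaviour described for releases before 9.5) are all assumptions made for illustration.

```python
import ipaddress

# SPF records from the article; the A record for otherdomain.net is constructed.
SPF = {
    "domain.com": "v=spf1 ip4:22.214.171.124 include:otherdomain.net -all",
    "otherdomain.net": "v=spf1 ip4:126.96.36.199 a ~all",
}
A_RECORDS = {"otherdomain.net": ["198.51.100.10"]}  # constructed sample data

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, leak_included_result=False):
    """Evaluate the ip4, a, include and all mechanisms for `domain`.

    leak_included_result=True models the behaviour the article describes for
    releases before 9.5: the included record's result becomes the overall one.
    """
    addr = ipaddress.ip_address(ip)
    for term in SPF[domain].split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A_RECORDS.get(arg or domain, [])
        elif name == "include":
            inner = check_host(ip, arg, leak_included_result)
            if leak_included_result:
                return inner  # modelled defect: inner ~all decides the outcome
            matched = inner == "pass"  # RFC 7208: only an inner pass matches
        else:
            raise ValueError(f"mechanism not covered by this example: {name}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    spoofed_sender = "203.0.113.7"  # constructed: authorised by neither record
    print("correct:", check_host(spoofed_sender, "domain.com"))
    print("modelled pre-9.5:", check_host(spoofed_sender, "domain.com", True))
```

A sender that neither record authorises should end at the -all in domain.com and fail; with the modelled defect it stops at the included ~all and only softfails.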