Does GFI Mail Essentials 20.1 support full SPF specification

After opening a case in GFI support system we were informed that:

GFI does support only basic SPF records

SpamRazer SPF filter does do some nested record lookups, but if it takes longer than a second to get a response, it will skip it

So if your customers use a bit more complicated SPF records you're gonna have lots of false positives. It includes even SPF for own gfi.com domain

“v=spf1 a:mailers.gfi.com a:oneconnectspf.gfi.com include:amazonses.com include:cleverbridge.com include:salesforce.com include:spf.protection.outlook.com”

“v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all”

“v=spf1 redirect=_spf.facebook.com”

“v=spf1 redirect=_spf.google.com”

“v=spf1 mx ptr:casses.aero ptr:s4a.aero include:_spf.google.com -all”

All those domains for gfi.com, microsoft.com, facebook.com or gmail.com most likely will fail GFI SPF testing… They even have have GFI voting system to support full RFC Specification for SPF. Don't hold your breath that it gets implemented anytime soon thou. So what to do until they add it properly?

The only way to go for now is either disable it totally or add those domains to SPF Exception list (either by IP or e-mails – with wildcards being supported).

You should be aware that adding a domain to whitelist (whitelist ip, whitelist email or personal whitelist) will not skip SPF checking (unless SPF checking is below whitelist).