GFI

Does GFI Mail Essentials 20.1 support full SPF specification

Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. Even thou SPF does have a lot of it's own issues most large companies use it and it allows to filter out a lot of spam.

Problem Description

GFI Mail Essentials 20 does support SPF and it does so on two levels.

SpamRazer which is GFI very own special filter

Dedicated Sender Policy Framework

Imagine my surprise when I started seeing properly configured SPF for e-mails yet GFI reporting them as spam.

Solution

After opening a case in GFI support system we were informed that:

GFI does support only basic SPF records

SpamRazer SPF filter does do some nested record lookups, but if it takes longer than a second to get a response, it will skip it

So if your customers use a bit more complicated SPF records you're gonna have lots of false positives. It includes even SPF for own gfi.com domain

“v=spf1 a:mailers.gfi.com a:oneconnectspf.gfi.com include:amazonses.com include:cleverbridge.com include:salesforce.com include:spf.protection.outlook.com”

“v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all”

“v=spf1 redirect=_spf.facebook.com”

“v=spf1 redirect=_spf.google.com”

“v=spf1 mx ptr:casses.aero ptr:s4a.aero include:_spf.google.com -all”

All those domains for gfi.com, microsoft.com, facebook.com or gmail.com most likely will fail GFI SPF testing… They even have have GFI voting system to support full RFC Specification for SPF. Don't hold your breath that it gets implemented anytime soon thou. So what to do until they add it properly?

The only way to go for now is either disable it totally or add those domains to SPF Exception list (either by IP or e-mails – with wildcards being supported).

You should be aware that adding a domain to whitelist (whitelist ip, whitelist email or personal whitelist) will not skip SPF checking (unless SPF checking is below whitelist).

Przemyslaw Klys

System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.

Share
Published by
Przemyslaw Klys

Recent Posts

Upgrade Azure Active Directory Connect fails with unexpected error

Today, I made the decision to upgrade my test environment and update the version of…

5 days ago

Mastering Active Directory Hygiene: Automating Stale Computer Cleanup with CleanupMonster

Have you ever looked at your Active Directory and wondered, "Why do I still have…

4 months ago

Active Directory Replication Summary to your Email or Microsoft Teams

Active Directory replication is a critical process that ensures the consistent and up-to-date state of…

8 months ago

Syncing Global Address List (GAL) to personal contacts and between Office 365 tenants with PowerShell

Hey there! Today, I wanted to introduce you to one of the small but excellent…

1 year ago

Active Directory Health Check using Microsoft Entra Connect Health Service

Active Directory (AD) is crucial in managing identities and resources within an organization. Ensuring its…

1 year ago

Seamless HTML Report Creation: Harness the Power of Markdown with PSWriteHTML PowerShell Module

In today's digital age, the ability to create compelling and informative HTML reports and documents…

1 year ago