SPF (Sender Policy Framework) validation is one method to prevent unauthorized outbound email servers from sending messages on behalf of a domain. Domain administrators publish SPF information in TXT records in DNS. The SPF TXT record identifies authorized outbound email servers. Destination email systems, like Mailprotector, verify that messages originate from authorized outbound email servers.
SPF checks in CloudFilter
Mailprotector evaluates SPF against an email's Sender, From, and Reply-To addresses. By default, however, filtering decisions are made only on the Sender address's SPF check, per the Sender Policy Framework RFC.
NOTE: Mailprotector's SPF checks against the From and Reply-To addresses can be scored by adjusting the Scoring Sensitivity. By default, the result is zero. Scoring on the From and Reply-To addresses may increase false positives, but it can reduce the number of spoofed emails that reach a high-risk user's inbox.
Reading log results for SPF validation
When viewing the log detail of an email in the Console, SPF validation results will be listed if sufficient SPF information is available. The image above shows an example email with SPF validation results.
The yellow highlighted result, SPF Pass, is the Sender address result stating the email has come from an authorized email server. If this result were SPF Soft Fail or SPF Hard Fail, that would indicate the Sender address did not match an authorized email server, and the email could be quarantined based on the filtering configuration.
The green highlighted results, SPF Pass (From) and SPF Pass (Reply-To), indicate the From and Reply-To addresses also passed an SPF check. The message would still validate if these addresses were in the Sender field. If either of these were a failure, it would provide insight into the email's different addresses, but it would not be used for a filtering decision.
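The sketch below is an added example, not Mailprotector's code: it runs a simplified SPF check (only the ip4 and all mechanisms) against the Sender, From, and Reply-To addresses of one message and shows that only the Sender result drives the verdict while From and Reply-To failures score zero unless weighted. The domains, SPF records, IP addresses, weight values, and verdict labels are all constructed for illustration.

```python
import ipaddress

# Constructed SPF TXT records for example domains (not real DNS data).
SPF_RECORDS = {
    "bulkmail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "vendor.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "Pass", "-": "Hard Fail", "~": "Soft Fail", "?": "Neutral"}
FAILS = ("Soft Fail", "Hard Fail")

def check_spf(address, client_ip):
    """Simplified SPF check: supports only the ip4 and all mechanisms."""
    record = SPF_RECORDS.get(address.rsplit("@", 1)[-1].lower())
    if record is None or record.split()[0] != "v=spf1":
        return "None"  # no SPF information published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "Neutral"  # no mechanism matched

def evaluate(message, client_ip, header_weights=None):
    """Check all three addresses; only the Sender result drives the verdict."""
    weights = header_weights or {"From": 0, "Reply-To": 0}  # hypothetical weights, zero by default
    results = {f: check_spf(message[f], client_ip)
               for f in ("Sender", "From", "Reply-To") if f in message}
    verdict = "quarantine-eligible" if results.get("Sender") in FAILS else "deliver"
    score = sum(weights.get(f, 0) for f, r in results.items()
                if f != "Sender" and r in FAILS)
    return results, verdict, score

# Constructed message: the Sender domain authorizes the connecting server,
# but the From domain does not.
MESSAGE = {
    "Sender": "bounce@bulkmail.example",
    "From": "accounts@vendor.example",
    "Reply-To": "replies@unlisted.example",
}

if __name__ == "__main__":
    print(evaluate(MESSAGE, "198.51.100.7"))
    print(evaluate(MESSAGE, "198.51.100.7", {"From": 5, "Reply-To": 5}))
    print(evaluate(MESSAGE, "203.0.113.9"))
```

The first call shows a message whose From address fails SPF still being delivered with a score of zero, which is the gap that scoring the From and Reply-To checks is meant to narrow.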