SPF (Sender Policy Framework) is an email authentication method that identifies which mail servers are allowed to send emails on behalf of your domain. I can forge an email header to pretend it has been sent from an address on your domain; this is called a spoofing attack. An SPF record contains information on only the mail servers that are allowed to send emails on behalf of your domain, and it prevents spammers like me from spoofing your domain. The receiving server does this by comparing the SPF record with the mail server information of the sender. If they don't match, the email is identified as unauthorized and is sent to spam or rejected completely.
How to Configure SPF to check Incoming Emails
By configuring SPF for checking incoming emails, you can reject incoming emails with no SPF record. In this section, we learn how to enable SPF to check incoming emails.
To set up SPF to check incoming emails, we use the CBPolicyd WebUI to create a new policy (to learn how to enable the WebUI, you can read Enabling CBPolicyD WebUI). To create a new policy, follow these steps:
- Create Group
  - Select Policies | Groups.
  - From Action, select add a group with the name list_domain.
  - Select the new group.
  - From Action, select members and insert your domain.
- Create Policy
  - Select Policies | Main.
  - Add Policy with the Name check-spf and Priority 20 and Submit.
  - Select the new policy.
  - From Action, select members and insert our group name in the Source and Destination.
- Create SPF Check
  - Select SPF Checks | Configure.
  - From Action, select Add and set the Name and Link to policy to check-spf, and others to Yes and Submit.
- Enable CBPolicyd checkspf and restart CBPolicyd service
    su - zimbra
    zmprov ms `zmhostname` zimbraCBPolicydCheckSPFEnabled TRUE
    zmcbpolicydctl restart