2

I’m administering a mail server (cPanel/WHM) running Exim. It normally handles a few hundred incoming emails per day for our customers.

I’m not sure if I should reject SPF and/or DKIM failures for incoming email. This obviously depends on the percentage of misconfigured mail servers out there.

What’s the recommended and best practice setup?

esc1729

3 Answers

2

I’m not sure if I should reject SPF and/or DKIM failures for incoming email

For SPF - depends on failure.

SOFT failure - no. That indicates that there is an error in the SPF or no SPF record.

HARD failure - yes. Because when the owner of the domain tells you that the sending server was not authorized, then yes, this is not authorized email and thus can be discarded.

TomTom
2

These are the rules I use:

  • Ignore any cases where SPF does not exist (SPF Unknown).
  • Reject on any SPF failures for HELO name. (The sending server must be able to send mail on its own behalf.)
  • Reject on any SPF failures for the address in the PTR record if it is different from the HELO name. (This should always be the same as the HELO name, but some legitimate servers don't get it right.)
  • Reject on hard SPF failure for envelope sender.

DKIM is so frequently mis-configured that I don't reject on it. Many signers don't publish their public key.

Both SPF and DKIM data are used in generating spam scores for messages that haven't been outright rejected.

BillThor
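The rule set in the answer above, written out as a decision function. This is an added example, not code from the answer's author: the function name, the reading of "any SPF failure" as fail or softfail, and the score weights are assumptions. Result names follow RFC 7208.

```python
from typing import NamedTuple

ANY_FAIL = {"fail", "softfail"}  # assumption: "any SPF failure" = hard or soft fail
# Hypothetical spam-score weights, chosen only for illustration.
SCORE = {("spf", "softfail"): 2.0, ("spf", "neutral"): 0.5, ("spf", "pass"): -0.5,
         ("dkim", "fail"): 1.0, ("dkim", "pass"): -0.5}


class Verdict(NamedTuple):
    action: str   # "reject" or "accept"
    reason: str
    score: float  # spam-score contribution, only meaningful for "accept"


def decide(helo, ptr, spf_helo, spf_ptr, spf_mailfrom, dkim):
    """Apply the SPF rules in order; DKIM only ever affects the score."""
    helo, ptr = helo.lower().rstrip("."), ptr.lower().rstrip(".")
    # Any SPF failure for the HELO name rejects.
    if spf_helo in ANY_FAIL:
        return Verdict("reject", f"SPF {spf_helo} for HELO {helo}", 0.0)
    # The PTR name is checked only when it differs from the HELO name.
    if ptr and ptr != helo and spf_ptr in ANY_FAIL:
        return Verdict("reject", f"SPF {spf_ptr} for PTR {ptr}", 0.0)
    # Only a hard fail rejects on the envelope sender.
    if spf_mailfrom == "fail":
        return Verdict("reject", "SPF fail for envelope sender", 0.0)
    # A missing record ("none") adds nothing; DKIM never causes a reject.
    score = SCORE.get(("spf", spf_mailfrom), 0.0) + SCORE.get(("dkim", dkim), 0.0)
    return Verdict("accept", "scored", score)


if __name__ == "__main__":
    # Constructed sample connections:
    # (helo, ptr, spf_helo, spf_ptr, spf_mailfrom, dkim)
    samples = [
        ("mx.example.org", "mx.example.org", "none", "none", "none", "none"),
        ("mx.example.org", "mx.example.org", "softfail", "none", "pass", "pass"),
        ("mx.example.org", "host7.example.net", "pass", "fail", "pass", "pass"),
        ("mx.example.org", "mx.example.org", "pass", "pass", "fail", "pass"),
        ("mx.example.org", "mx.example.org", "pass", "pass", "softfail", "fail"),
    ]
    for s in samples:
        print(s, "->", decide(*s))
```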
0

Below are a few must-have parameters for mail servers:

  • Mail server IP not on a blacklist
  • Mail server has MX and reverse DNS records
  • Must have SPF DNS records (many servers reject mail without a valid SPF, GMail)
  • Mail server's HELO response matches your hostname
  • Mail server is not an open relay
  • DNS records' TTL is not too low - 86400
  • Mail server should have Yahoo Domain Keys.