2012/03/23 by Jérôme Gays.
SFR incoming email authentication
With the growing strength of phishing campaigns, incoming message authentication has become an important issue for ISPs to protect their users.
Various standards exist to authentify outgoing email messages.
Since September 2011, SFR has decided to verify the authenticity of incoming emails according to SPF standard and might be thinking of an upcoming implementation of DKIM.
SPF standard allows domain owners to specify, with a DNS record, which are the authorized servers able to use their domain to send email messages.
Let see, with two practical examples, how SFR processes and filters incoming emails using SPF:
- For a start, lets try to send an email to SFR from the IP 18.104.22.168 with the domain dlnw01.com for which we set the following strict SPF record v=spf1 ip4:22.214.171.124 -allIt results in a delivery refusal because of the SPF hardfailed:
MAIL FROM:<firstname.lastname@example.org> 554 5.7.1 <email@example.com>: Sender address rejected: Please%see%http://spf.pobox.com/why.html?sender=dlnw%40dlnw01.com&ip=126.96.36.199&receiver=msfrf2207 : Reason: mechanism
- Now, lets try to send SFR an email from IP 188.8.131.52 and domain dlnw01.com with the following flexible SPF record setting v=spf1 ip4:184.108.40.206 ~allThe result is the delivery of the email in the spam box with the following header appearing in the header:
X-tag-spam: SPF SoftFail
To protect its identity, it is important for the advertiser to authentify its domains, but the example above shows that it is crucial to do it properly in order to avoid a connection rejection or a delivery in spam box.
In addition, even though authentication should ensure sender authenticity, emails are not guaranteed to get to the main reception box.