Quarantine emails that fail SPF and DKIM checks
This guide describes how to configure inbound routing rules to move failed messages to a dedicated quarantine folder.
To identify and isolate potentially spoofed emails, Hornbill recommends you use Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication. You can configure Hornbill to quarantine messages that fail authentication. This is useful for reducing the risk of a user accidentally clicking a malicious link or responding to a fraudulent request.
Email authentication overview
SPF and DKIM are protocols used to verify the sender’s identity and the integrity of the email.
- SPF: A DNS record that lists authorized sending IP addresses for a domain. Receiving servers compare the sender IP against this list.
- DKIM: A cryptographic signature in the email header. Receiving servers use a public key in the sender’s DNS to verify that the message was not altered during transit.
Quarantining messages that fail these checks protects against phishing, spam, and malware distribution while allowing administrators to recover legitimate emails that fail due to configuration issues, such as improper forwarding.
Before you begin
- Ensure you have administrative access to Platform Configuration.
- Verify that your domain has existing SPF and DKIM records.
- Identify the specific mailbox where you want to apply these rules.
Create a quarantine folder
Create a destination folder to house filtered emails.
- Navigate to Email > Inbox.
- Select the Add Folder icon (folder with a plus sign) next to the Folders label.
- In the Create Folder dialog, enter a name such as
Quarantine. - Select Create Folder.
Configure inbound routing rules
Set up the logic to detect authentication failures and route them to the new folder.
- Navigate to Configuration > Platform Configuration > Email > Inbound Routing Rules.
- Select + Add Rule.
- In the Rule Name field, enter
Quarantine. - In the Rule Expression field, enter the following logic to check for both SPF and DKIM failures:
(MESSAGE_HEADER('Authentication-results') LIKE '%spf=fail%') OR (MESSAGE_HEADER('Received-SPF') LIKE '%fail%') OR (MESSAGE_HEADER('Authentication-results') LIKE '%dkim=fail%') - In the Rule/Action dropdown, select Forward to Mailbox/Folder.
- In the Action section, select the target mailbox.
- In the Folder dropdown, select the
Quarantinefolder created previously. - Select Create Rule.
- Go back to the Inbound Routing Rules list to find the new rule.
- Move the new rule to Position 1 to ensure authentication checks occur before any other auto-responder or routing actions.
Expected result
Emails failing SPF or DKIM checks will now bypass the inbox and arrive in the Quarantine folder.
Technical considerations
Why quarantine instead of reject?
Strict rejection can lead to false positives. Legitimate emails may fail SPF if they are routed through intermediate servers or forwarders not listed in the sender’s SPF record. Quarantining allows admins to review and release these messages.
Combined authentication logic
The provided rule expression targets specific failure strings within the Authentication-results and Received-SPF headers.
- To check only SPF:
(MESSAGE_HEADER('Authentication-results') LIKE '%spf=fail%') OR (MESSAGE_HEADER('Received-SPF') LIKE '%fail%') - To check only DKIM:
(MESSAGE_HEADER('Authentication-results') LIKE '%dkim=fail%')
Too many quarantined emails?
If you find that your Quarantine routing rule results in a higher number of quarantined emails than expected, you may want to tailor the rule expression (e.g. use AND rather than OR). The appropriate configuration will depend on your internal risk tolerance, mail-flow design, and cybersecurity policies.
Further information
- For information on creating a new email domain for outbound mail, enabling DKIM, choosing an outbound routing mode, and performing an SPF test, see Email domains.
- For information on routing rules for inbound mail, see Inbound Routing Rules.