Quarantine emails that fail SPF checks and DKIM checks
- Article
- Thu Dec 11 2025
- 6 minutes to read
- 1 contributors
This article explains how to use Sender Policy Framework checks (SPF checks), a type of email authentication, to quarantine emails that are likely to be spoofing attempts. Email spoofing is when a sender’s email address is forged to make a message appear as if it came from a trusted source, such as a colleague or a recognized company.
Introduction
Enabling SPF checks and quarantining emails that fail these checks is a powerful way to protect your organization from a variety of email-based threats — including phishing, spam, and spoofing.
An SPF record is a line of text in a domain’s DNS settings that lists all the servers authorized to send emails on behalf of the domain, for example:
example.org. IN TXT "v=spf1 mx include:spf.protection.outlook.com include:_spf.hornbill.com -all"
When an email server receives a message, it performs an SPF check by looking up the SPF record from the sender’s domain. It then compares the sending server’s IP address to the list of authorized IP addresses in that record. If the IP address isn’t on the list, the SPF check fails, indicating a potential spoofing attempt.
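The lookup-and-compare step described above, as an added example (not Hornbill's code): a minimal evaluator for the record shown, handling only the mx, ip4, ip6, include and all mechanisms. The DNS table, every IP address and the contents of the two include targets are constructed so that it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS. All addresses are documentation ranges and the
# records behind the two include: targets are assumptions, not the real ones.
DNS = {
    ("TXT", "example.org"): "v=spf1 mx include:spf.protection.outlook.com "
                            "include:_spf.hornbill.com -all",
    ("MX", "example.org"): ["192.0.2.10"],  # addresses of the domain's MX hosts
    ("TXT", "spf.protection.outlook.com"): "v=spf1 ip4:198.51.100.0/24 -all",
    ("TXT", "_spf.hornbill.com"): "v=spf1 ip4:203.0.113.0/25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip against domain's record."""
    record = DNS.get(("TXT", domain))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # loop guard; a simplification of RFC 7208's lookup limit
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "pass"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = sender_ip in DNS.get(("MX", arg or domain), [])
        elif name == "include":
            # Only a "pass" from the included record counts as a match.
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue  # mechanisms and modifiers not modelled here
        if matched:
            return qualifier
    return "neutral"  # no mechanism matched and the record has no "all"
```

An address that matches none of the listed sources reaches the final `-all` and returns `fail`, which is the result the quarantine rule below looks for.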
Quarantining emails that fail SPF checks provides a crucial layer of security. Instead of delivering these potentially malicious emails to a user’s inbox, they’re held in a separate, secure location. This action prevents a number of threats:
- Phishing attacks. Phishing emails often use a spoofed sender address to trick recipients into revealing sensitive information. By quarantining emails that fail SPF checks, you can stop these fraudulent messages from ever reaching your users, drastically reducing the risk of a successful phishing attack.
- Spam. Spammers frequently use spoofed sender addresses to bypass filters. Since a legitimate SPF record is difficult for a spammer to forge, failing an SPF check is a strong indicator of spam. Quarantining these emails helps keep junk mail out of inboxes.
- Malware distribution. Many malware and ransomware attacks are initiated via email attachments. By blocking spoofed emails, you prevent users from accidentally opening a malicious attachment from what appears to be a trusted source.
Enabling Quarantine
To quarantine suspicious emails, you’ll first create a new folder in your mailbox. Then you’ll add an inbound routing rule.
To create a Quarantine folder:
- Navigate to Email > Inbox.
- Click the button that has a folder and a plus sign (to the right of Folders).
- In the Create Folder dialog, give the new folder a name (e.g. Quarantine).
- Click Create Folder.
To quarantine suspicious emails:
- Navigate to Configuration > Platform Configuration > Email > Inbound Routing Rules.
- Click + Add Rule and give the new rule a name, such as Quarantine.
- In the Rule Expression field, paste the following:
(MESSAGE_HEADER('Authentication-results') LIKE '%spf=fail%') or (MESSAGE_HEADER('Received-SPF') LIKE '%fail%')
- In the Rule/Action dropdown, select Forward to Mailbox/Folder and choose (and if required create) an appropriate folder such as Quarantine.
- In the Action section, in the Mailbox dropdown, select the mailbox you are applying the new rule to.
- In the Folder dropdown, select the folder you created for quarantining emails.
- Click Create Rule.

Important
Placing this rule at the top of the routing-rules list (Position 1) ensures all emails that fail the SPF check will go to the quarantine folder and not be used for any other email auto-responder actions. For more detail on the importance of positioning of rules, see the doc about ordering in the routing rule list.
Does SPF protect against all email threats?
No, SPF is an excellent first line of defense, but it’s not a complete solution. It’s most effective against sender address spoofing, but it doesn’t protect against all forms of email fraud. For comprehensive email security, SPF should be used in conjunction with other authentication protocols like DKIM (DomainKeys Identified Mail).
What is DKIM and how does it work?
DKIM (DomainKeys Identified Mail) is a method of email authentication that uses digital signatures to verify the authenticity and integrity of a message. It helps to ensure that an email was not altered in transit and that it genuinely came from the domain it claims to be from.
DKIM uses a cryptographic key pair: a private key and a public key.
- The private key. The sender’s email server uses a private key to generate a unique digital signature for each outgoing email. This signature is added to the email’s header. The private key is kept secret and is only accessible to the sending server.
- The public key. The corresponding public key is published in the sending domain’s DNS as a TXT record.
- Verification. When a recipient’s email server receives a message, it sees the DKIM signature in the header. It then looks up the public key in the sender’s DNS record and uses it to verify the signature against a hash that the receiving server computes from the email’s content. If they match, the DKIM check passes. This proves that the message has not been tampered with and was sent from a server authorized by the domain owner.
These protocols work together to provide a robust defense against email-based attacks. You can also add rules based on these headers to quarantine emails that fail DKIM checks, using the following:
(MESSAGE_HEADER('Authentication-results') LIKE '%dkim=fail%')
A combined check for SPF and DKIM would therefore be the following:
(MESSAGE_HEADER('Authentication-results') LIKE '%spf=fail%') or
(MESSAGE_HEADER('Received-SPF') LIKE '%fail%') or
(MESSAGE_HEADER('Authentication-results') LIKE '%dkim=fail%')
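To see which messages the combined expression would catch before placing the rule at Position 1, the following added example (not Hornbill's code) emulates it over constructed headers. It assumes LIKE behaves like SQL LIKE with % as the only wildcard and compares case-insensitively, which the page does not state; host names and addresses are placeholders.

```python
import re

def like(value, pattern):
    """SQL-style LIKE: % matches any run of characters (assumed case-insensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def quarantined(headers):
    """Apply the page's combined SPF/DKIM rule expression to a dict of headers."""
    h = {name.lower(): value for name, value in headers.items()}
    auth = h.get("authentication-results", "")
    received_spf = h.get("received-spf", "")
    return (like(auth, "%spf=fail%")
            or like(received_spf, "%fail%")
            or like(auth, "%dkim=fail%"))

# Constructed sample messages; none of these values come from real mail.
SAMPLES = {
    "all_pass": {
        "Authentication-Results": "mx.example.net; spf=pass "
            "smtp.mailfrom=example.org; dkim=pass header.d=example.org",
        "Received-SPF": "pass (mx.example.net: domain of example.org "
            "designates 192.0.2.10 as permitted sender)",
    },
    "spf_fail": {
        "Authentication-Results": "mx.example.net; spf=fail "
            "smtp.mailfrom=example.org; dkim=none",
    },
    "dkim_fail": {
        "Authentication-Results": "mx.example.net; spf=pass "
            "smtp.mailfrom=example.org; dkim=fail header.d=example.org",
    },
    # softfail is matched only when a Received-SPF header is present,
    # because '%fail%' also matches the word "softfail".
    "softfail_with_received_spf": {
        "Authentication-Results": "mx.example.net; spf=softfail "
            "smtp.mailfrom=example.org",
        "Received-SPF": "softfail (mx.example.net: domain of example.org "
            "does not designate 203.0.113.200 as permitted sender)",
    },
    "softfail_auth_results_only": {
        "Authentication-Results": "mx.example.net; spf=softfail "
            "smtp.mailfrom=example.org",
    },
}

def evaluate_samples():
    return {name: quarantined(headers) for name, headers in SAMPLES.items()}
```

The two softfail samples land differently depending on which header the receiving server stamps, so check which headers your inbound mail actually carries when reviewing what reaches the Quarantine folder.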
Why not just reject emails that fail SPF or DKIM, rather than quarantining them?
While outright rejecting emails that fail an SPF or DKIM check is an option, it’s generally not the recommended approach. A few scenarios can lead to a legitimate email failing an SPF or DKIM check, such as when it’s forwarded through an intermediate server that’s not listed in the original sender’s SPF record.
Each Hornbill instance may wish to use different levels of checks and even each mailbox on any given instance can have different requirements. Quarantining these emails via rules allows an administrator to review them and release the legitimate ones, preventing the loss of important communications. Rejecting them outright means the email is simply lost, and the sender may not be notified.
Further information
- For information on creating a new email domain for outbound mail, enabling DKIM, choosing an outbound routing mode, and performing an SPF test, see Email domains.
- For information on routing rules for inbound mail, see Inbound Routing Rules.