SPF validation & content filter

Per Tenggren
Level 1

Hi all,

I've configured a content filter looking at the SPF, and if the status equals fail the message will be dropped; according to the documentation, only the PRA identity result is checked. My concern is that messages got dropped if the MAILFROM identity result is fail. Has anything changed recently in the ESA or is the documentation incorrect?

Content filter:

Output from message details:

27 Oct 2016 08:27:57 (GMT +02:00) Message 50819 SPF: mailfrom identity prvs=10164049c=user@mydomain.com Fail
27 Oct 2016 08:27:57 (GMT +02:00) Message 50819 SPF: pra identity user@mydomain.com None headers from
27 Oct 2016 08:27:57 (GMT +02:00) Message 50819 dropped by content filter 'SPF-Fail' in the inbound table.

/Per

2 Accepted Solutions

exMSW4319
Level 3

When testing any SPF rule don't take an irrevocable action like Drop; instead, put the items in a quarantine or even deliver if there are no other problems and take a copy yourself for analysis.

Remember that there are lots of organisations out there implementing Office 365 badly (they don't even read or understand Microsoft's own advisories on SPF). A number of your SPF HARDFAILs will be false positives, with the sending SPF record reading v=spf1 include:spf.protection.outlook.com -all when the mail is really from an overlooked back office system or third party that pre-dates the implementation.

Once you have an idea of how SPF can help you, you can set up a more automated system.

dmccabej
Cisco Employee

Hello Per,

There is a defect where in older AsyncOS versions the Mail-From SPF validation is not checked via the Content Filter, and would have to be set up via a Message Filter.

Starting with AsyncOS 9.7.2-047 this has been fixed and the Content Filter should now properly trigger on the Mail-From verdict.

More info on the bug here: Content Filter will not trigger on SPF Verdict

Thanks!

-Dennis M.
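
To see which identity's SPF verdict accounts for each drop, the tracking lines can be tabulated per message. This is an added example, not part of the original thread and not Cisco code; it assumes the log format quoted in the question, and messages 50820 and 50821 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Message 50819 copies the lines quoted in the question; 50820 and 50821
# are constructed in the same format for illustration.
SAMPLE = """\
27 Oct 2016 08:27:57 (GMT +02:00) Message 50819 SPF: mailfrom identity prvs=10164049c=user@mydomain.com Fail
27 Oct 2016 08:27:57 (GMT +02:00) Message 50819 SPF: pra identity user@mydomain.com None headers from
27 Oct 2016 08:27:57 (GMT +02:00) Message 50819 dropped by content filter 'SPF-Fail' in the inbound table.
27 Oct 2016 08:31:02 (GMT +02:00) Message 50820 SPF: mailfrom identity bounce@example.net Pass
27 Oct 2016 08:31:02 (GMT +02:00) Message 50820 SPF: pra identity ceo@example.org Fail headers from
27 Oct 2016 08:31:02 (GMT +02:00) Message 50820 dropped by content filter 'SPF-Fail' in the inbound table.
27 Oct 2016 08:40:15 (GMT +02:00) Message 50821 SPF: mailfrom identity news@example.com Pass
27 Oct 2016 08:40:15 (GMT +02:00) Message 50821 SPF: pra identity news@example.com Pass headers from
"""

SPF_RE = re.compile(r"Message (\d+) SPF: (\w+) identity (\S+) (\w+)")
DROP_RE = re.compile(r"Message (\d+) dropped by content filter '([^']+)'")


def explain_drops(log_text):
    """Map each dropped message ID to the filter name and per-identity SPF verdicts."""
    verdicts = defaultdict(dict)   # MID -> {identity: verdict}
    drops = {}                     # MID -> content filter name
    for line in log_text.splitlines():
        spf = SPF_RE.search(line)
        if spf:
            mid, identity, _address, verdict = spf.groups()
            verdicts[mid][identity.lower()] = verdict
            continue
        drop = DROP_RE.search(line)
        if drop:
            drops[drop.group(1)] = drop.group(2)
    report = {}
    for mid, filter_name in drops.items():
        seen = verdicts.get(mid, {})
        failed = sorted(i for i, v in seen.items() if v == "Fail")
        report[mid] = {"filter": filter_name, "verdicts": dict(seen), "failed_identities": failed}
    return report


def mailfrom_only_drops(log_text):
    """Dropped messages where MAIL FROM failed but PRA did not."""
    return sorted(mid for mid, info in explain_drops(log_text).items()
                  if info["failed_identities"] == ["mailfrom"])


if __name__ == "__main__":
    for mid, info in explain_drops(SAMPLE).items():
        print(mid, info["filter"], info["verdicts"], "failed:", info["failed_identities"])
```

Messages returned by `mailfrom_only_drops` are the ones whose drop cannot be explained by the PRA verdict, which is the case raised in the question.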

Thanks, Dennis, for the clarification; then it makes sense why the messages got dropped.

You're very welcome! I'm glad I could help! :)

Thanks!

-Dennis M.

Per Tenggren
Level 1

[NOT THE CORRECT ANSWER]