How to add SPF support to your Exchange Server

Sender Policy Framework (SPF), formerly Sender Permitted From, is an extension to the  SMTP standard. SPF makes it easy to counter most forged “From” addresses in email, and thus helps to counter e-mail spam. The combination is also called SMTP+SPF. SPF was originally designed by Meng Weng of POBOX. You can read more about POBOX here.

For more information about SPF, click here to read my article; for general information about GFI MailEssentials 10.1 and it’s SPF integration click here.

GFI MailEssentials Product Page: Click here

GFI MailEssentials Download Page: Click here

Note:
Before we start to install GFI MailEssentials and to configure the SPF option, I will give you some information about how SPF works.

How does SPF work?

SPF is easy to understand. The “Internet” uses DNS (Domain Name System) to resolve Domain Names (as an example www.msexchange.org) into IP addresses. DNS is also used to direct requests for different services like e-mail and Web Servers. For every Domain around the world an MX (Mail Exchanger) record must exist. An MX record tells the e-mail sender where the target server for receiving mail is located.

SPF is publishing “reverse MX” records in DNS which tells the mail sender which machines send mail from the domain.

The recipient of the e-mail can now check these records to ensure that e-mail is coming from a “trusted” sender from this domain.

These “reverse MX” records can be easily published in DNS. It takes only one line in DNS to fullfil all requirements.

System requirements

GFI recommends the following when you install GFI MailEssentials on the Exchange 2000/2003 machine:

  • Windows 2000/2003 Server or Advanced/Enterprise Server
  • Microsoft Exchange 2000/2003
  • Microsoft XML core service (when you want to use the GFI MailEssentials reporter)

GFI recommends the following when you install GFI MailEssentials on a separate machine:

  • Windows 2000/XP Professional (only up to 10 inbound SMTP connections simultaneously), Windows 2000/2003 Server or Advanced/Enterprise Server
  • IIS5 SMTP service installed and running as an SMTP relay to your mail server.
  • Microsoft Exchange 4, 5, 5.5, 2000 oder 2003, Lotus Notes 4.5 and higher, or an SMTP/POP3 mail server.
  • GFI MailEssentials must be the first server to receive e-mails. I will tell you why later in this article.

Note:
For both deployment methods you MUST disable Anti Virus software from scanning the GFI MailEssentials & IIS directories.

Installation

First, we need to download a trial version of GFI MailEssentials from the GFI website. The download size is about 17.5 MB. You can use the trial version for 30 days. After that time, the software becomes a limited freeware version, unless you enter a 60-day eval key or the purchased license key.

After downloading, start the setup by doubleclicking mailesentials101.exe and follow the setup instructions. The configuration of GFI MailEssentials 10.1 is not included in this article.

Note:
GFI MailEssentials will need to start & stop the Exchange services during installation.


Figure 1: Start the installation of GFI MailEssentials

You have two options for installing GFI MailEssentials:

  • Installing GFI MailEssentials on the Exchange server 2000/2003 machine
  • Installing GFI MailEssentials on a seperate machine

Installing GFI MailEssentials on the Exchange server 2000/2003 machine

This is the easiest deployment method. Simply start the setup process and follow the setup instructions. This method is good  for small and medium sized organizations which don’t have a large server infrastructure with Front-end and Back-end servers and a complex firewall/DMZ infrastructure. GFI recommends this installation method when you use Exchange 2000/2003.

Installing GFI MailEssentials on a separate machine

If you wish to separate the MailEssentials installation from the Exchange machine, you can install the software on a separate machine. You should prefer this installation method when you want to place the MailEssentials software on a server in your DMZ and to setup the MailEssential Server as a smart host / Mail relay server.

SPF configuration

My focus in this article is the configuration of the Sender Policy Framework settings on the GFI MailEssentials machine.

Note:
SPF will only function correctly when the machine is configured to receive e-mails directly from the Internet. If you have a configuration where e-mails arriving are beeing relayed through another smart host then the SPF checks will fail.

For more information read the following GFI knowledge base article.

Start the GFI MailEssentials SPF configuration by right clicking the “Sender Policy Framework” container – and click “Properties”.


Figure 2: Start configuring the Sender Policy Framework settings

First, we have to setup the SPF Block level which defines how SPF should detect e-mails with forged senders. GFI recommends to set the level to “medium”.

Explanation of the four levels:

Never
This setting doesn’t block any messages. When you select this option SPF tests are not done for incoming e-mails.

Low
This setting blocks e-mails which are determined to have a forged sender.

Medium
The “medium” setting blocks e-mails which appear to have a forged sender. Choose this option when you want SPF to treat any messages that appear to have a forged sender as spam.

High
Blocks any message which is not proven to be from the sender. The “High” setting will treat all e-mails as spam with one execption: If it can be proven that the sender is not forged. GFI doesn’t recommend enabling this setting because the majority of mail servers today don’t have an SPF record.


Figure 3: SPF Block level settings

The “Exceptions” field allows you to configure any IP addresses and recipients that should be excluded from SPF checks. This setting is useful when you want to allow special IP addresses and recipients which shouldn’t be blocked.


Figure 4: SPF exceptions settings

The Trusted Forwarder Global Whitelist (www.trusted-forwarder.org) provides a global whitelist for SPF users. This setting is useful because it provides a solution to allow legitimate email that is sent through well known and trusted e-mail forwarders from being blocked by SPF. This setting is enabled by default. GFI recommends always leaving this option enabled.

The “Actions” container allows you to configure the action to perform when a spam e-mail is detected. If you are using Exchange 2003, I recommend selecting “Move to user’s junk mail folder (Exchange 2003 only)”. With this setting enabled, GFI MailEssentials forwards the spam mails to the user’s junk mail folder. You have to activate this feature manually on the Exchange server. For more information about Exchange servers IMF options, read the following article written by Henrik Walther.


Figure 5: SPF Action settings

The last option is configuring the logging of SPF settings.


Figure 6: SPF Log settings

Conclusion

GFI MailEssentials 10.1 is a great solution to fight against spam and one of the first vendors with SPF support. I love the product because GFI offers the SPF addon as freeware.

Related Links

General information about GFI
http://www.gfi.com/mes

GFI MailEssentials Download Link
http://www.gfi.com/downloads/downloads.asp?pid=11&lid=1

News about GFI MailEssentials 10.1
http://www.gfi.com/news/en/mes101launch.htm

SPF in general
http://spf.pobox.com

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top