Enable SPF

[KristianT]

Hello,

We have added the SPF check to our servers. However we have some issues in regards to spamfilters and forwarded emails.
Whenever a domain is using a spamfilter like spamtitan.com or spamfilter.cc the emails are stopped, even tho they are legitimate emails. This is logical and SPF is working fine in theese instances. The spamfilters are not listed in the sending domains SPF record, and when the spamfilter is sending this email to our server, it gets rejected. We have the same issue when email is forwarded from one address to another. It's the same issue here really.

To combat this, we have whitelisted some spamfilters and other mailservers. Is this the only way of dealing with this issue? How are you guys doing this? It's a hassle to try and keep up and whitelist every spamfilter or mailserver of any forwarded address our customers are using. We would like to utilize the benefits of using the SPF checks. But would like our customers to be free to use external spamfilters and forwarding of emails.

Any suggestions?

 

[cPanelMichael]

To combat this, we have whitelisted some spamfilters and other mailservers. Is this the only way of dealing with this issue? How are you guys doing this? It's a hassle to try and keep up and whitelist every spamfilter or mailserver of any forwarded address our customers are using. We would like to utilize the benefits of using the SPF checks. But would like our customers to be free to use external spamfilters and forwarding of emails.

Hello,

Per the cPanel 58 Release Notes, the "Reject SPF failures" option is now always enabled through SpamAssassin, and the option is removed from WHM's Exim Configuration Manager - Basic Editor interface (WHM Home >> Service Configuration >> Exim Configuration Manager).

You can use the following command to verify if you have manually enabled the SPF check in Exim:

grep spf /etc/exim.conf.localopts /etc/exim.conf

You will see the following output if it's manually enabled:

/etc/exim.conf.localopts:acl_spf_bl=1

If it is, you can browse to "WHM >> Exim Configuration Manager >> Advanced Editor" and then search/uncheck this entry:

spf_bl

This will allow SpamAssassin to handle the SPF verification process.

Thank you.

 

[KristianT]

Thank you for replying cPanelMichael!

However, after reading your reply, i am not sure that we understand each other. The problem is not with our spamfilter. The problem is when an email is forwarded through any other random spamfilter out of our control. Or when an email is simply forwarded from one address to another.

I'll try to paint a scenario for you:
exampledomain.com is hosted on our cpanel server, and are using a MX record to some spamfilter out of our control. When [email protected] (not our customer) sends email to [email protected], this email is delivered to the external spamfilter. This spamfilter then does its thing, and if everything is fine, it relays the email to our cPanel server where exampledomain.com is hosted. Our cPanel server is set up to check SPF records, and finds that anotherdomain.com has an SPF record and that the external spamfilter is is not listed in this SPF record. Our server then naturally rejects the mail. Since we cannot change the SPF record of anotherdomain.com, nor have any access to the external spamfilter, we usually add the external spamfilters to the /etc/trustedmailhosts file, so that the spf check is ignored.

This is ofcourse a hassle to track and keep updated, and not the preferred method to handle this issue. Have you any other suggestions of how to deal with this? We would like to utilize the advantages of the SPF check, but would also like our customers to be able to use any external spamfilters that they choose.

 

[cPanelMichael]

Our cPanel server is set up to check SPF records, and finds that anotherdomain.com has an SPF record and that the external spamfilter is is not listed in this SPF record. Our server then naturally rejects the mail. Since we cannot change the SPF record of anotherdomain.com, nor have any access to the external spamfilter, we usually add the external spamfilters to the /etc/trustedmailhosts file, so that the spf check is ignored.

This is ofcourse a hassle to track and keep updated, and not the preferred method to handle this issue. Have you any other suggestions of how to deal with this? We would like to utilize the advantages of the SPF check, but would also like our customers to be able to use any external spamfilters that they choose.

Hello @KristianT,

Thanks for the detailed explanation! You mentioned not having access to the external spam filtering server. Do you have access to change any settings for your account with that service? For instance, you mentioned SpamTitan, which has instructions on enabling SPF checking at:

SPF : SpamTitan Technical Support

You could then disable SPF checking on the cPanel server, since the remote mail server would handle the verification.

Thank you.

 

[KristianT]

Thanks for replying,

We do not have access to the external spam filtering server. Our customer probably do though. However, this would not help our case. The email is delivered fine to the spam filter. It's when the spam filter relays the email to our server we get the issue. Our server then sees the email coming from the spam filter, and not from the original mail server. Hence, the failed spf check. Our server is a shared hosting server, and not every customer is using an external spam filter. We cannot disable the SPF check on the entire server, due to this customer only.

 

[cPanelMichael]

Our server is a shared hosting server, and not every customer is using an external spam filter. We cannot disable the SPF check on the entire server, due to this customer only.

Hello,

You can utilize the "whitelist_from_spf" configuration option with SpamAssassin if you want to whitelist a specific domain name from SPF verification:

Mail::SpamAssassin::Plugin::SPF - perform SPF verification tests

Information on customizing SpamAssassin is available on the following thread:

Customize SpamAssassin score

Thank you.