Learning better SPF protection schemes

Server Pros

Active Member
Nov 27, 2015
39
3
8
Los Angeles, CA
cPanel Access Level
Root Administrator
I have been experimenting with SPF records to improve SPAM protection. I'm having a specific problem with emails that I have sent to a large system when a couple of months later after sending to them I get a message back through cPanel with a Norton removal notice, using the recipients REPLY-TO address as the sender (an easy hack, I know after 20 years), mumbo jumbo as part of the message and clearly a template containing {FRIEND:FORM} FRIEND:EMAIL} etc. The larger company swears that their system is correct but when I run a mail test and general DNS test I get a 100%. I pass an EICAR Anti-Virus test.

My SPF records are the default for my server are clear:

v=spf1 +a +mx +ip4:{my server IP} ~all

I have a default DKIM record.


But the other side is way more than I know.

rimsd.example.com. 21599 IN TXT "v=spf1 a:email.rimsd.example.com a:cmail2.sbcss.example.com a:cmail4.sbcss.example.com a:bnfilter1.sbcss.example.com a:bnfilter2.sbcss.example.com include:spf.protection.outlook.com ~all"

I'm like, what????

So the question is, 1) Do I need to improve since I'm clearly getting mail harvested on one end or the other and sent back to me, and 2) what should my SPF/DKIM records be changed to. I use the defaults.

Thanks in advance. I'm coming from PLesk v8.x through 17.5.x and stuff has changed
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello @easyprosys,

Setting up a SPF records for your domains ensures that remote mail servers can use SPF verification as a means of ensuring emails from your domains are coming from a trusted sender.

SPF verification for incoming email (e.g. emails sent from remote servers to your cPanel & WHM server) is handled through the SpamAssassin. If SpamAssassin is enabled for your cPanel accounts and is not aggressive enough to detect a spoofed email, consider enabling features such as DKIM checking and Greylisting for additional protection. For DKIM verification, the following options are available under the ACL Options tab in WHM >> Exim Configuration Manager >> Basic Editor:

Allow DKIM verification for incoming messages
Reject DKIM failures


Greylisting is enabled through WHM >> Mail >> Greylisting.

Let me know if you have any questions.

Thank you.