Categories: Google Apps Premier Edition / Postini :

SPF Hard Fails and Whitelist

Showing 1-5 of 5 messages
SPF Hard Fails and Whitelist Andy Serwatuk 5/30/12 11:53 AM
There's a company we deal with on a regular basis... and their IT team has this fun habit of adding mail servers but not adding them to the SPF records.
This causes a hard fail on the SPF check.
If I whitelist the domain, it still gets quarantined.
Is there a way around this? A way I can whitelist a domain to ignore SPF failures?

I realize it's a bad idea... I just want to say with absolute certainty that I have no workaround.

thanks,
Andy
Re: SPF Hard Fails and Whitelist JMINATL 6/5/12 9:53 AM
(Same issue)
 
I put in an information request ticket before implementing SPF and was told that the Approved Sender list would bypass SPF failure.  This was perfect since it meant there was no need to change process (user/service desk could continue to whitelist items caught in spam filter.)
 
When I implemented SPF for one of our companies, Adding it to the Approved Senders list (at Org or User level) did not bypass the SPF check and emails were quarantined anyway.   I have an open ticket on this - during which I was again told that the Approved Sender list would bypass the SPF check :-)  
 
I owe Postini support an example I've been meaning to get to the past few days on the problem, but I'll have to UN-fix one of the domains and delay some real mail to get it for them :-\    (Why the one I left in quarantine isn't good enough...I still don't get...)
 
There is a workaround
 
But it isn't as nice as the approved sender list since it has to be done by your Postini admins, not users.  

Go to the RPF tab on the email config.   Add the failing domain, Check the SPF box, set the response to "Pass - Skip IP Lock test" for Fail and SoftFail, Click 'Save' at the bottom.   The bad SPF emails should start being delivered.   SPF failures to other domains will still be quarantined.
 
On the bright side, there aren't that many domains out there with bad SPF information. I've only seen a handful in a couple of weeks coming into a pretty large company so you can do this yourself while Postini hopefully fixes this.
Re: SPF Hard Fails and Whitelist JMINATL 6/11/12 6:42 AM
Just an update: We were migrated from S7 to S9 a few years back.  Our MX records remained pointing at S7 however. 

Support indicates that this is why the Approved Sender list isn't working properly for SPF and we need to adjust them to point to S9.   I've adjusted our MX records and will test this week whether this resolves the issue.


Re: SPF Hard Fails and Whitelist JMINATL 6/14/12 5:03 AM
I just got a report that this resolved an issue a user had with an invalid SPF record being blocked.  After adding the sender to the Approved Senders list of the user, the block is no longer occurring.  It might be coincidental if the sender just fixed their SPF record, but barring that or an incorrect report, it does sound like adjusting our MX record to point the correct Postini system resolved the issue.
Re: SPF Hard Fails and Whitelist Andy Serwatuk 6/18/12 5:28 AM
We've always been pointed at the S9 servers.
So, that's not a fix for me unfortunately.