Many spam emails are sent from a fake sender email address. Checking “email policy” records is used to filter such messages.
The check verifies whether the IP address of the remote SMTP server is authorized to send email for the specified domain. Spammers thus have to use their real addresses, and unsolicited email can be recognized quickly using different blacklists.
There are two similar technologies available for performing the “email policy” records check in Kerio MailServer. The first one is Caller ID, created by Microsoft; the other is a project named SPF (Sender Policy Framework). Both technologies provide explicit verification of message senders. For this verification, the IP addresses of the SMTP servers that send mail from a specific domain are published. For each domain that supports at least one of the above technologies, a TXT record is stored in DNS with a list of IP addresses that send email from that domain. Kerio MailServer then compares the IP address of the SMTP server with the IP addresses contained in this DNS record. This method guarantees verification of the sender's trustworthiness for each message. If the DNS record does not contain the IP address the message was sent from, the message has a falsified address and is considered spam. This way, it is quite easy to distinguish whether a message is spam or not.
Messages received from a server that has no IP address list in the DNS record will always be delivered. For the “email policy” purposes, these emails will not be considered.
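The comparison described above, sketched for SPF as an added example (it is not Kerio MailServer code). The sample TXT records, the function names, and the choice to treat only a hard `fail` as invalid are assumptions; only the `ip4`, `ip6` and `all` terms are evaluated, because other mechanisms need further DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (documentation address ranges only).
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "example.net": ["v=spf1 ip4:198.51.100.25 ~all"],
    "example.org": ["unrelated text record"],  # publishes no SPF policy
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, domain, txt=SAMPLE_TXT):
    """Evaluate the domain's SPF record against the connecting IP (ip4/ip6/all only)."""
    records = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"        # no IP address list published for this domain
    if len(records) > 1:
        return "permerror"   # a domain must not publish several SPF records
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"  # a, mx, include, ... need further DNS lookups
        try:
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        except ValueError:
            return "permerror"    # malformed network in the record
    return "neutral"              # nothing matched and no "all" term


def handle_message(client_ip, sender_domain, exempt=(), block=False, score=2):
    """Map the result to the actions described on this page: (action, points, reason)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in exempt):
        return ("deliver", 0, "not checked")  # trusted relay or backup server
    result = spf_result(client_ip, sender_domain)
    if result != "fail":      # assumption: only a hard fail counts as invalid
        return ("deliver", 0, result)
    if block:
        return ("reject", 0, result)          # refused at SMTP level
    return ("deliver", score, result)         # logged and added to the spam score
```

A domain without a policy (`example.org` in the sample data) yields `none` and is delivered without any score, which matches the behaviour described for servers with no IP address list in DNS.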
To set Caller ID and SPF in Kerio MailServer, use the Caller ID and SPF tabs.
SPF and Caller ID can be applied only to email delivered by SMTP. If email is downloaded from the domain mailbox using the POP3 protocol, email policy logs will not work.
The Caller ID tab enables users to configure basic settings:
This option enables/disables Caller ID.
On the Relay Control tab in the SMTP server section, it is possible to define a group of trustworthy IP addresses. Caller ID will not be checked in case of messages sent from trustworthy IP addresses (for details, see chapter 12.2 SMTP server).
All messages of this type will be logged to the Security log. Messages with invalid Caller ID will be delivered to the addressee.
Messages with an invalid Caller ID will be blocked at the SMTP level. Senders are informed that their message cannot be delivered.
The value set here will be added to the message's total score (see section 13.1 Spam Rating tab).
For the Caller ID method, it is recommended to use a value from 1 to 3 points.
Currently the Caller ID technology has not been widely adopted. Therefore, it is often used by domains in testing mode only (the XML script's header in the corresponding DNS record includes the testing flag). For this reason, we recommend enabling this option. If the option is not enabled, the configuration will not be considered (as if the DNS record does not include the appropriate XML script).
With this option enabled, do not set the Block the message option for messages with an invalid Caller ID.
Use this option especially for specifying backup servers. If a message is sent through a backup server, the IP address of the server does not match the ones allowed for the domain. Therefore the messages from these addresses should not be checked.
To guarantee full functionality of Caller ID, do not set any other servers than the backup ones as those not to be checked.
Click the link to Kerio Technologies web pages where the email policy DNS record for a domain can be checked.
For detailed instructions on proper configuration of DNS entry settings for Caller ID, see the official Microsoft web pages.
SPF is an open source equivalent to Microsoft's Caller ID. Both technologies can be used simultaneously in Kerio MailServer.
In the SPF tab, the following options are available:
Enable/disable use of SPF.
On the Relay Control tab in the SMTP server section, it is possible to define a group of trustworthy IP addresses. SPF check will not be applied to messages sent from trustworthy IP addresses (for details, see chapter 12.2 SMTP server).
Messages with an invalid SPF record will only be added to the Security log.
Messages with an invalid SPF record will be blocked at the SMTP level. Senders are informed that their message cannot be delivered.
The value set here will be added to the message's total score (see section 13.1 Spam Rating tab).
For the SPF method, it is recommended to use a value from 1 to 3 points.
Use this option especially for specifying backup servers. If a message is sent through a backup server, the IP address of the server does not match the ones allowed for the domain. Therefore the messages from these addresses should not be checked.
To guarantee full functionality of SPF, do not set any other servers than the backup ones as those not to be checked.
Details about the SPF check are displayed in the Debug log, after the appropriate settings are specified (for more information, see chapter 25.9 Debug log).