13.5  Email policy records check

Many spam emails are sent from a forged sender address. Checking “email policy” records helps filter such messages.

The check verifies whether the IP address of the remote SMTP server is authorized to send email for the domain specified. Spammers thus have to use their real addresses, and unsolicited email can then be recognized quickly using various blacklists.

There are two similar technologies available for performing the “email policy” records check in Kerio MailServer. The first is Caller ID, created by Microsoft; the other is a project named SPF (Sender Policy Framework). Both technologies provide explicit verification of message senders. For this verification, the IP addresses of the SMTP servers that send mail from a specific domain are published: each domain that supports at least one of these technologies stores a TXT record in DNS listing the IP addresses that send email from that domain. Kerio MailServer then compares the IP address of the sending SMTP server with the IP addresses contained in this DNS record. This method guarantees verification of the sender's trustworthiness for each message. If the DNS record does not contain the IP address the message was sent from, the message has a falsified sender address and is considered spam. This makes it easy to distinguish whether a message is spam or not.

Messages received from a server that has no IP address list in the DNS record will always be delivered. These emails are not considered for “email policy” purposes.

To set up Caller ID and SPF in Kerio MailServer, use the Caller ID (Spam filter → Caller ID) and SPF (Spam filter → SPF) tabs.

Warning

SPF and Caller ID can be applied only to email delivered by SMTP. If email is downloaded from the domain mailbox using the POP3 protocol, email policy logs will not work.

Caller ID

The Caller ID tab enables users to configure basic settings:

Figure 13.7. Caller ID tab


Check the Caller ID of every incoming message

This option enables/disables Caller ID.

On the Relay Control tab in the SMTP server section, it is possible to define a group of trustworthy IP addresses. Caller ID is not checked for messages sent from trustworthy IP addresses (for details, see chapter 12.2  SMTP server).

Only log this to the Security log

All messages with an invalid Caller ID will be logged to the Security log. These messages will still be delivered to the addressee.

Block the message

Messages with an invalid Caller ID will be blocked at the SMTP level. Senders are informed that their message cannot be delivered.

Add this value to the message's spam score

The value set here will be added to the message's total score (see section 13.1  Spam Rating tab).

For the Caller ID method, a value from 1 to 3 points is recommended.

Apply this policy also to testing Caller ID records

Currently, the Caller ID technology has not been widely adopted. Therefore, domains often use it in testing mode only (the XML script's header in the corresponding DNS record includes the testing flag). For this reason, we recommend enabling this option. If the option is not enabled, the configuration will not be considered (as if the DNS record did not include the appropriate XML script).

Warning

With this option enabled, do not set the Block the message option for messages with an invalid Caller ID.

Don't check Caller ID from...

Use this option especially for specifying backup servers. If a message is sent through a backup server, the IP address of the server does not match the ones allowed for the domain. Therefore the messages from these addresses should not be checked.

Warning

To guarantee full functionality of Caller ID, exclude only backup servers from the check; do not add any other servers to this group.

Check my email policy DNS records

Click the link to Kerio Technologies web pages where the email policy DNS record for a domain can be checked.

For detailed instructions on proper configuration of DNS entry settings for Caller ID, see the official Microsoft web pages.

SPF

SPF is an open-source equivalent of Microsoft's Caller ID. Both technologies can be used simultaneously in Kerio MailServer.

Figure 13.8. SPF


In the SPF tab, the following options are available:

Enable SPF check of every incoming message

Enable/disable use of SPF.

On the Relay Control tab in the SMTP server section, it is possible to define a group of trustworthy IP addresses. The SPF check is not applied to messages sent from trustworthy IP addresses (for details, see chapter 12.2  SMTP server).

Only log this to the security log

Messages with an invalid SPF record will only be logged to the Security log.

Block the message

Messages with an invalid SPF record will be blocked at the SMTP level. Senders are informed that their message cannot be delivered.

Add this value to the message's spam score

The value set here will be added to the message's total score (see section 13.1  Spam Rating tab).

For the SPF method, a value from 1 to 3 points is recommended.

Don't check SPF from this IP address group

Use this option especially for specifying backup servers. If a message is sent through a backup server, the IP address of the server does not match the ones allowed for the domain. Therefore the messages from these addresses should not be checked.

Warning

To guarantee full functionality of SPF, exclude only backup servers from the check; do not add any other servers to this group.

Details about the SPF check are displayed in the Debug log, after the appropriate settings are specified (for more information, see chapter 25.9  Debug log).
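
The comparison described at the start of this section and the three actions on the SPF tab, as an added Python example (not Kerio MailServer code). It handles only the ip4, ip6 and all terms of an SPF record; the domains, addresses, function names and the rule that only a hard fail counts as invalid are assumptions.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups, so this runs offline.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "example.net": ["unrelated text record"],  # no SPF policy published
}
# Constructed "don't check SPF from this IP address group" (a backup server).
EXEMPT_GROUP = [ipaddress.ip_network("198.51.100.25/32")]
OUTCOME = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip, txt=SAMPLE_TXT):
    """Evaluate the ip4/ip6/all terms of the domain's SPF record for client_ip."""
    records = [r for r in txt.get(domain, []) if r.split(" ")[0].lower() == "v=spf1"]
    if len(records) != 1:
        return "none"  # no usable policy: nothing to compare against
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in OUTCOME else "+"
        name, _, value = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            return OUTCOME[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return OUTCOME[qualifier]
        # a, mx, include, redirect need further DNS lookups; skipped here.
    return "neutral"  # no term matched


def apply_policy(domain, client_ip, action="score", points=2):
    """Return (smtp_decision, spam_points, note) for one incoming connection."""
    ip = ipaddress.ip_address(client_ip)
    if any(n.version == ip.version and ip in n for n in EXEMPT_GROUP):
        return ("deliver", 0, "not checked: exempt IP group")
    result = spf_result(domain, client_ip)
    if result != "fail":  # assumption: only a hard fail counts as invalid
        return ("deliver", 0, result)
    if action == "block":
        return ("reject", 0, result)
    if action == "log":
        return ("deliver", 0, "fail logged")
    return ("deliver", points, result)
```

A domain without an SPF record yields "none" and is delivered without scoring, matching the rule that such messages are not considered by the check.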