ES Message Log SPF
BWC
Hi,
While checking whether the latest changes in ES 10.0.11 supporting EDNS make SPF any better, I came across some questions about the Message Log and the SPF states. I checked the Knowledge Base and the Admin Guide, but they don't seem to be explained there. Same goes for DKIM states, but they are kinda the same.
Below are my sightings for the different states, maybe @David W can chime in here?
SPF Check Not Performed: What does that mean? Why is it not performed? I can see this state in the Message Log for senders with and without SPF policies.
No SPF record: The name suggests there is no SPF policy defined for the sender domain. This is valid for @t-online.de for example, but I also have mails from @sentinelone.com in my Message Log marked as No SPF Record, but there is one. They have a good amount of TXT records in their zone, could this be an issue?
SPF Pass: All good, SPF policy complied with. Interestingly I can see mails from @sentinelone.com with that state as well, which makes the above "No SPF record" even weirder.
SPF Soft Failure: I guess for policy ~all, I can see only SPAM related to that state in the log.
Permanent Error: I can see this state for senders with huge SPF records or maybe too many DNS lookups.
Temporary Error: Seen mostly for SPAM senders, but also for @sonicwall.com. Does this occur when the DNS resolver is temporarily not able to resolve?
SPF disabled: I don't have any events for that, maybe when SPF is disabled in Anti-Spoof settings?
SPF Hard Failure: Mostly for SPAM mails, but also for amazon.com, which has a huge SPF record, could this cause this event?
Neutral: I guess for policy ?all, I can see only SPAM related to that state in the log.
The confusing part is that sometimes from the same sender domain and sender IP address I can get events with different states, which is not consistent. My DNS resolvers are pretty solid so I can't see an obvious reason here.
--Michael@BWC
Category: Email Security Appliances
Answers
@BWC I'm working several different projects at the moment not just Email Security.
I will try and get you something together over this coming week.
It's not a simple response for this one.
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
@David W thanks, highly appreciated if you or someone else can shed some light on that matter.
--Michael@BWC
@BWC it had always bothered me...
I've now too updated to 10.0.11 and see several "SPF Check Not Performed", "Temporary Error" and "Permanent Error". Why?
Another question: did they move the checking of SPF back to the front of the list (where it should be) and make the SPF management dialog useful again?
Hi guys, I cannot answer any of these questions, because sadly SNWL is radio silent on that, but there was no word in the Release Notes mentioning any change in the Judgement Order.
--Michael@BWC
I viewed my logs and checked the SPF records for sender domains, these results seem to indicate different things:
Permanent Error: SPF record is too long for ES, although it's valid and does not have many includes or too many lookups. At least this is how it looks.
Temporary Error: no SPF record at all, many includes, syntax error, too many lookups or long records.
SPF Check Not Performed: senders seem to be whitelisted by users so no check was performed at all.
That last point seems to indicate that the SPF checking is done only after looking up any whitelists. Those temporary and permanent errors don't look good either, because it looks like it's not consistent and mis-evaluates a lot.
These are correct assessments and I will be discussing with engineering about the length of records and what we are looking up.
Obviously I won't have any immediate updates, but hopefully we will be able to have them lengthen the depth we will go to do lookups.
Permanent Error: SPF record is too long for ES, although it's valid and does not have many includes or too many lookups. At least this is how it looks.
Temporary Error: no SPF record at all, many includes, syntax error, too many lookups or long records.
SPF Check Not Performed: senders seem to be whitelisted by users so no check was performed at all.
For SPF check not performed these also can be Attachments looked at by Capture.
Capture is part of AV so the Lookups would come on a second pass and be invalid so they are not done.
Neutral, softfail and hardfail are determined by the SPF record itself.
However we only take action on Hardfail.
The others can be used in policy filters to junk or allow certain items.
David Wilbur
Technical Support Senior Advisor, Premier Services, SME Email Security
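The thread above attributes Permanent Error mainly to record length and the number of DNS lookups. The following is an added example, not SonicWall's code, that shows how the RFC 7208 rules actually produce those verdicts offline: it walks include:/redirect= chains against a constructed in-memory zone (all domains and records are made up) and reports "none" (No SPF record), "permerror" (two v=spf1 records, an include of a domain without a record, or more than 10 DNS-querying terms) or "ok" with the lookup count used, so you can see which of your senders sit near the limit before blaming the resolver.

```python
import re

# Constructed sample zone (domain -> TXT strings); an assumption, not real DNS data.
ZONE = {
    "good.example": ["v=spf1 include:_spf.good.example ip4:192.0.2.0/24 -all"],
    "_spf.good.example": ["v=spf1 mx ip4:198.51.100.0/24 ~all"],
    "nospf.example": ["some-site-verification=abc123"],       # TXT present, no v=spf1
    "twospf.example": ["v=spf1 -all", "v=spf1 +all"],          # two SPF records
    "dangling.example": ["v=spf1 include:missing.example -all"],
    "deep.example": ["v=spf1 "
                     + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
}
ZONE.update({f"hop{i}.example": [f"v=spf1 ip4:203.0.113.{i}/32 -all"] for i in range(11)})

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (limit: 10 per check).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)
MAX_LOOKUPS = 10

def spf_record(domain, zone=ZONE):
    """Return ('none' | 'permerror' | 'ok', record) for a single domain."""
    txts = zone.get(domain, [])  # a real resolver failure here would be a temperror instead
    spf = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not spf:
        return "none", None       # the gateway's 'No SPF record'
    if len(spf) > 1:
        return "permerror", None  # more than one v=spf1 record (RFC 7208 section 4.5)
    return "ok", spf[0]

def analyze(domain, zone=ZONE, _seen=None):
    """Follow include:/redirect= chains; return (status, DNS lookups consumed)."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:
        return "permerror", 0     # include loop
    _seen.add(domain)
    status, rec = spf_record(domain, zone)
    if status != "ok":
        return status, 0
    used = 0
    for term in rec.split()[1:]:
        if not LOOKUP_TERM.match(term):
            continue              # ip4:/ip6:/all terms cost no lookup
        used += 1
        if term.lstrip("+-~?").lower().startswith(("include:", "redirect=")):
            sub_status, sub_used = analyze(re.split(r"[:=]", term, 1)[1], zone, _seen)
            used += sub_used
            if sub_status != "ok":
                return "permerror", used  # included domain has no usable record (section 5.2)
        if used > MAX_LOOKUPS:
            return "permerror", used      # the 'too many DNS lookups' permerror
    return "ok", used
```

Swapping ZONE for a real TXT lookup (e.g. via dnspython) turns this into a pre-check for the sender domains that show Permanent Error in the Message Log.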
Sounds like the SPF implementation still needs a major overhaul, even if EDNS is now somewhat or partially supported. Ideally there would be a user selectable setting on how aggressively different SPF results would affect a message to be considered spam. Like if no SPF record was found, put some more weight to it being spam.