
ES Message Log SPF

BWC Cybersecurity Overlord ✭✭✭

Hi,

While checking if the latest changes in ES 10.0.11 supporting EDNS make SPF any better, I came across some questions about the Message Log and the SPF states. I checked the Knowledge Base and the Admin Guide, but they don't seem to be explained there. Same goes for DKIM states, but they are kinda the same.

Below my sightings for the different states, maybe @David W can chime in here?

SPF Check Not Performed
What does that mean? Why is it not performed? I can see this state in the Message Log for senders with and without SPF policies.

No SPF record
The name suggests there is no SPF policy defined for the sender domain. This is valid for @t-online.de for example, but I also have mails from @sentinelone.com in my Message Log marked as No SPF Record, but there is one. They have a good amount of TXT records in their zone, could this be an issue?

SPF Pass
All good, SPF policy complied with. Interestingly I can see mails from @sentinelone.com with that state as well, which makes the above "No SPF record" even more weird.

SPF Soft Failure
I guess this is for policy ~all; I can only see SPAM related to that state in the Log.

Permanent Error
I can see this state for senders with huge SPF records or maybe too many DNS lookups.

Temporary Error
Seen mostly for SPAM senders, but also for @sonicwall.com. Does this occur when the DNS resolver is temporarily not able to resolve?

SPF disabled
I don't have any events for that, maybe when SPF is disabled in Anti-Spoof settings?

SPF Hard Failure
Mostly for SPAM mails, but also for amazon.com, which has a huge SPF record; could this cause this event?

Neutral
I guess this is for policy ?all; I can only see SPAM related to that state in the Log.

The confusing part is that sometimes from the same sender domain and sender IP address I can get events with different states, which is not consistent. My DNS resolvers are pretty solid, so I can't see an obvious reason here.

--Michael@BWC

Category: Email Security Appliances
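As an added illustration (not SonicWall code, and not a description of how ES implements the check), the toy evaluator below shows how the RFC 7208 results come out of a sender's TXT records. The reading that the Message Log labels No SPF record, Neutral, SPF Pass, SPF Soft Failure, SPF Hard Failure, Temporary Error and Permanent Error correspond to the RFC names none, neutral, pass, softfail, fail, temperror and permerror is an assumption, and all domains, addresses and zone data are constructed. It covers three of the cases raised in the post: a zone with many unrelated TXT records but exactly one SPF record (which a correct evaluator still finds), a record whose include chain exceeds the RFC limit of 10 DNS-querying mechanisms (permerror), and a DNS lookup that fails (temperror).

```python
"""Minimal offline SPF evaluator returning RFC 7208 result names.

Added example: DNS is replaced by a constructed in-memory zone table so the
script runs offline. Only ip4, include and all are implemented.
"""
import ipaddress

# Constructed zone data; none of these domains or addresses are real.
# A list models the TXT answers for a name; None models a DNS failure.
ZONES = {
    # exactly one SPF record among several unrelated TXT records: still found
    "busy-zone.test": [
        "google-site-verification=constructed",
        "MS=constructed",
        "v=spf1 ip4:203.0.113.0/24 include:relay.test -all",
    ],
    "relay.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "softfail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "neutral.test": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "no-record.test": ["verification-token=constructed"],
    "two-records.test": ["v=spf1 -all", "v=spf1 +all"],   # duplicate records
    # eleven includes: one more than RFC 7208 section 4.6.4 allows
    "deep.test": ["v=spf1 " + " ".join(f"include:hop{i}.test" for i in range(11)) + " -all"],
    "flaky.test": None,                                    # resolver gives no answer
}
ZONES.update({f"hop{i}.test": ["v=spf1 ip4:10.0.0.0/8 -all"] for i in range(11)})

MAX_DNS_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class TempError(Exception):
    """DNS problem during evaluation (RFC 7208 'temperror')."""


class PermError(Exception):
    """Record problem: malformed, duplicated or too many lookups ('permerror')."""


def fetch_spf(domain):
    """Return the single v=spf1 record published for domain, or None if there is none."""
    txt = ZONES.get(domain, [])          # unknown name: no TXT records at all
    if txt is None:
        raise TempError(f"DNS lookup for {domain} failed")
    records = [t for t in txt if t == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(records) > 1:
        raise PermError(f"{domain} publishes {len(records)} SPF records")
    return records[0] if records else None


def evaluate(ip, domain, lookups):
    """Walk the record's terms left to right; lookups is a shared one-element counter."""
    record = fetch_spf(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
        elif mech.startswith("include:"):
            lookups[0] += 1                      # include costs one DNS query
            if lookups[0] > MAX_DNS_LOOKUPS:
                raise PermError("more than 10 DNS-querying mechanisms")
            sub = evaluate(ip, mech[8:], lookups)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub == "none":                    # RFC 7208 section 5.2
                raise PermError(f"include:{mech[8:]} has no SPF record")
            # fail, softfail or neutral from the included record: simply no match
        else:
            # a, mx, ptr, exists, redirect, exp and macros are not in this toy
            raise PermError(f"unsupported term {term}")
    return "neutral"                             # ran off the end of the record


def check_host(ip, domain):
    """Return the RFC 7208 result name for (ip, domain); never raises."""
    try:
        return evaluate(ipaddress.ip_address(ip), domain, [0])
    except TempError:
        return "temperror"
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for case in [("203.0.113.7", "busy-zone.test"), ("198.51.100.9", "busy-zone.test"),
                 ("203.0.113.1", "deep.test"), ("203.0.113.1", "flaky.test")]:
        print(case, "->", check_host(*case))
```

The point of the busy-zone.test entry is that the number of unrelated TXT records in a zone does not matter to a conforming evaluator: it filters on the `v=spf1` prefix and only complains when more than one such record exists. Whether a given product's resolver handles large TXT answer sets (where EDNS comes in) is a separate question from record parsing.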

Answers

  • David W SonicWall Employee


    @BWC I'm working several different projects at the moment not just Email Security.

    I will try and get you something together over this coming week.

    It's not a simple response for this one.

    David Wilbur

    Technical Support Senior Advisor, Premier Services, SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭

    @David W thanks, highly appreciated if you or someone else can shed some light on that matter.

    --Michael@BWC

  • Halon5 Enthusiast ✭✭

    @BWC it had always bothered me...

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    I've now too updated to 10.0.11 and see several "SPF Check Not Performed", "Temporary Error" and "Permanent Error". Why?

  • Halon5 Enthusiast ✭✭

    Another question: did they move the checking of SPF back to the front of the list (where it should be) and make the SPF mgmt dialog useful again?

  • BWC Cybersecurity Overlord ✭✭✭

    Hi guys, I cannot answer any of these questions, because sadly SNWL is radio silent on that, but there was no word in the Release Notes mentioning any change in the Judgement Order.

    --Michael@BWC

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    I viewed my logs and checked the SPF records for sender domains, these results seem to indicate different things:

    Permanent Error: SPF record is too long for ES, although it's valid and does not have many includes or too many lookups. At least this is how it looks.

    Temporary Error: no SPF record at all, many includes, syntax error, too many lookups or long records.

    SPF Check Not Performed: senders seem to be whitelisted by users so no check was performed at all.

    That last point seems to indicate that the SPF checking is done only after looking up any whitelists. Those temporary and permanent errors don't look good either, because it looks like it's not consistent and mis-evaluates a lot.

  • David W SonicWall Employee

    These are correct assessments and I will be discussing with engineering about the length of records and what we are looking up.

    Obviously I won't have any immediate updates, but hopefully we will be able to have them lengthen the depth we will go to do lookups.


    Permanent Error: SPF record is too long for ES, although it's valid and does not have many includes or too many lookups. At least this is how it looks.

    Temporary Error: no SPF record at all, many includes, syntax error, too many lookups or long records.

    SPF Check Not Performed: senders seem to be whitelisted by users so no check was performed at all.


    For SPF Check Not Performed, these can also be attachments looked at by Capture.

    Capture is part of AV so the Lookups would come on a second pass and be invalid so they are not done.

    Neutral, softfail and hardfail are determined by the SPF record itself.

    However we only take action on Hardfail.

    The others can be used in policy filters to junk or allow certain items.

    David Wilbur

    Technical Support Senior Advisor, Premier Services, SME Email Security

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    Sounds like the SPF implementation still needs a major overhaul, even if EDNS is now somewhat or partially supported. Ideally there would be a user selectable setting on how aggressively different SPF results would affect a message to be considered spam. Like if no SPF record was found, put some more weight to it being spam.
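Two things come up repeatedly in this thread: the same sender domain and IP showing different SPF states over time, and the wish for a configurable weight per SPF result. The script below is an added example (not SonicWall code, and the ES log export format is unknown here, so the CSV layout and every log line in it are constructed) that reads message-log rows, flags sender/IP pairs with contradictory definitive states, and applies an illustrative weight table of the kind SonicAdmin80 describes. Temporary Error, SPF Check Not Performed and SPF disabled are treated as non-definitive, since they say nothing about the record itself.

```python
"""Audit SPF result states in a message log export (added example).

The field layout and all rows below are constructed; the weights are
illustrative, not product defaults.
"""
import csv
from collections import defaultdict
from io import StringIO

SAMPLE_LOG = """\
timestamp,sender_ip,sender_domain,spf_result
2021-04-01T08:00:01,203.0.113.10,example.test,SPF Pass
2021-04-01T08:05:12,203.0.113.10,example.test,No SPF record
2021-04-01T08:09:40,203.0.113.10,example.test,SPF Pass
2021-04-01T09:15:00,198.51.100.7,shop.test,SPF Hard Failure
2021-04-01T09:16:30,198.51.100.7,shop.test,Temporary Error
2021-04-01T10:00:00,192.0.2.44,partner.test,SPF Soft Failure
2021-04-01T10:02:00,192.0.2.44,partner.test,SPF Check Not Performed
2021-04-01T11:00:00,192.0.2.99,newsletter.test,Neutral
"""

# States that do not describe the sender's record, only the check itself.
NONDEFINITIVE = {"Temporary Error", "SPF Check Not Performed", "SPF disabled"}

# Hypothetical user-selectable weights: higher means more likely junk.
DEFAULT_WEIGHTS = {
    "SPF Pass": 0.0,
    "Neutral": 1.0,
    "SPF Soft Failure": 2.0,
    "SPF Hard Failure": 5.0,
    "No SPF record": 1.5,
    "Permanent Error": 1.0,
    "Temporary Error": 0.5,
    "SPF Check Not Performed": 0.0,
    "SPF disabled": 0.0,
}


def parse_log(text):
    """Return the log rows as dicts keyed by the header fields."""
    return list(csv.DictReader(StringIO(text)))


def states_per_sender(rows):
    """Map (sender_domain, sender_ip) to the sorted distinct SPF states seen."""
    seen = defaultdict(set)
    for row in rows:
        seen[(row["sender_domain"], row["sender_ip"])].add(row["spf_result"])
    return {key: sorted(states) for key, states in seen.items()}


def inconsistent_senders(rows):
    """Sender/IP pairs that received more than one definitive SPF state.

    A record either authorises an IP or it does not, so Pass next to
    No SPF record (or Hard Failure) from the same IP points at the
    evaluator or its resolver rather than at the sender.
    """
    flagged = {}
    for key, states in states_per_sender(rows).items():
        definitive = [s for s in states if s not in NONDEFINITIVE]
        if len(definitive) > 1:
            flagged[key] = definitive
    return flagged


def score(row, weights=DEFAULT_WEIGHTS):
    """Weight contributed by the SPF state alone; unknown states count zero."""
    return weights.get(row["spf_result"], 0.0)


def flag_messages(rows, threshold, weights=DEFAULT_WEIGHTS):
    """Timestamps of messages whose SPF weight reaches the threshold."""
    return [row["timestamp"] for row in rows if score(row, weights) >= threshold]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for (domain, ip), states in inconsistent_senders(rows).items():
        print(f"inconsistent: {domain} from {ip}: {', '.join(states)}")
    print("flagged:", flag_messages(rows, 2.0))
```

On the sample data the only inconsistent pair is example.test from 203.0.113.10 (Pass and No SPF record from the same address), which is exactly the pattern reported at the top of the thread; the Temporary Error next to shop.test's Hard Failure is not flagged, because a transient resolver problem is compatible with any record.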
