Overview
This article describes the steps to take to determine why the Sender Policy Framework Anti-Spam filter blocked or allowed a message item (an email or calendar item).
The Sender Policy Framework spam filter uses SPF records to stop email from forged senders by checking whether the sender IP address is authorized. The Sender Policy Framework filter is based on a community effort that requires senders to publish the IP addresses of their mail servers in an SPF record.
Diagnosis
You can confirm that the Sender Policy Framework blocked or allowed a message by inspecting the contents of the ase_spf.txt logfile located at ..\GFI\MailEssentials\AntiSpam\DebugLogs. Furthermore, the Dashboard logs will show a Scan Result of Blocked [Sender Policy Framework] indicating that the Sender Policy Framework Anti-spam filter was triggered and blocked the Email.
Prerequisites
Confirm that the Sender Policy Framework Anti-Spam Filter is enabled by navigating to GFI MailEssentials > Anti-Spam > Anti-Spam Filters > Sender Policy Framework and checking under the General tab.
The following scenarios apply only if the SPF filter was enabled. Otherwise, continue troubleshooting by checking the other filters that were Enabled at the time the Email in question was blocked or allowed.
Begin by obtaining the Message-ID of the email in question, either by extracting it from the Internet headers of the message itself or by searching for the Email in the GFI MailEssentials > Dashboard > Logs tab and then clicking on the Details hyperlink for the message under review. The Message-ID is displayed in the message details.
Solution
Case 1: Email was allowed by the module
Follow the steps below to understand why the Sender Policy Framework spam filter allowed an Email that you expected to be blocked:
- Open the Sender Policy Framework Anti-Spam Filter logfile named ase_spf.txt, located at ..\GFI\MailEssentials\AntiSpam\DebugLogs, using a text editor
- Search the logfile for the Message-ID obtained in the Prerequisites section
- Note: The lines in bold from the sample log file are important in understanding the reasons why the Email was allowed through.
- The Received-SPF entry in the logs will change depending on what is found in the SPF record for the sender
- If an email shows as whitelisted, remove it from the Exclusions list in the SPF Filter by navigating to GFI MailEssentials > Anti-Spam > Anti-Spam Filters > Sender Policy Framework and updating the IP Exceptions or Email Exceptions as appropriate.
- All other issues must be resolved by the sender updating the SPF record. Refer to this article for additional information on how to create an SPF record
"info ","ase_spf","---------------------------------------------------------"
"info ","ase_spf","CMTAMMessage::InitMessage (this:0x0AB44850, ctx:0xde843925) >>"
"info ","ase_spf","Message ID: <d5bd89cdcc159bd2086d58a877ae3bad@EC2AMAZ-TEDQDCP>"
"info ","ase_spf","InitMessage Exiting - checking expiry status..."
"info ","ase_spf","Initializing SPF Core"
"info ","ase_spf","SPF core Initializing..."
"info ","ase_spf","Sender Whitelist is empty ..."
"info ","ase_spf","Loading Sender whitelist ... ok"
"info ","ase_spf","CMTAMMessage::RefreshContext() <<"
"info ","ase_spf","CMTAMMessage::ProcessMessage (0xAB44850) >>"
"info ","ase_spf","Getting SMTP recipients"
"info ","ase_spf","SMTP Recipients [1]"
"info ","ase_spf","Successfully retrieved Email InfoRetriever from Propertybag"
"info ","ase_spf","Getting connecting IP from InfoRetiever"
"info ","ase_spf","Failed while Getting connecting IP from InfoRetriever"
"info ","ase_spf","Getting IP from ASE"
"info ","ase_spf","Getting HELO"
"info ","ase_spf","Getting Sender email ..."
"info ","ase_spf","Getting Sender email ... ok [administrator@ec2amaz-tedqdcp]"
"info ","ase_spf","Processing SPF. IP:172.31.26.235, Helo:EC2AMAZ-TEDQDCP, MailFrom:administrator@ec2amaz-tedqdcp"
"info ","ase_spf","Received-SPF: none (: 172.31.26.235 is neither permitted nor denied by domain of ec2amaz-tedqdcp) client-ip=172.31.26.235; envelope-from=administrator@ec2amaz-tedqdcp; helo=EC2AMAZ-TEDQDCP;"
"info ","ase_spf","SPF tested. [Not performing action]"
"info ","ase_spf","writing SpamFlag: 0"
"info ","ase_spf","CMTAMMessage::ProcessMessage (0xAB44850) <<"
"info ","ase_spf","---------------------------------------------------------"
Case 2: Email was blocked by the module
Follow the steps below to understand why the Sender Policy Framework spam filter blocked an Email:
- Open the Sender Policy Framework Anti-Spam Filter logfile named ase_spf.txt, located at ..\GFI\MailEssentials\AntiSpam\DebugLogs, using a text editor
- Search the logfile for the Message-ID obtained in the Prerequisites section
- Note: The lines in bold from the sample log file are important in understanding the reasons why the Email was blocked.
- The Received-SPF entry in the logs will change depending on what is found in the SPF record for the sender
- SPF Fail issues must be resolved by the sender updating the SPF record. Refer to this article for additional information on how to create an SPF record
"info ","ase_spf","---------------------------------------------------------"
"info ","ase_spf","Message ID: <1adca04762dcef9d3db669d7cc15964d@EC2AMAZ-TEDQDCP>"
"info ","ase_spf","InitMessage Exiting - checking expiry status..."
"info ","ase_spf","Initializing SPF Core"
"info ","ase_spf","SPF core Initializing..."
"info ","ase_spf","Sender Whitelist is empty ..."
"info ","ase_spf","Loading Sender whitelist ... ok"
"info ","ase_spf","Getting SMTP recipients"
"info ","ase_spf","SMTP Recipients [1]"
"info ","ase_spf","Successfully retrieved Email InfoRetriever from Propertybag"
"info ","ase_spf","Getting connecting IP from InfoRetiever"
"info ","ase_spf","Non-gateway machine: 72.9.101.247"
"info ","ase_spf","Getting IP from ASE"
"info ","ase_spf","Getting HELO"
"info ","ase_spf","Getting Sender email ... ok [administrator@ec2amaz-tedqdcp]"
"info ","ase_spf","Checking sender against whitelist ..."
"info ","ase_spf","Processing SPF. IP:72.9.101.247, Helo:, MailFrom:gfitest@gfitest.com"
"info ","ase_spf","Recip Whitelist enabled"
"info ","ase_spf","MyDNS ctor"
"info ","ase_spf","dns server: () timeout 5 rr 16 <gfitest.com>"
"info ","ase_spf","dns.Query( qDomain ) = 0 ]1["
"info ","ase_spf","TEXT: v=spf1 mx -all [14]"
"info ","ase_spf","found SPF record: v=spf1 mx -all"
"info ","ase_spf","MyDNS ctor"
"info ","ase_spf","dns server: () timeout 5 rr 15 <gfitest.come>"
"info ","ase_spf","MyDNS ctor"
"info ","ase_spf","dns.Query( qDomain ) = 301 ]0["
"info ","ase_spf","query failed: err = 301 Interrupted."
"info ","ase_spf","found 0 MX records for swuoinkelm.me (herrno: 183)"
"info ","ase_spf","SPF header: version: 1 mech 2/8 mod 0/0 len=12"
"info ","ase_spf","SPF record: v=spf1 mx -all"
"info ","ase_spf","Received-SPF: fail (: domain of gfitest.com does not designate 72.9.101.247 as permitted sender) client-ip=72.9.101.247; envelope-from=gfitest@gfitest.com; helo=;"
"info ","ase_spf","SPF tested. [Performing action]"
"info ","ase_spf","Setting actions data ..."
"info ","ase_spf","Informing ASE of spam [2]..."
"info ","ase_spf","Setting block report to: 'Sender is forged (SPF Fail)'"
"info ","ase_spf","---------------------------------------------------------"
Note: If a genuine email is blocked, add an Exclusion for the sender domain or IP in the SPF Filter or alternatively Whitelist the sender.
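The manual search described in Case 1 and Case 2 can be scripted. The following is an added example, not GFI code: it pulls the block for one Message-ID out of ase_spf.txt and returns the Received-SPF result, the SPF record that was found, and whether the filter acted. It assumes each message's lines sit together between separator lines, as in the samples above; the names spf_verdict, PATTERNS and SAMPLE_LOG are chosen here for illustration.

```python
import csv
import io
import re

# Abridged from this page's two sample logs (same line format, fewer lines).
SAMPLE_LOG = '''"info ","ase_spf","---------------------------------------------------------"
"info ","ase_spf","Message ID: <d5bd89cdcc159bd2086d58a877ae3bad@EC2AMAZ-TEDQDCP>"
"info ","ase_spf","Received-SPF: none (: 172.31.26.235 is neither permitted nor denied by domain of ec2amaz-tedqdcp) client-ip=172.31.26.235; envelope-from=administrator@ec2amaz-tedqdcp; helo=EC2AMAZ-TEDQDCP;"
"info ","ase_spf","SPF tested. [Not performing action]"
"info ","ase_spf","writing SpamFlag: 0"
"info ","ase_spf","---------------------------------------------------------"
"info ","ase_spf","Message ID: <1adca04762dcef9d3db669d7cc15964d@EC2AMAZ-TEDQDCP>"
"info ","ase_spf","found SPF record: v=spf1 mx -all"
"info ","ase_spf","Received-SPF: fail (: domain of gfitest.com does not designate 72.9.101.247 as permitted sender) client-ip=72.9.101.247; envelope-from=gfitest@gfitest.com; helo=;"
"info ","ase_spf","SPF tested. [Performing action]"
"info ","ase_spf","Setting block report to: 'Sender is forged (SPF Fail)'"
"info ","ase_spf","---------------------------------------------------------"
'''

PATTERNS = {  # field name -> regex applied to the third CSV column
    "result": re.compile(r"^Received-SPF: (\w+)"),
    "client_ip": re.compile(r"^Received-SPF: .*client-ip=([^;]*);"),
    "envelope_from": re.compile(r"^Received-SPF: .*envelope-from=([^;]*);"),
    "spf_record": re.compile(r"^found SPF record: (.*)$"),
    "action": re.compile(r"^SPF tested\. \[(.*)\]$"),
    "block_report": re.compile(r"^Setting block report to: '(.*)'$"),
}

def spf_verdict(log_text, message_id):
    """Return the SPF facts logged for one Message-ID, or None if not found."""
    wanted, facts, in_block = message_id.strip("<> "), None, False
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 3 or row[1] != "ase_spf":
            continue  # blank line or not an SPF filter entry
        msg = row[2]
        if msg.startswith("Message ID:"):
            in_block = msg.split(":", 1)[1].strip(" <>") == wanted
            if in_block:
                facts = dict.fromkeys(PATTERNS)  # latest block for this ID wins
        elif set(msg) == {"-"}:
            in_block = False  # separator line closes the current message block
        elif in_block:
            for name, rx in PATTERNS.items():
                if (m := rx.search(msg)):
                    facts[name] = m.group(1)
    if facts:
        facts["blocked"] = facts["action"] == "Performing action"
    return facts
```

To run it against a live log, read ase_spf.txt into a string and pass it as log_text together with the Message-ID taken from the Dashboard details.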
Case 3: Sender Policy Framework filter is disabled
If the Sender Policy Framework Anti-Spam filter module is disabled, check other filters to determine which one blocked or allowed a message as described in the prerequisites section. It is recommended that the filter should stay Enabled for added protection against spam messages.
Confirm that the Sender Policy Framework Anti-Spam filter module is Enabled by navigating to GFI MailEssentials > Anti-Spam > Anti-Spam Filters > Sender Policy Framework and clicking on the General tab.