[Solved] Reject SPF failures?

Does the current version of MIAB reject SPF failures (inbound E-Mails)? Could not find Information on this.


AFAIK it does not. I am not 100% certain though. I will look for a definitive answer later today.

No, it doesn’t. We don’t do any hard filtering of that sort.


Is there any reason we do not?

It seems easy to implement:


Just guessing: high chance of false-positives can be a reason or wrongly set-up records by the senders etc.

False positives can be resolved by selecting how aggressive you wish the filters to be. Wrongly set up records by the senders are their problem not ours. I don’t see why this shouldn’t be implemented as it could make the system a little more protected from spammers and phishers.

1 Like

The thing is, for DMARC to be implemented fully SPF results should also be included. DMARC takes the DKIM and SPF authentication results and parses them. A DKIM OR SPF pass is enough to let the mail through. (provided the domains match the From:address)

As it stands MIAB is not implementing DMARC properly if it does not include SPF authentication.


The question was whether Mail-in-a-Box does a hard reject on emails that fail SPF. The answer is no — we don’t do hard rejections at all. We insert DMARC Authentication-Results headers, and those headers are correct as far as I know.

Correct. That way my only question. Rejecting SPF failures the hard way would bring a bunch of other problems. SPF alone does not really fight spam. DMARC (DKIM signature) is much more efficient and MIAB implemented it correctly. SPF is just a fraction of several meassurements and there is no real benefit of switching to “hard SPF filtering”. BTW: SPF failures will be rated “softly” by spamassassin (e.g. score SPF_FAIL = 0.9).