Introduction
In part 1, I demonstrated how to set up Exchange to block spoofed email where the sending domain has a valid SPF record using the -all mechanism (HardFail).
So, what happens when you want to block or identify SoftFails also? I’ll show you how to do this in these instructions.
First, make sure that you have gone through at least these steps from part 1 before continuing:
- Create an SPF record for your domain configured with a hard fail
- Configure the InternalSMTPServers property on your transport servers
- Install the Anti-Spam agents on Exchange
Now that you’ve done that, we can continue. We’ll break these instructions down into three steps:
- SPF results in message headers (how to identify SPF SoftFails)
- How to block or mark an SPF soft fail email in Exchange 2010
- How to block or mark an SPF soft fail email in Exchange 2013 or 2016
SPF results in message headers (how to identify SPF SoftFails)
Here’s an example of a junk email that made it through the SenderID check that we configured in part 1 because it was not actually an SPF HardFail:
Received: from direct-soho-210-158-67.cbn.net.id (210.210.158.67) by
svr01.domain.co.uk (192.168.0.8) with Microsoft SMTP Server id 14.3.224.2;
Wed, 13 Jan 2016 11:36:02 +0000
From: Avril Sparrowhawk <Avril.Sparrowhawk@lescaves.co.uk>
To: "mark@domain.co.uk" <mark@domain.co.uk>
Subject: CWIH8974 PAYMENT RECEIVED
Date: Wed, 13 Jan 2016 18:36:18 +0700
Message-ID: <57B2F503302A134BB06611F503C0E502143C82B4@domain.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.0.0.89]
Content-Type: multipart/mixed; boundary="_006_57B2F503302A134BB06611F503C0E502143C82B4LCDPMAIL2lescav_"
X-Original-To: accounts@trinityrestaurant.co.uk
X-Virus-Scanned: ClamAV using ClamSMTP
Return-Path: Avril.Sparrowhawk@lescaves.co.uk
MIME-Version: 1.0
X-MS-Exchange-Organization-AuthSource: svr01.domain.co.uk
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: lescaves.co.uk
X-MS-Exchange-Organization-SenderIdResult: SoftFail
Received-SPF: SoftFail (svr01.domain.co.uk: domain of transitioning
Avril.Sparrowhawk@lescaves.co.uk discourages use of 210.210.158.67 as
permitted sender)
As you can see from the message headers, this is a SoftFail. We can’t use the Exchange SenderID Transport Agent to block this as we did in part 1 because the agent has no option to reject an SPF SoftFail as it does for a HardFail.
So, we can’t use the SenderID agent but we can create an Exchange Transport Rule to review the message headers for us and look for SoftFail in the Received-SPF header. I’ll demonstrate how to create this rule in Exchange 2010 – 2016 below.
How to block or mark an SPF SoftFail email in Exchange 2010:
Open up the Exchange Management Console using an account that is a member of the Organization Management group and expand down to Organization Configuration > Hub Transport:
In the right hand pane, click on “New Transport Rule”:
Give your new transport rule a name such as “SPF SoftFail” and click Next:
On the next screen, select “when the message header contains specific words”:
Click on “message header” in the bottom pane, enter “Received-SPF” and click OK:
Now, click on “specific words” in the bottom pane, enter “SoftFail”, click Add then click OK:
Also tick the option “from users that are inside or outside the organization” and select “Outside the organization”. You should now see that this transport rule applies to messages when the Received-SPF header contains SoftFail and the message is from a sender outside the organization. The second condition prevents actions being taken on internal email relayed from servers that don’t have an IP included on the SPF record for your domain:
Go ahead and click Next. You’re now prompted with a list of actions to choose to apply to the email. You can apply any action you like such as:
- prepend message subject with string (to notify the recipient that this email could be potentially harmful)
- forward the message to addresses for moderation (e.g. to forward to an Administrator to check the domain is valid and configure an exception for the domain if needed then approve the email for delivery to the end user)
- redirect the message to addresses (e.g. forward to a spam mailbox)
- send rejection message to sender with enhanced status code (reject the message with custom error)
I’ll demonstrate how to prepend a string to the subject line and also how to reject the email.
To prepend the message subject with the string “POTENTIAL SPAM (SPF SoftFail)” to notify users that they should be vigilant when opening this email, tick “prepend message subject with string” and enter your custom string in the bottom pane as below:
If you want to block the email instead of prepending a string to the subject line, then in the actions window, instead of selecting “prepend message subject with”, select “send rejection message to sender with enhanced status code”:
Create a rejection message such as “SPF SoftFail” and select an enhanced status code such as “5.7.1”:
Once done, complete the wizard, selecting the defaults.
If you’ve chosen to prepend a string to the subject line then SPF SoftFail emails will be marked like this email:
How to block or mark an SPF SoftFail email in Exchange 2013 or 2016:
Log into the Exchange Admin Center using an admin account that is a member of the Organization Management group then click on mail flow then rules:
Click on the + icon then click on “Create a new rule” and provide a name for your new rule such as SPF SoftFail:
Click on “more options…” to make the message header options visible
Once done, click on the “Apply this rule if….” drop down, select “A message header…” then select “matches these text patterns” as below:
Click on “Enter text…” and enter Received-SPF then click OK:
Then click on “Enter text patterns…” and enter SoftFail then the + icon then click OK:
We need to ensure that this rule only applies to external senders, so we need to add a condition that the senders are outside the organization. This prevents problems with printers or other servers that are relaying through Exchange without having their IPs on the SPF record (if you’re using an SPF SoftFail on your record). To do this, click on “add condition” and select “The sender…is external/internal”:
Select “Outside the organization” then click OK:
We can now select an action for the message. As with the Exchange 2010 instructions, I’ll demonstrate how to prepend a string to the message subject and also how to reject the email:
To prepend a string to the message subject, select “prepend the subject of the message with..” (funnily enough!) and enter the text you want to add to the beginning of the subject line such as “POTENTIAL SPAM (SPF SoftFail)” then click OK then Save:
If you would rather reject this email, then instead of selecting the action “prepend the subject of the message with…”, select “Block the message…reject the message with the explanation” and enter an explanation such as SPF SoftFail:
Once done, click Save. Your rule is now enabled.
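The same rule can be created from the Exchange Management Shell instead of the wizard or the Exchange Admin Center. The script below is an added example, not part of the original instructions: the function name New-SpfSoftFailRule and its parameters are hypothetical, and it assumes Exchange 2010 SP1 or later, where New-TransportRule accepts conditions and actions as direct parameters. It covers both the “contains specific words” condition from the 2010 steps and the “matches these text patterns” condition from the 2013/2016 steps.

```powershell
# Added example. Run in the Exchange Management Shell with an account that is
# a member of the Organization Management group.
function New-SpfSoftFailRule {
    param(
        # 'Prepend' tags the subject, 'Reject' bounces the message with 5.7.1
        [ValidateSet('Prepend', 'Reject')]
        [string]$Action = 'Prepend',

        # Use the "matches these text patterns" condition (2013/2016 steps)
        # instead of "contains specific words" (2010 steps)
        [switch]$MatchPatterns
    )

    $name = 'SPF SoftFail'

    # Do not create a second rule with the same name
    if (Get-TransportRule | Where-Object { $_.Name -eq $name }) {
        Write-Warning "Transport rule '$name' already exists; nothing created."
        return
    }

    # Only act on mail from senders outside the organization, so internal
    # relays that are missing from your own SPF record are not affected
    $params = @{ Name = $name; FromScope = 'NotInOrganization' }

    if ($MatchPatterns) {
        $params.HeaderMatchesMessageHeader = 'Received-SPF'
        $params.HeaderMatchesPatterns      = 'SoftFail'
    } else {
        $params.HeaderContainsMessageHeader = 'Received-SPF'
        $params.HeaderContainsWords         = 'SoftFail'
    }

    if ($Action -eq 'Reject') {
        $params.RejectMessageReasonText         = 'SPF SoftFail'
        $params.RejectMessageEnhancedStatusCode = '5.7.1'
    } else {
        # Trailing space keeps the tag separate from the original subject
        $params.PrependSubject = 'POTENTIAL SPAM (SPF SoftFail) '
    }

    New-TransportRule @params
}

# Mark SoftFail mail first; switch to -Action Reject once you trust the results
New-SpfSoftFailRule -Action Prepend
Get-TransportRule | Where-Object { $_.Name -eq 'SPF SoftFail' } | Format-List Name, State, Priority
```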
Conclusion
In part 2, I’ve demonstrated how to block or notify the end user of emails that fail the SPF checks but cause a SoftFail rather than a HardFail.
In an upcoming post, I’ll show you how to only accept emails from particular domains if they pass the SPF check.