Usually, i am configure spf to my server for outgoing purpose. The spf records are defined in public dns use txt records. But, how to enable spf checking if there connection to my server?
The following is step by step how to enable spf checking for incoming connection.
You need to enable cbpolicyd as in the following guides : https://imanudin.net/2014/09/08/how-to-install-policyd-on-zimbra-8-5/. After enable policyd, please open policyd webui (http://IPZIMBRA:7780/webui/index.php) and create some groups, policy and spf.
# Create Groups
Select Policies | Groups. Select action and add groups. given name list_domain. On comment, you can empty or filled with comment. Select a group that has been made. On action, select members and fill with your domain. See the following example. make sure disabled status is no at groups or members groups
# Create Policy
Select Policies | Main. Add new policy and give name or information like the following picture. Then submit query
select new policy has been made and select members on action. Add member and fill on source/destination with group that has been made. See the following example
Above configuration only check spf if email connection come from external domain (Gmail, Yahoo and etc) to my internal domain. If email connection come from internal domain to internal domain, or internal domain to external domain, spf checking will be ignore/skip. make sure disabled status is no
# Create SPF Check
Select SPF Checks | Configure. Select Add on Action and configure like follow. Then Submit
Make sure disabled status is no. Enable policyd checkspf and restart policyd service
su - zimbra
zmprov ms `zmhostname` zimbraCBPolicydCheckSPFEnabled TRUE
SPF checking for incoming connection has been enabled and configured. Please see zimbra.log if getting spf fail.
The following is example when getting spf fail
Mar 10 18:45:43 smtp postfix/smtpd: NOQUEUE: reject: RCPT from c117-167.nanaonet.jp[220.127.116.11]: 554 5.7.1 <firstname.lastname@example.org>: Sender address rejected: Failed SPF check; Please see http://www.openspf.org/Why?s=mfrom;id=shaftssg%40onet.pl;ip=18.104.22.168;r=smtp.imanudin.net; onet.pl, Sender is not authorized by default to use 'email@example.com' in 'mfrom' identity (mechanism '-all' matched); from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<[22.214.171.124]>
Good luck and hopefully useful 😀