Sender Authentication
Sender authentication verifies that email originates from authorized sources and helps prevent spoofing and phishing attacks. Email Gateway Defense supports setting policies based on the SPF, DKIM, and DMARC records of sending domains, along with additional protection such as Sender Spoof Protection.
Domain-based Message Authentication, Reporting & Conformance (DMARC)
DMARC builds upon SPF and DKIM to protect the header From domain, specifies how receivers should handle messages that fail authentication, and provides reporting.
Key Details
DMARC evaluation takes precedence over all independent sender authentication checks (SPF, DKIM, and related policies).
If a domain’s DMARC policy is in enforcement mode (reject or quarantine), it determines the final action, regardless of SPF/DKIM results or exemptions.
DMARC exemptions are based only on the header From domain, ensuring RFC compliance.
Avoid excessive exemptions; these weaken protection and increase the risk of spoofing.
Configuration Options
Yes – Applies DMARC policy checks to inbound mail.
No – DMARC checks are not performed on inbound mail.
DMARC Exempt – Allows specific domains to bypass DMARC checks. Enter the header From domain. Exemptions should be limited to trusted domains.
DomainKeys Identified Mail (DKIM)
DKIM uses cryptographic signatures to verify that the message content has not been altered and that it was sent by a domain authorized to sign messages.
Key Details
DKIM validates the domain in the d= tag of the DKIM signature, not the header From domain.
DMARC checks alignment between the header From domain and the DKIM d= domain.
Adding or modifying content after signing, such as appending disclaimers, will break DKIM. Configure disclaimers before DKIM signing or disable signing for those messages.
Configuration Options
Block – Emails that fail DKIM validation are blocked.
Quarantine – Emails that fail DKIM validation are quarantined.
Off – DKIM signatures are not evaluated. This is the default setting.
Note: This applies to independent DKIM checks and does not impact DMARC evaluation and enforcement.
DKIM Exempt – Allows specific domains to bypass DKIM checks. Use the domain found in the DKIM signature d= tag. Exemptions weaken authentication and should be used sparingly.
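The DMARC and DKIM rules above (DMARC evaluated first and keyed on the header From domain, enforcement overriding independent results, the DKIM exemption keyed on the signature's d= domain) can be modelled as a small decision function. The following is an added illustration, not Email Gateway Defense code. It assumes that a DMARC reject policy maps to the gateway's Block action and quarantine to Quarantine, that an exempt header From domain falls through to the independent checks, and that relaxed alignment can be approximated as "equal to or a subdomain of" (real evaluators use the Public Suffix List to find the organizational domain). All domain names are constructed.

```python
"""Added example (not Barracuda's code): DMARC precedence and alignment model."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class AuthResults:
    header_from: str        # RFC 5322 From header domain
    spf_result: str         # pass / fail / softfail / neutral / none / permerror
    spf_domain: str         # envelope-from (MAIL FROM) domain SPF was evaluated for
    dkim_result: str        # pass / fail / none
    dkim_d: Optional[str]   # d= tag of the DKIM signature, None if unsigned
    dmarc_policy: str       # none / quarantine / reject, or "absent" if no record


@dataclass
class Config:
    dmarc_enabled: bool = True                           # DMARC: Yes / No
    dmarc_exempt: Set[str] = field(default_factory=set)  # header From domains only
    dkim_action: str = "off"                             # block / quarantine / off (default Off)
    dkim_exempt: Set[str] = field(default_factory=set)   # DKIM d= domains, not header From


def aligned(auth_domain: str, header_from: str, relaxed: bool = True) -> bool:
    """Identifier alignment. Strict: exact match. Relaxed: same organizational
    domain, simplified here (assumption) to 'equal or a subdomain of'."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if a == h:
        return True
    return relaxed and (a.endswith("." + h) or h.endswith("." + a))


def dmarc_result(r: AuthResults) -> str:
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with header From."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from)
    dkim_ok = (r.dkim_result == "pass" and r.dkim_d is not None
               and aligned(r.dkim_d, r.header_from))
    return "pass" if (spf_ok or dkim_ok) else "fail"


def independent_dkim_action(r: AuthResults, cfg: Config) -> str:
    """Independent DKIM policy: only acts on failed signatures; exemption keyed on d=."""
    if cfg.dkim_action == "off" or r.dkim_result != "fail":
        return "deliver"
    if r.dkim_d and r.dkim_d.lower() in cfg.dkim_exempt:
        return "deliver"
    return cfg.dkim_action


def final_action(r: AuthResults, cfg: Config) -> str:
    """DMARC first. An enforcing policy decides the outcome regardless of the
    independent DKIM result; p=none, no record, DMARC off or an exempt header
    From domain fall through to the independent check."""
    enforcing = r.dmarc_policy in ("quarantine", "reject")
    exempt = r.header_from.lower() in cfg.dmarc_exempt
    if cfg.dmarc_enabled and enforcing and not exempt:
        if dmarc_result(r) == "fail":
            return "block" if r.dmarc_policy == "reject" else "quarantine"  # assumed mapping
        return "deliver"
    return independent_dkim_action(r, cfg)


if __name__ == "__main__":
    cfg = Config(dkim_action="block")
    # Constructed: forwarded mail whose DKIM signature broke but whose SPF aligns.
    forwarded = AuthResults("example.com", "pass", "bounce.example.com", "fail", "example.com", "reject")
    print("forwarded:", final_action(forwarded, cfg))      # deliver (DMARC pass wins)
    # Constructed: spoof with a valid SPF record for an unrelated domain.
    spoof = AuthResults("example.com", "pass", "attacker.test", "none", None, "reject")
    print("spoof:", final_action(spoof, cfg))              # block
```

The forwarded case is why the precedence rule matters: the independent DKIM setting would block the message, but DMARC passes on aligned SPF and that verdict is final. Conversely, the spoof case shows that an SPF pass for the wrong domain does not help the sender once DMARC alignment is required.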
Sender Policy Framework (SPF)
Enable, disable and manage the SPF policy features from the Inbound Settings > Sender Authentication page. To configure, see How to Configure SPF Policies in Email Gateway Defense.
SPF allows domain owners to publish authorized mail servers in DNS using TXT records. When Email Gateway Defense receives an email, it checks the envelope-from domain against the sending IP and the domain’s SPF record.
For background on authoring and troubleshooting SPF records in DNS, see:
SPF Result Types
Pass – The sending IP is authorized by the domain’s SPF record.
Fail (Hard Fail) – The SPF record explicitly states that the IP is not authorized (e.g., -all).
Soft Fail – The SPF record suggests that the IP is not authorized but does not require rejection (e.g., ~all).
Neutral – No definitive authorization or rejection (e.g., ?all).
None – No SPF record found for the domain.
PermError – The SPF record is invalid and cannot be evaluated correctly. In this case, Email Gateway Defense treats the SPF verdict as pass and mail scanning continues.
Configuration Options
Hard Fail
Block – Messages with SPF hard fail are blocked. This is the default setting.
Quarantine – Messages with SPF hard fail are quarantined.
Off – No action taken on hard fail.
Soft Fail
Block – Messages with SPF soft fail are blocked.
Quarantine – Messages with SPF soft fail are quarantined.
Off – No action taken on soft fail. This is the default setting.
SPF Exemptions
IP Address Exemptions – IPs in this list are exempt from SPF enforcement when the SPF check returns Hard Fail or Soft Fail.
Domain Exemptions – Domains in this list are exempt from SPF enforcement when the SPF check returns Hard Fail or Soft Fail.
Note: SPF Hard Fail and Soft Fail share these exemption lists; adding an IP or domain exemption applies to both results.
Use exemptions only when necessary to avoid blocking or quarantining specific senders based solely on SPF hard or soft fail results.
Block on No SPF Records
When a sending domain has no SPF record (SPF result None), you can control how Email Gateway Defense handles those messages.
Configuration Options
Block – Messages from domains without SPF records are blocked.
Quarantine – Messages from domains without SPF records are quarantined.
Off – No action taken if the domain lacks an SPF record. This is the default setting.
Missing SPF Exemptions
IP Address Exemptions – IP addresses in this list are exempt only from the Block on No SPF Records policy.
Domain Exemptions – Domains in this list are exempt only from the Block on No SPF Records policy.
SPF exemptions (Hard Fail, Soft Fail, and Missing SPF) reduce protection and increase the risk of spoofing.
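The SPF action tables above, including the PermError-as-pass behaviour, the exemption list shared by Hard Fail and Soft Fail, and the separate list that applies only to Block on No SPF Records, can be expressed as one lookup function. This is an added example, not Email Gateway Defense code; the IP ranges, domain names and the verdict name "deliver" are constructed, and the decision to take no action on a Neutral result reflects that the page lists no configurable action for it.

```python
"""Added example (not Barracuda's code): SPF result-to-action mapping with exemptions."""
import ipaddress

# Defaults follow the page: Hard Fail = Block, Soft Fail = Off, No SPF Record = Off.
SPF_CONFIG = {
    "hard_fail": "block",
    "soft_fail": "off",
    "no_record": "off",
    # Shared by Hard Fail and Soft Fail (constructed sample values).
    "fail_exempt_ips": {"203.0.113.0/24"},
    "fail_exempt_domains": {"partner.example"},
    # Apply only to the Block on No SPF Records policy (constructed sample values).
    "missing_exempt_ips": set(),
    "missing_exempt_domains": {"legacy.example"},
}


def _ip_exempt(sending_ip: str, networks) -> bool:
    """True if the sending IP falls inside any exempted address or CIDR range."""
    addr = ipaddress.ip_address(sending_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def spf_action(result: str, envelope_domain: str, sending_ip: str, cfg=SPF_CONFIG) -> str:
    """Return 'deliver', 'block' or 'quarantine' for an SPF verdict."""
    result = result.lower()
    envelope_domain = envelope_domain.lower()

    # Pass and PermError both let scanning continue; Neutral has no action on the page.
    if result in ("pass", "permerror", "neutral"):
        return "deliver"

    if result in ("fail", "softfail"):
        policy = cfg["hard_fail"] if result == "fail" else cfg["soft_fail"]
        if policy == "off":
            return "deliver"
        if (envelope_domain in cfg["fail_exempt_domains"]
                or _ip_exempt(sending_ip, cfg["fail_exempt_ips"])):
            return "deliver"
        return policy

    if result == "none":
        policy = cfg["no_record"]
        if policy == "off":
            return "deliver"
        if (envelope_domain in cfg["missing_exempt_domains"]
                or _ip_exempt(sending_ip, cfg["missing_exempt_ips"])):
            return "deliver"
        return policy

    raise ValueError(f"unknown SPF result: {result}")


if __name__ == "__main__":
    strict = dict(SPF_CONFIG, soft_fail="quarantine", no_record="block")
    print(spf_action("fail", "evil.example", "198.51.100.7"))              # block
    print(spf_action("fail", "evil.example", "203.0.113.9"))               # deliver (IP exempt)
    print(spf_action("none", "legacy.example", "198.51.100.7", strict))    # deliver (missing-SPF exempt)
    print(spf_action("fail", "legacy.example", "198.51.100.7", strict))    # block (exemption does not cross lists)
```

The last two calls make the point of the two separate exemption lists: a domain exempted from Block on No SPF Records is still subject to the Hard Fail policy when it does publish a record and fails it.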
PTR Records
Email Gateway Defense can block messages from IP addresses that do not have a valid PTR (reverse DNS) record. PTR records map an IP address to a hostname and are commonly required for legitimate mail servers.
Configuration Options
Block on No PTR Records
Yes – Block messages from IP addresses without a valid PTR record. This is the default setting.
No – Do not block messages based on PTR records.
Important Notes
This check is independent of SPF, DKIM, and DMARC.
While useful for blocking poorly configured or suspicious servers, enabling this option may block legitimate mail from servers without PTR records.
Sender Spoof Protection
Enable Sender Spoof Protection on the Email Gateway Defense Domain Settings page when your domain does not have any DNS sender authentication settings, such as SPF or DMARC. To navigate to the Domain Settings page, select the Domains tab, then for the appropriate domain, click Edit. Under Options, locate Enable Sender Spoof Protection.
Select Yes to block emails from senders using your domain name. Sender Spoof Protection blocks messages if the domain in either the Header From or Envelope From fields matches your domain in the Envelope To field.
Important Notes
This feature does not protect against spoofing between different domains within the same account.
When Sender Spoof Protection is enabled, SPF, DKIM, and DMARC checks are not performed on these messages because they are blocked based on the From/To domain match.
Exempting your own address reduces protection – If you need to allow a trusted external system to send as user@yourdomain.com, create a sender policy with the Exempt action for that address. This bypasses Sender Spoof Protection for that address, which means both legitimate mail and fraudulent mail spoofing the same address could be allowed. (See the note below for an important limitation.)
Bypass Sender Spoof Protection
Create a sender policy and select Exempt as the sender policy on the Inbound Settings > Sender Policies page.
Note: A sender policy Exempt for an address is not applied when the sender and recipient are the same email address (for example, example@yourdomain.com → example@yourdomain.com). In this case, Email Gateway Defense continues to process the message normally.
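The Sender Spoof Protection rule (block when the Header From or Envelope From domain matches the Envelope To domain), the Exempt sender policy, and the same-address limitation noted above can be modelled as follows. This is an added example, not Email Gateway Defense code. It assumes that an Exempt sender policy is matched against both the Header From and Envelope From addresses, and that when the exemption is not applied (sender and recipient identical) the usual Sender Spoof Protection verdict stands; all addresses are constructed.

```python
"""Added example (not Barracuda's code): Sender Spoof Protection decision model."""
from typing import FrozenSet


def _domain(address: str) -> str:
    """Domain part of an email address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def sender_spoof_action(header_from: str, envelope_from: str, envelope_to: str,
                        exempt_senders: FrozenSet[str] = frozenset(),
                        enabled: bool = True) -> str:
    """Return 'continue' (normal SPF/DKIM/DMARC scanning proceeds),
    'exempt' (Sender Spoof Protection bypassed by an Exempt sender policy),
    or 'block'."""
    if not enabled:
        return "continue"

    to_domain = _domain(envelope_to)
    if _domain(header_from) != to_domain and _domain(envelope_from) != to_domain:
        # Not claiming to be our own domain: the normal authentication checks run.
        return "continue"

    # An Exempt sender policy bypasses the block, except when the sender and the
    # recipient are the identical address (assumption: the block then applies).
    for sender in (header_from, envelope_from):
        if sender.lower() in exempt_senders and sender.lower() != envelope_to.lower():
            return "exempt"

    # Same-domain match with no applicable exemption: blocked before SPF/DKIM/DMARC.
    return "block"


if __name__ == "__main__":
    exempt = frozenset({"crm@yourdomain.example"})
    print(sender_spoof_action("ceo@yourdomain.example", "bounce@evil.example",
                              "staff@yourdomain.example"))                    # block
    print(sender_spoof_action("crm@yourdomain.example", "crm@yourdomain.example",
                              "staff@yourdomain.example", exempt))            # exempt
    print(sender_spoof_action("crm@yourdomain.example", "crm@yourdomain.example",
                              "crm@yourdomain.example", exempt))              # block (same address)
```

The second and third calls show the cost of the exemption described above: once crm@yourdomain.example is exempt, any external system can send as that address to other users, and only the self-addressed case is still caught.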
Best Practices
Publish SPF, DKIM, and DMARC for your domain.
Avoid exemptions unless absolutely necessary.
Monitor DMARC reports to identify unauthorized senders.
Use all three mechanisms (SPF, DKIM, DMARC) together for maximum protection.