How to Configure SPF Policies in Email Gateway Defense

If you make setting changes, allow a few minutes for the changes to take effect.

Use the steps in this article to configure how Email Gateway Defense (EGD) evaluates and enforces Sender Policy Framework (SPF) results for inbound email.

Configure SPF for Inbound Mail

  1. Log into your Barracuda Cloud Control account, and click Email Gateway Defense in the left pane.

  2. Go to the Inbound Settings > Sender Authentication page, and select from the available options in the Enable Sender Policy Framework Checking section:

    • Hard Fail

      • Block – Messages with SPF hard fail are blocked. This is the default setting.

      • Quarantine – Messages with SPF hard fail are quarantined.

      • Off – No action taken on hard fail.

    • Soft Fail

      • Block – Messages with SPF soft fail are blocked.

      • Quarantine – Messages with SPF soft fail are quarantined.

      • Off – No action taken on soft fail. This is the default setting.

  3. Click Save Changes.

Exempt Trusted IP Addresses and Domains from SPF Checks

You can exempt mail relay servers and other machines from SPF checks. Mail from these IP addresses and domains is still scanned for spam.

Exemptions reduce protection and increase the risk of spoofing.

  1. Log into your Barracuda Cloud Control account, and click Email Gateway Defense in the left pane.

  2. Go to the Inbound Settings > Sender Authentication page, and in the Enable Sender Policy Framework (SPF) Checking section, use one or both of the following:

    • SPF Exemptions by IP Address – Enter the IP Address and Netmask and optional Comment. IPs in this list are exempt from SPF enforcement when the SPF check returns Hard Fail or Soft Fail.

    • SPF Exemptions by Domain – Enter the Domain and optional Comment. Domains in this list are exempt from SPF enforcement when the SPF check returns Hard Fail or Soft Fail.

    Note: SPF Hard Fail and Soft Fail share these exemption lists; adding an IP or domain exemption applies to both results.

Note: Usage requires exact matching after the @ sign. For example, domain.com will not work for sub.domain.com. You must create a separate entry for sub.domain.com.

  3. To add a single exemption, click Add in the Actions column, then click Save changes at the top right.
    To add, edit, or remove multiple exemptions at once, click Bulk Edit. Enter one exemption per line (for example, 192.0.2.10/32 or example.com), then click Save changes.


Block on No SPF Records

You can configure what happens when senders send mail from or through mail servers whose domains lack an SPF record.

  1. Log into your Barracuda Cloud Control account, and click Email Gateway Defense in the left pane.

  2. Go to the Inbound Settings > Sender Authentication page, and select one of the following in the Block on No SPF Records section:

    • Block – Messages from domains without SPF records are blocked.

    • Quarantine – Messages from domains without SPF records are quarantined.

    • Off – No action taken if the domain lacks an SPF record. This is the default setting.

  3. Click Save changes at the top right.

Additionally, if you have known/trusted contacts that send email from or through mail servers whose domains have no SPF records, you can create exemptions for these senders to allow their mail through while still blocking mail from other mail servers that do not have SPF records.

In the Missing SPF Exemptions section, you can exempt specific senders from the Block on No SPF Records policy:

  • Missing SPF Exemptions by IP Address – Enter the IP Address and Netmask and optional Comment. IPs in this list are exempt only from the Block on No SPF Records policy.

  • Missing SPF Exemptions by Domain – Enter the Domain and optional Comment. Domains in this list are exempt only from the Block on No SPF Records policy.

Note: Usage requires exact matching after the @ sign. For example, domain.com will not work for sub.domain.com. You must create a separate entry for sub.domain.com. Alternatively, use the Bulk Edit button to add, edit, or remove multiple IP or domain exemptions at once by entering one exemption per line.

Notes:

  • DMARC evaluation takes precedence over all independent sender authentication checks (SPF, DKIM, and related policies).

  • If a domain’s DMARC policy is in enforcement mode (reject or quarantine), that policy determines the final action, regardless of SPF or DKIM results or exemptions.
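
The following Python sketch is an added example, not Barracuda code. It models the inbound SPF settings and the two exemption lists as described above, so a planned Bulk Edit list can be checked against sample senders before it is saved. The result names, the function names and the choice of sender address to match are assumptions of this example, and the DMARC precedence in the notes above is not modelled.

```python
import ipaddress

# Documented defaults: hard fail Block, soft fail Off, no SPF record Off.
DEFAULTS = {"hardfail": "block", "softfail": "off", "none": "off"}

def parse_exemptions(text):
    """Split Bulk Edit style input (one entry per line) into networks and domains."""
    nets, domains = [], set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:            # not an IP/netmask, so treat it as a domain
            domains.add(entry)
    return nets, domains

def is_exempt(sender, client_ip, exemptions):
    """True if the sending IP or the sender's domain is on the given list."""
    nets, domains = exemptions
    domain = sender.rsplit("@", 1)[-1].lower()   # assumption: match on this address
    ip = ipaddress.ip_address(client_ip)
    # Exact match after the @ sign: domain.com does not cover sub.domain.com.
    return domain in domains or any(ip in net for net in nets)

def spf_action(result, sender, client_ip, spf_list, missing_list, policy=DEFAULTS):
    """Return 'block', 'quarantine' or 'off' for one message under the SPF settings."""
    if result in ("hardfail", "softfail"):
        exemptions = spf_list         # one list shared by hard fail and soft fail
    elif result == "none":
        exemptions = missing_list     # consulted only when no SPF record exists
    else:
        return "off"                  # other results are not covered by these settings
    if is_exempt(sender, client_ip, exemptions):
        return "off"
    return policy[result]

# Constructed sample lists and a stricter policy (documentation address ranges).
SPF_LIST = parse_exemptions("192.0.2.10/32\ndomain.com\n")
MISSING_LIST = parse_exemptions("partner.example\n")
STRICT = {"hardfail": "block", "softfail": "quarantine", "none": "block"}
```
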


Configure SPF for Outbound Mail

So that receiving mail servers recognize Barracuda Networks as an authorized sending mail service for outbound mail from Email Gateway Defense, add the following to the INCLUDE line of the SPF record for each domain sending outbound mail, based on your Barracuda Networks instance.

For more information, see Email Gateway Defense Outbound IP Ranges.

AU (Australia)

include:spf.ess.au.barracudanetworks.com -all

CA (Canada)

include:spf.ess.ca.barracudanetworks.com -all

DE (Germany)

include:spf.ess.de.barracudanetworks.com -all

IN (India)

include:spf.ess.in.barracudanetworks.com -all

UK (United Kingdom)

include:spf.ess.uk.barracudanetworks.com -all

US (United States)

include:spf.ess.barracudanetworks.com -all
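
The following Python helper is an added example, not Barracuda code. It merges the regional include from the list above into an existing SPF record and lints the result without querying DNS. The function names and the sample record are constructed for this example, and the checks for a single SPF record, mechanisms placed after all, and the 10-lookup limit come from RFC 7208 rather than from this page.

```python
# Include hosts per region, copied from the list on this page.
EGD_INCLUDE = {
    "AU": "spf.ess.au.barracudanetworks.com",
    "CA": "spf.ess.ca.barracudanetworks.com",
    "DE": "spf.ess.de.barracudanetworks.com",
    "IN": "spf.ess.in.barracudanetworks.com",
    "UK": "spf.ess.uk.barracudanetworks.com",
    "US": "spf.ess.barracudanetworks.com",
}
LOOKUP = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4

def name(term):
    """Mechanism or modifier name without qualifier and argument."""
    t = term.lstrip("+-~?").lower()
    return t.replace("=", ":").replace("/", ":").split(":", 1)[0]

def add_egd_include(record, region):
    """Return `record` with the regional include placed before its `all` term."""
    want = "include:" + EGD_INCLUDE[region]
    terms = record.split()
    if want in (t.lower() for t in terms):
        return record
    pos = next((i for i, t in enumerate(terms) if name(t) == "all"), None)
    if pos is None:                       # no `all` yet: end with the page's -all
        return " ".join(terms + [want, "-all"])
    return " ".join(terms[:pos] + [want] + terms[pos:])

def check_spf(txt_records, region):
    """Lint a domain's TXT strings (passed in by the caller; no DNS is queried)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:                     # several SPF records give a permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms, issues = [t.lower() for t in spf[0].split()[1:]], []
    if "include:" + EGD_INCLUDE[region] not in terms:
        issues.append("regional include is missing")
    alls = [i for i, t in enumerate(terms) if name(t) == "all"]
    if alls and any("=" not in t for t in terms[alls[0] + 1:]):
        issues.append("mechanisms after all are never tested")
    if "-all" not in terms:
        issues.append("record has no -all")
    # Lower bound only: lookups inside included records also count toward 10.
    if sum(name(t) in LOOKUP for t in terms) > 10:
        issues.append("more than 10 DNS-lookup terms")
    return issues

# Constructed sample record, not taken from a real domain.
SAMPLE = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
MERGED = add_egd_include(SAMPLE, "US")
```
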

