Mission: I want to simply block e-mails from non-existing domains.
Mission example: please block e-mails coming from ILoveMessi@BarcelonaWillWinClassico.com because this domain does not exist.
Tools: Microsoft Exchange 2010 Edge Transport / Forefront for Exchange 2010
Go to your Edge server, open the Exchange Management Shell and run:
Set-SenderIdConfig -SpoofedDomainAction Reject
Do this on every Edge server, since the Sender ID configuration is local to each one. This covers the mission because the Exchange Sender ID agent reports a sender domain that does not exist in DNS as a Fail (non-existent domain), and SpoofedDomainAction is the action taken on Fail.
If you have Forefront installed on the same box as the Edge role, open its Antispam configuration, go to the Sender ID section, enable Sender ID filtering and choose Reject as the action.
Theory, if interested
I will assume you have little to no idea about SPF and Sender ID, so if you already know about them, please skip this section.
Simply put, when an e-mail is sent from an external party to your Edge/Forefront server, the Edge first applies connection filtering, IP reputation checks and so on, and then performs the Sender ID check. Sender ID is Microsoft's variant of SPF: it takes the domain of the purported responsible address (PRA) from the message headers and evaluates the connecting IP against that domain's SPF record, so the SPF check is the core of the Sender ID check.
SPF, in simple words, is a record you publish in your public DNS to tell the whole world: "I am Contoso, these are the public IPs my e-mail is sent from, and if you receive e-mail from my domain that does not originate from those IPs, please do the following..." The "following" is expressed by the qualifier on the record's final all mechanism: -all asks receivers to fail the message, ~all to soft-fail it, ?all to treat it as neutral.
This is what happens when someone sends e-mail to Fabrikam from @contoso.com:
- A sender sends e-mail from his machine with a contoso.com sender address, and the message arrives at Fabrikam's Edge servers. The connection appears to come from the public IP 188.8.131.52.
- The Fabrikam Edge runs a couple of tests, including the Sender ID test, whose core is the SPF check. The Fabrikam Edge asks Contoso's public DNS for the SPF (TXT) record of contoso.com and evaluates the connecting IP 188.8.131.52 against it (in effect: "Hey Contoso DNS, I received e-mail from your SMTP domain originating from 188.8.131.52, what do you say?").
- The evaluation yields one of the following results: Pass, Fail, SoftFail, Neutral, None (the domain publishes no SPF record), TempError (transient DNS error) or PermError (malformed record). Exchange also reports a PRA domain that does not exist in DNS as Fail (non-existent domain).
- According to the result, the Edge consults its configuration to see how to act. For example, if the result is Fail, the Edge administrator can configure a reject action. Alternatively, instead of rejecting, the Edge can stamp the message headers with the result so that the downstream content filter and the end user's junk filter can decide what to do with it.
You can view the Sender ID configuration from the Exchange Management Shell on the Edge server by running Get-SenderIdConfig. By default SpoofedDomainAction is StampStatus, not Reject.
If you have Forefront installed on your Edge, open its Antispam configuration and you will find a Sender ID section. By default the setting is "Stamp header and continue processing". This setting maps directly to the Spoofed Email Action (SpoofedDomainAction) shown in the Get-SenderIdConfig output. Both control what happens when the SPF result is Fail.
Important note: SPF returns many result types (Fail, SoftFail, Neutral, None, ...), but Edge/Forefront only lets us choose an action for the Fail result (the only other configurable case is the separate TempErrorAction parameter of Set-SenderIdConfig, for transient DNS errors).
For all other SPF results the action is stamp the header and continue processing. The figure below shows what the stamp looks like when, for example, spoofing a Hotmail IP: the Hotmail SPF check result is SoftFail, so Edge/Forefront only stamps the message and delivers it. As far as I know, this behavior cannot be changed.
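To make the walkthrough above and the "only Fail is actionable" note concrete, here is an added example written for this page; it is not Exchange or Forefront code. It evaluates a connecting IP against SPF records held in a constructed, in-memory stand-in for public DNS (the domains, IPs and records are made up; the evaluator covers only the ip4, a, include and all mechanisms), then applies the Edge action the way the Sender ID agent does: SpoofedDomainAction governs Fail, including the non-existent-domain case from the mission, TempErrorAction governs TempError, and every other result is merely stamped. The softmail.example record models the Hotmail-style ~all case.

```python
import ipaddress

# Constructed stand-in for public DNS (not real records): domain -> records by type.
# A domain missing from this table models NXDOMAIN, i.e. the domain does not exist.
FAKE_DNS = {
    "contoso.com": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 a:mail.contoso.com include:_spf.example.net -all"],
        "A": ["198.51.100.10"],
    },
    "mail.contoso.com": {"A": ["198.51.100.25"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "softmail.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},  # Hotmail-style ~all
    "nospf.example": {"A": ["198.51.100.99"]},  # exists in DNS but publishes no SPF record
    # "barcelonawillwinclassico.com" is deliberately absent: NXDOMAIN
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MAX_DEPTH = 10  # cap on include nesting (real SPF caps total DNS lookups at 10)


def lookup(name, rtype):
    """Records of type rtype for name; [] if none, None if the name does not exist."""
    zone = FAKE_DNS.get(name.lower())
    return None if zone is None else zone.get(rtype, [])


def check_spf(ip, domain, depth=0):
    """Evaluate connecting IP `ip` against `domain`'s SPF record.

    Returns (status, reason) using Sender ID status names: Pass, Fail, SoftFail,
    Neutral, None, PermError. As Exchange's Sender ID agent does, a PRA domain
    that does not exist in DNS is reported as Fail (non-existent domain).
    """
    if depth > MAX_DEPTH:
        return "PermError", "too many include lookups"
    txt = lookup(domain, "TXT")
    if txt is None:
        return "Fail", "non-existent domain"
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return "None", "no SPF record published"
    if len(spf) > 1:
        return "PermError", "multiple SPF records"
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        qual = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            try:  # an IPv6 client never matches an ip4 network
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "PermError", f"bad network in ip4:{arg}"
        elif mech == "a":
            host = arg or domain
            matched = str(addr) in (lookup(host, "A") or [])
        elif mech == "include":
            # include matches only when the included record itself yields Pass
            matched = check_spf(ip, arg, depth + 1)[0] == "Pass"
        else:
            return "PermError", f"unsupported mechanism {mech}"
        if matched:
            return QUALIFIERS[qual], f"matched {qual}{mech}{':' + arg if arg else ''}"
    return "Neutral", "no mechanism matched"


def edge_action(status, spoofed_domain_action="StampStatus", temp_error_action="StampStatus"):
    """Action the Edge Sender ID agent takes for a status, mirroring Set-SenderIdConfig:
    SpoofedDomainAction applies to Fail, TempErrorAction to TempError, and every other
    status (SoftFail and Neutral included) is only stamped into the message headers."""
    for action in (spoofed_domain_action, temp_error_action):
        if action not in ("StampStatus", "Reject", "Delete"):
            raise ValueError(f"invalid action {action}")
    if status == "Fail":
        return spoofed_domain_action
    if status == "TempError":
        return temp_error_action
    return "StampStatus"


def simulate(ip, domain, spoofed_domain_action="Reject"):
    """Roughly what Test-SenderId reports, plus the action taken under the given config."""
    status, reason = check_spf(ip, domain)
    return status, reason, edge_action(status, spoofed_domain_action)


if __name__ == "__main__":
    cases = [("203.0.113.7", "contoso.com"), ("198.51.100.77", "contoso.com"),
             ("198.51.100.77", "softmail.example"), ("198.51.100.77", "nospf.example"),
             ("198.51.100.77", "barcelonawillwinclassico.com")]
    for ip, dom in cases:
        print(f"{ip:>15} {dom:<32} -> {simulate(ip, dom)}")
```

Running it with SpoofedDomainAction set to Reject shows the point of the note above: the spoofed contoso.com message and the non-existent domain both come back Fail and are rejected, while the ~all domain comes back SoftFail and the domain with no SPF record comes back None, and both of those are only stamped and delivered whatever SpoofedDomainAction says.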
The Exchange Management Shell on Edge servers also gives us an easy way to simulate Sender ID checks: Test-SenderId takes the connecting IP (-IPAddress) and the sender domain (-PurportedResponsibleDomain) and returns the status the agent would assign. The screenshots below show different simulations with different SPF results: