You may be receiving spam where the sender information is specified as your domain. In this case, the recommended solution would be to add both an SPF and Caller ID record for your email domain. This will ensure that spammers may not spoof your email domain when sending email to your Kerio MailServer. It will also prevent spoofing of your domain for messages sent to other email servers that perform lookups against SPF or Caller ID records.
Solution:
We will use the domain "example.com" as an example. The outgoing MailServer for this domain is mail.example.com, which resolves to 10.10.10.5. We want that any email containing 'example.com' in the 'From' header and SMTP envelope should be refused, unless it was sent from 10.10.10.5.
This will require a special DNS configuration called a TXT record. Note that many DNS hosting providers may not support configuration of such records. If you do not host your own DNS, you will need to contact your DNS hosting provider (usually the domain registrar) to find out if they will support configuration of TXT type DNS records. We will use Wifi4india Internet Services LLC in this example, as they support both SPF and Caller ID type TXT records.
Given an outgoing IP of 10.10.10.5, our SPF and Caller ID records would be created exactly this way:
SPF: "v=spf1 mx ip4:63.194.168.220 -all"
Caller ID:
<ep xmlns='http://ms.net/1'><out><m><a>10.10.10.5</a></m></out></ep>
Note that when configuring the Caller ID record, you must create a special host entry of _ep.yourdomain.com. For your email domain, you may simply replace the IP address from this example, with the outgoing IP address of your MailServer. In case you have multiple outgoing email servers for your domain, you can add them like this: SPF: ip4:63.194.168.220 ip4:63.194.168.221 ip4:63.194.168.222 Caller ID: 63.194.168.220 63.194.168.221 63.194.168.222
You may verify your records using the following commands: dig txt _ep.radiusadvertising.com +short dig txt radiusadvertising.com +short Or you can use the SPF checker at mxtoolbox.com and the Caller ID lookup at kerio.com/callerid
Considerations:
Not all DNS hosting providers support configuration of 'txt' type records. The previous example uses Wifi4india Internet Services LLC. Other providers such as Go Daddy may only support SPF, but not Caller ID as it uses XML data. If you do not host your own DNS, you will need to contact your DNS hosting provider to confirm that they support configuration of 'TXT' records.
If you have defined an IP address in your records (like in this example) you will need to update this record if the IP address of your mail server changes.
If you have created your own SPF record using the wizard at openspf.org, you will probably have a ~all at the end of the line. You will need to change this to -all in order to force a hard failure, as MailServer will not block a soft fail.
Users outside of your network will not be able to relay email through the outgoing SMTP server of their Internet Service Provider if they are sending email from the email domain configured with an SPF or Caller ID record. External users should always use the MailServer hosting their email domain for sending outgoing email. Some service providers may block SMTP protocol (TCP port 25). In this case you may specify an additional port for the SMTP service.