SPF

check.spf is the check module that verifies whether the IP address of the client is authorized to send messages for the domain in the MAIL FROM address.

SPF statuses are mapped to maddy check actions as specified by the *_action directives. By default, SPF failure results in the message being quarantined, and errors (both permanent and temporary) cause the message to be rejected. The Authentication-Results field is generated regardless of status.

DMARC override

The DMARC standard recommends not failing delivery based solely on SPF policy; instead, always check the DMARC policy and take action based on it.

If enforce_early is no, the check.spf module will not take any action on SPF policy failure if the sender domain has a DMARC record with a 'quarantine' or 'reject' policy. Instead, it will rely on DMARC support to take the necessary actions, using SPF results as an input.

Disabling enforce_early without enabling DMARC support will make SPF policies a no-op and is considered insecure.
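
The interaction described above, written out as a small decision model in Go. This is an added example, not maddy's own code: Config, Defaults, Decide and Unenforced are hypothetical names, and the model assumes the deferral to DMARC applies to every non-ignore action rather than only to 'fail'.

```go
package main

import "fmt"

// Config is a hypothetical stand-in for one check.spf block (not maddy's type).
type Config struct {
	EnforceEarly bool
	Actions      map[string]string // SPF result -> reject|quarantine|ignore
}

// Defaults returns the default values documented on this page.
func Defaults() Config {
	return Config{EnforceEarly: false, Actions: map[string]string{
		"none": "ignore", "neutral": "ignore", "softfail": "ignore",
		"fail": "quarantine", "permerror": "reject", "temperror": "reject",
	}}
}

// Decide returns the action check.spf itself applies and whether the verdict
// was left to DMARC. dmarcPolicy is the sender domain's published policy
// ("" when the domain has no DMARC record).
// Assumption: deferral covers every non-ignore action, not only 'fail'.
func Decide(c Config, spfResult, dmarcPolicy string) (string, bool) {
	action, ok := c.Actions[spfResult]
	if !ok || action == "ignore" { // 'pass' or an ignored result
		return "ignore", false
	}
	if !c.EnforceEarly && (dmarcPolicy == "quarantine" || dmarcPolicy == "reject") {
		return "ignore", true
	}
	return action, false
}

// Unenforced reports the gap the page warns about: the verdict was left to
// DMARC, but DMARC support is not enabled, so nothing acts on the failure.
func Unenforced(c Config, spfResult, dmarcPolicy string, dmarcEnabled bool) bool {
	_, deferred := Decide(c, spfResult, dmarcPolicy)
	return deferred && !dmarcEnabled
}

func main() {
	c := Defaults()
	// Constructed cases: SPF 'fail' against three sender DMARC policies.
	for _, dmarcOn := range []bool{true, false} {
		for _, policy := range []string{"", "none", "reject"} {
			act, deferred := Decide(c, "fail", policy)
			fmt.Printf("dmarc=%v policy=%q -> %s deferred=%v unenforced=%v\n",
				dmarcOn, policy, act, deferred, Unenforced(c, "fail", policy, dmarcOn))
		}
	}
}
```

In this model, a sender domain that publishes the strictest DMARC policy is exactly the one whose SPF failures go unacted on when DMARC support is off.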

Configuration directives

check.spf {
    debug no
    enforce_early no
    fail_action quarantine
    softfail_action ignore
    permerr_action reject
    temperr_action reject
}

Syntax: debug boolean
Default: global directive value

Enable verbose logging for check.spf.

Syntax: enforce_early boolean
Default: no

Make the policy decision at the MAIL FROM stage (before the message body is received). This makes it impossible to apply the DMARC override (see above).

Syntax: none_action reject|quarantine|ignore
Default: ignore

Action to take when SPF policy evaluates to a 'none' result.

See https://tools.ietf.org/html/rfc7208#section-2.6 for meaning of SPF results.

Syntax: neutral_action reject|quarantine|ignore
Default: ignore

Action to take when SPF policy evaluates to a 'neutral' result.

See https://tools.ietf.org/html/rfc7208#section-2.6 for meaning of SPF results.

Syntax: fail_action reject|quarantine|ignore
Default: quarantine

Action to take when SPF policy evaluates to a 'fail' result.

Syntax: softfail_action reject|quarantine|ignore
Default: ignore

Action to take when SPF policy evaluates to a 'softfail' result.

Syntax: permerr_action reject|quarantine|ignore
Default: reject

Action to take when SPF policy evaluates to a 'permerror' result.

Syntax: temperr_action reject|quarantine|ignore
Default: reject

Action to take when SPF policy evaluates to a 'temperror' result.