Educause Security Discussion mailing list archives

Re: SPAM filtering


From: John McCabe <john.mccabe01 () MANHATTAN EDU>
Date: Wed, 2 Oct 2019 13:46:24 -0400

Be careful using SPF or DKIM as spam indicators. Historically, spammers
were part of the first wave of SPF adopters. Also, DKIM key rotations can go
wrong.

We dealt with a vendor that kept breaking their required included SPF
record so our own SPF record kept flip-flopping between valid and invalid.

On Wed, Oct 2, 2019 at 12:30 PM Thomas Carter <tcarter () austincollege edu>
wrote:

I wasn’t sure which listserv to post this on, so I thought I’d give this
one a shot.



We recently switched to Barracuda for our spam filtering solution. We
started with the default settings, but have seen a large number of valid
messages getting flagged due to incorrect DKIM and/or SPF settings,
including other .edu domains. I’ve been trying to notify the ones we find,
but I wildly underestimated the number of domains with incorrect SPF
records; they have records, they just aren’t correct (e.g. they use Office
365 for email, but don’t have Microsoft’s SPF info in their record). I
think we’re going to have to back off on filtering based on them. Do you
flag emails based on SPF FAIL/soft FAIL or incorrect DKIM? Do you make sure
it’s correct at your institution?



*Thomas Carter*
Network & Operations Manager / IT

*Austin College*
900 North Grand Avenue
Sherman, TX 75090

Phone: 903-813-2564
www.austincollege.edu



**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community



-- 
*John McCabe*

*Senior Information Security Manager & Data Protection Officer*
*Information Technology Services*
Riverdale, NY 10471
Phone: 718-862-6217
john.mccabe01 () manhattan edu
www.manhattan.edu
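
Added example, not part of the thread or of any participant's message: a minimal Python evaluator for the `ip4`, `include` and `all` mechanisms of SPF (RFC 7208), showing how a malformed included record turns the including domain's result into `permerror` and how an unlisted hosted-mail range yields `softfail`. All domains, addresses and records are constructed, and DNS is replaced by a dictionary.

```python
import ipaddress

# Constructed TXT records standing in for DNS so the example runs offline.
ZONE = {
    "college.example": "v=spf1 include:spf.vendor.example ip4:192.0.2.0/24 -all",
    "spf.vendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # Sends through a hosted provider but never listed the provider's range.
    "other.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
# Same zone after the vendor publishes a malformed record (invalid prefix length).
BROKEN_ZONE = dict(ZONE, **{"spf.vendor.example": "v=spf1 ip4:198.51.100.0/33 -all"})

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone, depth=0):
    """Evaluate the ip4, include and all mechanisms of RFC 7208 against `zone`.

    Any other term is reported as permerror because this subset cannot evaluate it.
    """
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for this domain
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
            if addr in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include poisons the including record
            if inner == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"
```

Because `include` comes first in the constructed `college.example` record, even mail from the college's own range evaluates to `permerror` while the vendor record is malformed, and returns to `pass` once it is repaired.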
