You may be receiving spam where the sender information is specified as your domain. In this case, the recommended solution is to add both an SPF and a Caller ID record for your email domain. This will ensure that spammers cannot spoof your email domain when sending email to your Kerio Connect. It will also prevent spoofing of your domain for messages sent to other email servers that perform lookups against SPF or Caller ID records.
This example uses the domain "radiusadvertising.com". The outgoing Kerio Connect for this domain is mail.radiusadvertising.com, which resolves to 63.194.168.220. We want any email containing 'radiusadvertising.com' in the 'From' header and SMTP envelope to be refused unless it was sent from 63.194.168.220.
This will require a special DNS configuration called a TXT record. Note that many DNS hosting providers may not support configuration of such records. If you do not host your own DNS, you will need to contact your DNS hosting provider (usually the domain registrar) to find out if they will support configuration of TXT type DNS records. We will use Network Solutions in this example, as they support both SPF and Caller ID type TXT records.
Given an outgoing IP of 63.194.168.220, our SPF and Caller ID records would be created exactly this way:
SPF:
"v=spf1 mx ip4:63.194.168.220 -all"
Caller ID:
"<ep xmlns='http://ms.net/1'><out><m> <r>63.194.168.220</r> </m></out></ep>"
Note that when configuring the Caller ID record, you must create a special host entry of _ep.yourdomain.com (see the screenshot below).
For your email domain, you may simply replace the IP address from this example with the outgoing IP address of your Kerio Connect.
NOTE
In case you have multiple outgoing email servers for your domain, you can add them like this:
SPF: ip4:63.194.168.220 ip4:63.194.168.221 ip4:63.194.168.222
Caller ID: <r>63.194.168.220</r> <r>63.194.168.221</r> <r>63.194.168.222</r>
You may verify your records using the following commands:
dig txt _ep.radiusadvertising.com +short
dig txt radiusadvertising.com +short
Or you can use the SPF checker located here.
The following images are taken from the DNS editor of Network Solutions
Considerations
Not all DNS hosting providers support configuration of 'TXT' type records. The previous example uses Network Solutions. Other providers such as Go Daddy may support only SPF, but not Caller ID, as it uses XML data.
If you do not host your own DNS, you will need to contact your DNS hosting provider to confirm that they support configuration of 'TXT' records.
If you have defined an IP address in your records (as in this example), you will need to update this record if the IP address of your mail server changes.
If you have created your own SPF record using the wizard at openspf.org, you will probably have a ~all at the end of the line. You will need to change this to -all in order to force a hard failure, as Kerio Connect will not block a soft fail.
Users outside of your network will not be able to relay email through the outgoing SMTP server of their Internet Service Provider if they are sending email from the email domain configured with an SPF or Caller ID record. External users should always use the Kerio Connect hosting their email domain for sending outgoing email. Some service providers may block the SMTP protocol (TCP port 25). In this case you may specify an additional port for the SMTP service.
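The effect of the records above, and of the ~all versus -all ending described in the considerations, shown as an added Python example (not Kerio Connect's code and not part of the original article). It evaluates only the ip4, mx and all mechanisms; mx is resolved from the hypothetical mx_ips argument instead of DNS, the address 203.0.113.25 is constructed, and accepted() is an assumed model of the article's statement that only a hard fail is blocked.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip, mx_ips=()):
    """Return the SPF result for sender_ip under one TXT record string.

    Simplified: ip4, mx (looked up in mx_ips, not DNS) and all are
    evaluated; every other mechanism or modifier is skipped.
    """
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "mx":
            matched = str(ip) in mx_ips
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]  # first match decides
    return "neutral"  # nothing matched and no "all" term

def accepted(record, sender_ip):
    # Assumed model of the article's statement: only a hard fail is blocked.
    return evaluate_spf(record, sender_ip) != "fail"

# Records from the article; SOFT is the same record ending in ~all.
HARD = '"v=spf1 mx ip4:63.194.168.220 -all"'
SOFT = '"v=spf1 mx ip4:63.194.168.220 ~all"'
# Full record assembled here from the article's multi-server fragment.
MULTI = "v=spf1 ip4:63.194.168.220 ip4:63.194.168.221 ip4:63.194.168.222 -all"
SPOOFER = "203.0.113.25"  # constructed address from a documentation range

if __name__ == "__main__":
    for label, rec in (("-all", HARD), ("~all", SOFT), ("multi", MULTI)):
        for ip in ("63.194.168.220", "63.194.168.222", SPOOFER):
            verdict = "accepted" if accepted(rec, ip) else "refused"
            print(f"{label:5} {ip:15} {evaluate_spf(rec, ip):8} {verdict}")
```

With the ~all record the constructed address gets softfail and is still accepted, which is why the record must end in -all.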