SPF Softfail - Quarantine

Hi wesley DugganTo pass a DMARC check, the message needs to pass validation and alignment checks for SPF or DKIM. Have you tried enabling "DKIM verification" on the XG to see how it goes?

docs.sophos.com/.../index.html

Thanks for your response. I do already have DKIM verification enabled. However the bank in question currently has their DMARC policy set to none so SPF and DKIM verification will pass regardless if they don't actually align. I would prefer these mails get quarantined. 

I have been tracking this banks SPF, DKIM & DMARC config for quite some time now. 

That is not supported in SFOS. Central Email could block / quarantine those emails. Softfail should not be used in the wild for such scenarios. You should look into this and change it at least for your domain to hardfail. 

I dont control the domain in question. this bank has had extremely relaxed security policy when it comes to email for the last 4 years ive been monitoring it. They also happen to be the major source of spam or malicious emails for us.

A bit disappointed that this is not available in XG with an email protection license and that we would have to add on another subscription to our list.

I dont control the domain in question. this bank has had extremely relaxed security policy when it comes to email for the last 4 years ive been monitoring it. They also happen to be the major source of spam or malicious emails for us.

A bit disappointed that this is not available in XG with an email protection license and that we would have to add on another subscription to our list.

That is one of the reason, it is on the a la card section on SFOS. So you can actually decide to do it on the firewall or in Central. Central could be a better match for you. You can talk to sales to get the remaining run time get accounted and move to Central. 

BTW: Just to be clear: In SFOS you cannot interact on Softfail per se, but the technologies to block a Email based on other criteria is there (DMARC for example).