How to block domains that do not exist with MEG?

I am looking for a way to block non-existent domains (NXDOMAIN) from reaching our users.

Lots of spoofed emails are using non-existent domains, and the MEG antispam does not block them all!

I stumbled on a fix in 7.5p2 and 7.0p4 that seems to cover this area.

Has anyone tried this XML config change?

Is this the setting that will allow me to block domains that do not exist without causing more harm than good?

https://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24865/en_US/...

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24991/en_US/...

add an option for the Sender Policy Framework (SPF) check to reject email from any domain which does not exist (authoritative NXDOMAIN DNS response from the parent domain).
(Reference: KB78097. Supersedes: 7.0h878182, 7.0h882667, 7.0h894243, 7.0h903899.)

Add an option for the Sender Policy Framework (SPF) check to reject email from any domain which does not exist (authoritative NXDOMAIN DNS response from the parent domain).
(Reference: KB78097.)

Correct an error where the Sender Policy Framework (SPF) library could return an NXDOMAIN (non-existent status) for a valid domain when the SPF record for the domain has entries that are non existent and if SPF_FailOnNXDomain / PRA_FailOnNXDomain is enabled in the SMTP configuration.
(Low severity. Reference: KB79079.)

1 Reply

Re: How to block domains that do not exist with MEG ?

Hi dukebox,

The KB articles and documentation you are referring to are accurate.

When using SPF you may need to keep an open mind as to what the outcome will be. The problem is that, in practice, it is quite common to find SPF records that are not set in accordance with the RFC. This comment is also very much the same for SenderID or FCrDNS.

You will also find genuine senders that do not have either type of record available, so you need to make a decision on whether your policy will be strict or relaxed about enforcing SPF or any other form of DNS-based sender checks you choose to use.

It is difficult to cover all cases, so the best advice would be to test and monitor any policies you create and see if they cover your requirements.

As an aside, please have a look at this blog post, where I discuss options to prevent spoofing of internal domains with MEG by using permitted/blocked sender lists and SPF.

Hope this helps.
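
An added example, not part of the original thread and not McAfee's code: it separates the three cases the thread touches on (a sender domain that does not exist, a real domain with no SPF record, and a real domain whose SPF record includes a non-existent name) so the likely impact of a reject-on-NXDOMAIN policy can be counted before it is enabled. The in-memory `ZONE`, the domain names and the function names are assumptions made for illustration; a real check would query DNS.

```python
from collections import Counter

# Constructed DNS data (no network). A name missing from ZONE stands for an
# authoritative NXDOMAIN; an empty list means the name exists but has no TXT.
ZONE = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "nospf.example": [],
    "stale.example": ["v=spf1 include:gone.invalid ip4:198.51.100.7 -all"],
}

def lookup_txt(name):
    """Return (rcode, txt_records) for a name from the constructed zone."""
    name = name.lower().rstrip(".")
    if name not in ZONE:
        return "NXDOMAIN", []
    return "NOERROR", ZONE[name]

def spf_includes(txt_records):
    """Return include: targets of the first SPF record, or None if no SPF."""
    for txt in txt_records:
        terms = txt.split()
        if terms and terms[0].lower() == "v=spf1":
            return [t.lstrip("+-~?")[len("include:"):] for t in terms[1:]
                    if t.lstrip("+-~?").lower().startswith("include:")]
    return None

def classify_sender(domain):
    """Only NXDOMAIN for the sender domain itself is a 'does not exist' verdict."""
    rcode, txts = lookup_txt(domain)
    if rcode == "NXDOMAIN":
        return "sender-nxdomain"
    includes = spf_includes(txts)
    if includes is None:
        return "exists-no-spf"
    if any(lookup_txt(d)[0] == "NXDOMAIN" for d in includes):
        return "exists-broken-include"  # SPF error, not a non-existent sender
    return "exists-spf-ok"

def tally(envelope_senders):
    """Count verdicts per sender address to estimate a strict policy's impact."""
    return Counter(classify_sender(a.rsplit("@", 1)[-1]) for a in envelope_senders)

# Constructed envelope senders, as might be pulled from a mail log.
SAMPLE = ["a@good.example", "b@nospf.example", "c@stale.example",
          "d@spoofed.invalid", "e@spoofed.invalid"]

if __name__ == "__main__":
    for verdict, count in sorted(tally(SAMPLE).items()):
        print(f"{verdict}: {count}")
```

Only the `sender-nxdomain` bucket is what a reject-on-NXDOMAIN option should catch; a large `exists-broken-include` or `exists-no-spf` count signals genuine senders that a stricter SPF policy would affect.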
