How to allow messages blocked by SPAM/SPF or FRAUD/SPF

Created by Abderrahim Ibnou el kadi, Modified on Thu, 13 Jan 2022 at 02:52 PM by Abderrahim Ibnou el kadi

Problem:

Some messages are getting blocked because of SPAM and SPF, or FRAUD and SPF.

Cause:

When you check the message header in the Proofpoint portal under the log search, specifically in the scanning information section (as in the screenshot below), you should see that the cause is a combination of SPAM (Very High) and SPF (Soft/Hard fail).

Figure 1: 

Figure 2:

 

Solution:

Before we talk about the solution in this case, I would like to explain what happens when the Anti-spoofing feature is turned ON versus when it is OFF:

Anti-spoofing policies ON

All incoming messages are verified against SPF first, and if the check returns a Soft Fail or Hard Fail, the system blocks the message in the quarantine as FRAUD/SPF.

Anti-spoofing policies OFF

All incoming messages are checked against SPAM (after SPF verification is done first), and if the message has spammy content and also an SPF Soft/Hard fail, the system combines both results and quarantines the message, as shown in the screenshot above.

So the solution would be one of the steps below:

  1. Add the sender to the trusted list (Email > Sender List) and/or submit the messages as false positives and let support [@] vircom.com know, so we can open a ticket and follow up with our recommendations (Figure 1).
  2. If the Anti-spoofing feature is turned on, you will need to do one of the following (Figure 2):
  • Add the sending domain to the Anti-spoofing Exception list. This is not the ultimate solution we recommend, because anyone can spoof that domain and the system will let the message through since the domain is trusted.
  • Or ask the sender to add the sending IP address to their SPF record.