Sender Policy Framework SPF


Much of this article can be found on http://spf.pobox.com. Have you ever gotten spam from yourself? We have, and we have been thinking hard about how to stop it! We didn't send it. It came from a spammer. If we could stop spammers from forging mail, we could easily tell spam from ham and block the bad stuff.

Sender Policy Framework (SPF) makes it easy for a domain, whether it's an ISP, a business, a school or a vanity domain, to say, «I only send mail from these machines. If any other machine claims that I'm sending mail from there, they're lying.»

As an example, akadia.com is the sending domain, and arkum.ch is the receiver. Akadia.com publishes an SPF record, specifying which computers on the Internet can send mail as user@akadia.com.

  1. When a real Akadia user sends mail, arkum.ch receives the message from an Akadia server.
  2. Arkum checks Akadia's SPF record, to make sure the server is allowed to send mail from Akadia.
  3. If the server is listed, so Arkum gives the message a pass. If the server is not listed, so Arkum gives the message a fail. When a spammer forges mail from Akadia, Arkum receives the messages from an outside server.

DNS Setup (Publishing SPF)

Suppose akadia.com wants to publish SPF, so it adds the following line to its DNS zone file:

akadia.com. IN TXT "v=spf1 a mx ptr -all"

The v=spf1 version string identifies this as an SPF record. The -all means reject all mail by default. Domains that don't send any mail,  can get by with simply v=spf1 -all. But if the domain does send mail, it declares mechanisms that describe how legitimate mail should look. Mechanisms go in the middle, before
 -all. The first mechanism to match provides a result for the SPF query. -all always matches and so belongs at the end.

  • A: the A mechanism means the IP address of akadia.com is permitted to send mail from akadia.com. If you want to say the IP address of some-other.com is permitted, you can say a:some-other.com. You can use as many A mechanisms as you want.
  • MX: the MX mechanism means the MX servers for akadia.com all are permitted to send mail from akadia.com. If you want to say the MX servers for some-other.com are permitted, you can say mx:some-other.com. You can use as many MX mechanisms as you want.
  • PTR: the PTR mechanism says if a host has a PTR record that ends in akadia.com, it is permitted to send mail from akadia.com. If you want to say servers whose names end in some-other.com are permitted to send mail from akadia.com, you can say ptr:some-other.com. You can use as many PTR mechanisms as you want.
  • IP4: to say the network of is permitted to send mail from akadia.com, you would write ip4:

Mechanisms are interpreted left-to-right. Using v=spf1 a mx ptr -all first would check whether the connecting client was found in the A record for the domain or, failing that, in its list of MX servers. Then the MTA would check to see whether the hostname of the client matched the domain. If none of the mechanisms matched, -all would be evaluated, the result would be fail and the MTA would be justified in rejecting the mail.

You can query the SPF record with the host command:

host -tTXT akadia.com
akadia.com text "v=spf1 ip4: -all"

Checking SPF (with SpamAssassin)

SpamAssassin 3.0 supports SPF to detect and penalize header forgery. This requires Mail::SPF::Query, a relatively new package that's not yet installed on most machines. You can confirm whether you have it by entering:

perl -e 'require Mail::SPF::Query'

If you get the error "Can't locate Mail/SPF/Query.pm in @INC..." you need it.

To install Mail::SPF::Query, do the following:

Get it from http://search.cpan.org

perl Makefile.PL
make test
make install

Test SpamAssassin installation

You can test SPF by entering:

spamassassin -D < sample-nonspam.txt

and carefully reviewing the output. Specifically, look for the following lines:

debug: registering glue method for check_for_spf_helo_pass

More Information to SpamAssassin, Amavisd, Postfix can be found here.