Much of this article can be found on http://spf.pobox.com. Have you ever gotten spam from
yourself? We have, and we have been
thinking hard about how to stop it! We didn't send it. It came
from a spammer. If we could stop spammers from forging mail, we could easily tell
spam from ham and block the bad stuff.
Sender Policy Framework (SPF) makes it easy for a domain,
whether it's an ISP, a business, a school or a vanity domain, to say, «I only send mail from these
machines. If any other machine claims that I'm sending mail from there, they're
As an example, akadia.com is the sending domain, and
arkum.ch is the receiver. Akadia.com publishes an SPF record, specifying which
computers on the Internet can send mail as email@example.com.
- When a real Akadia user sends mail, arkum.ch receives the message from an Akadia
- Arkum checks Akadia's SPF record, to make sure the server is
allowed to send mail from Akadia.
- If the server is listed, so
Arkum gives the message a pass.
If the server is not listed, so
Arkum gives the message a fail.
When a spammer forges mail from Akadia, Arkum
receives the messages from an outside server.
DNS Setup (Publishing SPF)
Suppose akadia.com wants to publish SPF,
so it adds the following line to its DNS zone file:
akadia.com. IN TXT "v=spf1 a mx
The v=spf1 version string identifies this as an SPF
record. The -all means reject all mail by default.
Domains that don't send any mail, can get by with simply v=spf1 -all. But if the domain does send mail, it declares
mechanisms that describe how legitimate mail should look. Mechanisms go in the middle,
-all. The first mechanism to match provides a
result for the SPF query. -all always matches and so
belongs at the end.
- A: the A mechanism means the IP address of akadia.com is permitted to send mail from akadia.com. If you want to say the IP address of some-other.com is
permitted, you can say a:some-other.com. You can use as
many A mechanisms as you want.
- MX: the MX mechanism means the MX servers for akadia.com all are permitted to send mail from akadia.com. If you want to say the MX servers for some-other.com are
permitted, you can say mx:some-other.com. You can use
as many MX mechanisms as you want.
- PTR: the PTR mechanism says if a host has a PTR record that ends in
akadia.com, it is permitted to send mail from akadia.com. If you want to say servers whose names end in some-other.com
are permitted to send mail from akadia.com, you can say
ptr:some-other.com. You can use as many PTR mechanisms
as you want.
- IP4: to say the network of 126.96.36.199/28 is permitted to send mail from
akadia.com, you would write ip4:188.8.131.52/28.
Mechanisms are interpreted left-to-right. Using v=spf1 a mx
ptr -all first would check whether the connecting client was found in the A record
for the domain or, failing that, in its list of MX servers. Then the MTA would check to
see whether the hostname of the client matched the domain. If none of the mechanisms
matched, -all would be evaluated, the result would be fail and the MTA would be justified
in rejecting the mail.
You can query the SPF record with the host command:
host -tTXT akadia.com
akadia.com text "v=spf1 ip4:184.108.40.206/28 -all"
Checking SPF (with SpamAssassin)
SpamAssassin 3.0 supports SPF to
detect and penalize header forgery. This requires Mail::SPF::Query, a relatively new
package that's not yet installed on most machines. You can confirm whether you have it by
perl -e 'require Mail::SPF::Query'
If you get the error "Can't locate Mail/SPF/Query.pm in @INC..."
you need it.
To install Mail::SPF::Query, do the following:
Get it from http://search.cpan.org
You can test SPF by entering:
spamassassin -D < sample-nonspam.txt
and carefully reviewing the output. Specifically, look for the
debug: registering glue method for check_for_spf_helo_pass
More Information to SpamAssassin, Amavisd, Postfix
can be found here.