December 18, 2009

Read an introduction to what SPF is

An Example Policy

Let's look at an example to give you an idea of how SPF works. Bob owns the domain example.net. He also sometimes sends mail through his GMail account. Since he often receives bounces about messages he didn't send, he decides to publish an SPF record in order to reduce the abuse of his domain in e-mail envelopes:

example.net. TXT "v=spf1 mx a:pluto.example.net include:gmail.com -all"

The parts of the SPF record mean the following:

* v=spf1 - SPF version 1
* mx - the incoming mail servers (MXes) of the domain are authorized to also send mail for example.net
* a:pluto.example.net - the machine pluto.example.net is authorized, too
* include:gmail.com - everything considered legitimate by gmail.com is legitimate for example.net, too
* -all - all other machines are not authorized

http://www.openspf.org/Introduction


I've set up records, how do I test?

There are two types of SPF testers available. Those that you send email to are good for testing how email sent from the computer you are sitting at will actually be handled. Those that let you fill in the appropriate information can simulate an SPF check from any sender and from anywhere.

Email based SPF testers

* You can send mail to spfenabled@pobox.com and see what happens. If you send mail from an unlisted server it will be rejected. Please don't make up bogus addresses if that would cause random third parties to get mysterious bounce messages.
* Port25.com also provides a tool to test whether SPF is working. Send an email to check-auth@verifier.port25.com and you will receive a reply containing the results of the SPF check.
* The ESPC also provides an SPF verification tool

http://old.openspf.org/faq.html#checkers


SPF allows the owner of an Internet domain to use a special format of DNS TXT record to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines are authorized to send e-mail whose e-mail address in the Return-Path ends with "@example.org". Receivers checking SPF can then reject any e-mail that claims to come from that domain but fails a check against the IPs listed in the sender policy of this domain.

SPF protects the address in the Return-Path, that is, the address to which bounces would be sent if the mail is not delivered. While the address in the Return-Path often matches other originator addresses in the mail header like "From:" or "Sender:", this is not necessarily the case, and SPF does not prevent forgeries of these other addresses.

Spammers can send e-mail with an SPF PASS result if they have an account in a domain with a sender policy, or abuse a compromised system in this domain. However, doing so makes the spam easier to trace and prosecute. An SPF PASS result from unknown strangers still guarantees that auto-replies like error messages (bounces) cannot hit innocent bystanders.

The main benefit of SPF is to people whose e-mail addresses are forged in Return-Paths. They receive a large mass of unsolicited error messages and other auto-replies, making it difficult to use e-mail normally. If such people use SPF to specify their legitimate sending IPs with a FAIL result for all other IPs, then receivers checking SPF can reject forgeries, already reducing the amount of back-scatter. More importantly, spammers who know their trade will avoid forging SPF FAIL protected addresses, because they want to reach as many of their primary victims as possible - there are more than enough unprotected addresses for this abuse.

SPF has potential advantages beyond helping identify unwanted e-mail. In particular, if a sender provides SPF information, then receivers can use SPF PASS results in combination with a white list to identify known reliable senders. Scenarios like compromised systems and shared sending mailers limit this use, but at least auto-replies cannot hit innocent bystanders.
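To make both the example policy for example.net above and the Return-Path check described here concrete, the following is an added Python sketch of how a receiver evaluates an SPF record. It is not code from openspf.org or from any SPF library. The DNS data is constructed inline (documentation addresses, invented hostnames such as mail.example.net and pluto.example.net, and a made-up record for gmail.com) so it runs offline, and the evaluator covers only the mechanisms the example record uses (a, mx, ip4, ip6, include, all), without CIDR suffixes on a/mx, macros, redirect or exists. It also goes one step beyond the text by showing that only the domain of the Return-Path (MAIL FROM) is checked, so a forged "From:" header is never consulted.

```python
import ipaddress

# Constructed DNS data standing in for real lookups, so the example runs offline.
# None of these addresses or hostnames are real records for these domains.
FAKE_DNS = {
    "example.net": {
        "TXT": ["v=spf1 mx a:pluto.example.net include:gmail.com -all"],
        "MX": ["mail.example.net"],
        "A": ["192.0.2.10"],
    },
    "mail.example.net": {"A": ["192.0.2.25"]},
    "pluto.example.net": {"A": ["192.0.2.50"]},
    # Invented record: gmail.com's real policy is not reproduced here.
    "gmail.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

# Qualifier prefix of a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed data."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt == "v=spf1" or txt.startswith("v=spf1 "):
            return txt
    return None


def ip_in_hosts(ip, hostnames):
    """True if ip equals any A record of any of the given hostnames."""
    return any(ip == ipaddress.ip_address(a)
               for host in hostnames for a in lookup(host, "A"))


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for the connecting ip.

    Returns pass, fail, softfail, neutral, none or permerror. Mechanisms are
    tried left to right; the first match decides, and a record with no match
    defaults to neutral (the example policy avoids that with -all).
    """
    if depth > 10:  # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip_in_hosts(ip, [arg or domain])
        elif name == "mx":
            matched = ip_in_hosts(ip, lookup(arg or domain, "MX"))
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain must publish a usable record
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism not supported by this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def receiver_decision(client_ip, mail_from, header_from):
    """Decide what to do with a message, the way an SPF-checking receiver would.

    Only the domain of mail_from (the envelope sender / Return-Path) is
    checked; header_from is accepted as a parameter purely to make the point
    that SPF never looks at it. Returns (result, action, checked_domain).
    """
    checked_domain = mail_from.rsplit("@", 1)[1]
    result = check_host(client_ip, checked_domain)
    action = "reject" if result == "fail" else "accept"
    return result, action, checked_domain


if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.50", "198.51.100.7", "203.0.113.9"):
        print(ip, "->", check_host(ip, "example.net"))
    # Forged From: header with an unprotected envelope domain is not caught by SPF.
    print(receiver_decision("203.0.113.9", "anyone@example.com", "bob@example.net"))
```

Running the block shows the MX host and pluto.example.net passing, an address inside the included gmail.com range passing, and any other address failing because of -all. The last line illustrates the Return-Path caveat from the text: with an envelope sender in a domain that publishes no record, the result is none and the message is accepted even though the "From:" header claims example.net.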


The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.
