Sender Policy Framework

I’d been assuming that there wasn’t much to be done about cases where spam got through my email filters by dint of having forged my own email address into the “From” field, or to inform others that, no, it wasn’t my server that’s been sending spam with the forged “From” information. I was wrong: there is something to be done, and one of those things is setting up Sender Policy Framework (SPF) information.

SPF is a standard for specifying which hosts may legitimately send email that bears a particular domain name. This is done via Domain Name System (DNS) records that can be queried. If one is managing a DNS server directly, the SPF information can be specified in the zone record. If one is using a domain registrar’s DNS interface, then one is going to set a TXT record to do the job. The syntax is pretty simple, and there is an online form to help generate what goes in a TXT record to set up your SPF.

The TXT record contents I just set all my domains to use are as follows:

v=spf1 a mx ptr ip4: ip4: -all

The “v” field specifies the version of SPF being used. Following that, there is a series of mechanisms that tell which hosts are legitimate senders of email for the domain. First, “a” means that all addresses in the domain’s DNS A records are legitimate. Similarly, “mx” and “ptr” say that addresses associated with the domain’s MX and PTR records are legitimate. (The Pobox online form linked above deprecates the PTR record use.) There are two servers that specifically may send email, and I’ve included their IPv4 dotted-quad addresses using the “ip4:nnn.nnn.nnn.nnn” format. The final parameter, “-all”, says that no other addresses legitimately may claim to send email on behalf of my domain. So, if you have a domain that never sends email, you could set SPF with the following TXT record:

v=spf1 -all
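
The check a receiving server makes against such a record can be sketched in Python. This is an added example, not code from the original post: the domain example.com, the documentation-range addresses and the FAKE_DNS table are constructed so that it runs offline, and it covers only the mechanisms used above ("ptr" is treated as never matching, since reverse DNS is not modelled).

```python
import ipaddress

# Constructed stand-in for DNS answers (example.com and the RFC 5737
# documentation addresses); a real checker would query DNS instead.
FAKE_DNS = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _has_a(name, ip):
    """True if one of name's (constructed) A records equals ip."""
    return any(ipaddress.ip_address(a) == ip for a in FAKE_DNS.get((name, "A"), []))

def check_spf(record, domain, sender_ip):
    """Evaluate record left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:               # e.g. "ip4:" with no address
                return "permerror"
        elif name == "a":
            matched = _has_a(arg or domain, ip)
        elif name == "mx":
            hosts = FAKE_DNS.get((arg or domain, "MX"), [])
            matched = any(_has_a(h, ip) for h in hosts)
        elif name == "ptr":
            matched = False                  # simplification: reverse DNS not modelled
        else:
            return "permerror"               # outside this sketch's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no "all" present

RECORD = "v=spf1 a mx ptr ip4:198.51.100.7 ip4:203.0.113.0/28 -all"  # constructed
if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.25", "203.0.113.5", "203.0.113.99"):
        print(addr, check_spf(RECORD, "example.com", addr))
```

Because evaluation stops at the first match, the order of mechanisms matters, and "-all" only has its effect when it comes last.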

Now, this only helps if SMTP agents receiving email bother to check SPF information. One way this can happen is with the SpamAssassin email filtering system, when it is set to make SPF queries. This is the step that I’m working on on my servers. I have one that doesn’t have SpamAssassin installed, so adding SPF_QUERY is simply a configuration checkbox away. The other one has SpamAssassin running, but the configuration did not include SPF_QUERY, so I have to figure out how to get that enabled.

For those using the FreeBSD OS and wanting to set up SpamAssassin, here’s a helpful page.

I ran across this while investigating how to use SpamAssassin in conjunction with my bulletin board on Recently, porn and drug spammers have managed to enter comments on the BB, so I’d like to pass comment text to SpamAssassin and get an indication of spam/not spam. I think that I can do this using “spamc -c”, but I still have a batch of work to do to get to that point. If anyone has an alternate approach I should consider, let me know.

Wesley R. Elsberry
