Hi *

SPF provides a mechanism for designating valid outbound SMTP servers for a 
certain domain. This value is then matched against the Envelope-From 
(Return-Path) of an e-mail (except for SA 3.0, which also does HELO 
header checking, but that's non-standard and merely a fallback mechanism).

The main reason, I guess, for slow SPF adoption is the fear of breaking 
something. As a hosting-only provider we were facing the additional problem 
that many customers are not using our SMTP server (even though they are 
advised to do so) but their ISP's. Forcing them to use our SMTP is not an 
option, so we were looking for a way of implementing SPF without breaking 
anything.

SPF is implemented as a DNS TXT record. Here's an example:

  "v=spf1 mx -all"

To break this down:

  v=spf1     SPF identifier
  mx         This means that all servers listed as MX are also allowed to act
             as outbound mail servers
  -all       "all" describes what should happen if the client ip does not
             match any rule in the SPF record. This can be prefixed by:
             "-" fail, "~" soft fail, "+" pass and "?" neutral. More about
             mechanisms is described here:

  http://spf.pobox.com/mechanisms.html

Records for our customers' domains look like this:

  "v=spf1 mx ?all"

This means that if a mail comes from our server "mx", it can be considered 
legitimate. If it comes from another one, "?all" says: don't do anything. 
This is far from optimal, but at least we can give a hint on which server(s) 
are explicitly allowed to send mail. This information can be used for 
whitelisting.

SPF is a community effort which will only work if everyone publishes their 
records, and you are hereby encouraged to do so :) If you follow the above 
example you won't break anything. More information on SPF is available here 
(see "Find out more about SPF for: .. Sysadmins"):

  http://spf.pobox.com/

Here's a wizard to generate SPF records:

  http://spf.pobox.com/wizard.html

-- 
Kind Regards

Daniel Lorch 
Full-time SPF evangelist

Hostpoint GmbH        | The Data Residence    |
Zürcherstrasse 2      | 8640 Rapperswil       | Schweiz

Tel  +41 55 220 0404  | Fax  +41 55 220 0409  | www.hostpoint.ch

_______________________________________________
swinog mailing list
[EMAIL PROTECTED]
http://lists.init7.net/cgi-bin/mailman/listinfo/swinog

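The following is an added example, not part of the post above and not Hostpoint's code: a small Python evaluator for v=spf1 records that shows how "v=spf1 mx -all" and "v=spf1 mx ?all" differ for a sending IP that is not one of the domain's MX hosts. DNS answers come from a constructed in-memory table (no network access), and all domain names and addresses (RFC 5737 documentation ranges) are invented for the example. It also handles ip4, a and include mechanisms, which the post does not cover; include is simplified to "matches if the included record yields pass", and the temperror/permerror cases of the real check_host function are left out.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed DNS table.

Added example, not code from the original mailing-list post. Domain names,
hosts and IPs are invented; DNS lookups are served from the dict below.
"""
import ipaddress

# Constructed DNS data (assumption: these records exist only in this example).
DNS = {
    "MX": {
        "example.ch": ["mail.example.ch"],
        "customer.example": ["mail.example.ch"],   # customer hosted on example.ch
    },
    "A": {
        "mail.example.ch": ["192.0.2.25"],
        "customer.example": ["192.0.2.80"],
    },
    "TXT": {
        "example.ch": "v=spf1 mx -all",          # strict: anything else fails
        "customer.example": "v=spf1 mx ?all",    # the post's "won't break anything" variant
        "partner.example": "v=spf1 ip4:203.0.113.0/24 include:example.ch ~all",
    },
}

# Qualifier prefix -> SPF result; a mechanism without prefix is "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype, name):
    """Return the list of RRs of the given type for name (empty if none)."""
    return DNS[rrtype].get(name.lower(), [])


def spf_record(domain):
    """Return the v=spf1 TXT record for domain, or None if it publishes none."""
    txt = DNS["TXT"].get(domain.lower())
    if txt and txt.lower().startswith("v=spf1 ") or txt == "v=spf1":
        return txt
    return None


def _ip_in_a_records(client_ip, host):
    return any(client_ip == ipaddress.ip_address(a) for a in lookup("A", host))


def _mechanism_matches(mech, client_ip, domain):
    """True if client_ip matches one mechanism (qualifier already stripped)."""
    name, _, arg = mech.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name == "ip4":
        # "ip4:203.0.113.0/24" or "ip4:203.0.113.9" (a bare address is a /32)
        return client_ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return _ip_in_a_records(client_ip, arg or domain)
    if name == "mx":
        # Every A record of every MX host of the domain is an allowed sender.
        return any(_ip_in_a_records(client_ip, mx) for mx in lookup("MX", arg or domain))
    if name == "include":
        # Simplified: only a "pass" from the included record counts as a match.
        return check_host(str(client_ip), arg) == "pass"
    raise ValueError(f"unsupported mechanism {mech!r}")


def check_host(ip, domain):
    """Evaluate domain's SPF record for the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none. Mechanisms are tried
    left to right; the first match decides. If nothing matches (no "all"
    term), the result is neutral, as in RFC 4408.
    """
    client_ip = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if _mechanism_matches(term, client_ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    # 192.0.2.25 is the MX host; 198.51.100.7 is a customer's ISP relay.
    for ip, domain in [("192.0.2.25", "example.ch"), ("198.51.100.7", "example.ch"),
                       ("192.0.2.25", "customer.example"), ("198.51.100.7", "customer.example"),
                       ("203.0.113.9", "partner.example"), ("198.51.100.7", "partner.example")]:
        print(f"{ip:>14}  {domain:<18} -> {check_host(ip, domain)}")
```

The relay at 198.51.100.7 is rejected by the "-all" record but only gets "neutral" from the "?all" record, which is exactly the no-break property the post relies on; a receiver that whitelists on "pass" still benefits, because mail from the listed MX host passes either way.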