Sender Policy Framework (SPF)


The Sender Policy Framework (SPF) prevents sender address forgery. It protects the envelope sender address, which is used for the delivery of messages. SPF allows the owner of a domain to publish a mail-sending policy, such as which mail servers are allowed to send mail from that domain.


The objective is that other mail systems can check to make sure the server sending email from that domain is authorized to do so. It reduces the chance of email spoofing, phishing schemes and spam.

SPF Record Format

example.com. TXT "v=spf1 mx a:pluto.example.com include:aspmx.googlemail.com -all"

Explanation

  • v=spf1 means SPF version 1.

  • mx authorizes the domain's incoming mail servers (its MX hosts) to send mail.

  • a:pluto.example.com means that the machine pluto.example.com is authorized too.

  • include:aspmx.googlemail.com means that every sender passing the SPF record of aspmx.googlemail.com (Google's mail servers) is considered legitimate for example.com too.

  • -all means all other machines are not authorized.

The SPF record always starts with the v= element. This indicates the SPF version that is used. One or more terms follow the version indicator. These define the rules for which hosts are allowed to send mail from the domain, or provide additional information for processing the SPF record. Terms are made up of mechanisms and modifiers.

The include mechanism allows you to authorize hosts outside of your administration by specifying their SPF records.

The all mechanism matches any sender IP address. It is used as the last mechanism and defines how to handle any sender IP that did not match the previous mechanisms. Every mechanism may carry a qualifier that says how a match is to be handled:

  • + for pass
  • - for fail
  • ~ for soft fail
  • ? for neutral

A mechanism without a qualifier is treated as pass, which is the same as the + qualifier. If no mechanism matches at all, the result is neutral.

SPF and DKIM

Along with SPF, you should also add DKIM (DomainKeys Identified Mail).

SPF is a DNS text entry that lists the servers allowed to send mail for a specific domain. DKIM is a method to verify that the contents of a message are trustworthy, meaning that they were not changed after the message left the initial mail server.

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM: it lets the domain owner publish a clear policy for messages that fail authentication and an address to which receivers send reports with statistics about the mail they have seen for that domain.

How Does it Work

Upon receipt of an email, the receiving mail server takes the message and the envelope sender address. It runs a TXT DNS query for the claimed domain to fetch its SPF record and uses that record to verify whether the sending server is authorized. If the check fails, a rejection message is returned to the sending server.
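The following is an added example, not code from the original page: a small, simplified SPF evaluator that implements the record format and qualifier rules described above and the receiver-side check just described. DNS is replaced by an in-memory table (constructed for this example, using documentation IP ranges) so it runs offline; the mx, a, ip4, ip6, include and all mechanisms are handled, modifiers such as redirect= are skipped, and the RFC 7208 DNS-lookup limit is approximated by a recursion depth cap.

```python
import ipaddress
import re

# Constructed stand-in for DNS so the example runs offline.
# Keys are (name, record type); values are lists of answers.
FAKE_DNS = {
    ("example.com", "TXT"): [
        "v=spf1 mx a:pluto.example.com include:aspmx.googlemail.com -all"
    ],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("pluto.example.com", "A"): ["203.0.113.20"],
    # Constructed record for the included domain (not Google's real record).
    ("aspmx.googlemail.com", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

# Qualifier prefix -> SPF result name.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.-]*=", re.IGNORECASE)


def lookup(name, rtype):
    """Simulated DNS query: returns the answer list, or [] if nothing exists."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Fetch the single v=spf1 TXT record of a domain, or None if there is none."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def host_matches(name, ip):
    """True if any A record of `name` equals the sender IP."""
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, "A"))


def _evaluate(ip, domain, depth):
    if depth > 10:                      # rough stand-in for the lookup limit
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:     # skip the "v=spf1" version element
        qualifier = "+"                 # no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if MODIFIER_RE.match(term):
            continue                    # redirect=, exp=: not handled here
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = host_matches(arg or domain, ip)
        elif name == "mx":
            matched = any(host_matches(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # include matches only if the other domain's record yields pass
            matched = _evaluate(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched, no "all" present


def check_host(ip, domain):
    """Evaluate the SPF policy of `domain` for a sending host `ip` (string)."""
    return _evaluate(ipaddress.ip_address(ip), domain, 0)


if __name__ == "__main__":
    for sender in ("203.0.113.10", "203.0.113.20", "198.51.100.7", "192.0.2.1"):
        print(sender, "->", check_host(sender, "example.com"))
```

Running the block shows the four outcomes of the page's example record: the MX host and pluto.example.com pass directly, a host inside the included record's ip4 range passes through include, and any other address hits -all and fails. A real receiver would map fail to a rejection at SMTP time and typically treat softfail and neutral as input to spam scoring rather than as a hard decision.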

Types of E-Mail Abuse

  • Spammers want to avoid receiving non-delivery notifications (bounces) to their real addresses.

  • Fraudsters want to cover their tracks and remain anonymous.

  • Computer worms want to cause confusion or just don’t care about which sender addresses they use.

  • Phishers (password fishers) want to impersonate well-known, trusted identities in order to steal passwords from users.

Sender Addresses in E-Mail

Like traditional paper letters, e-mail messages have at least two kinds of sender addresses: one on the envelope and one in the letterhead.

The envelope sender address (return-path) is used during the transport of the message from mail server to mail server, for example to return the message to the sender when delivery fails. It is usually not displayed to the user by mail programs.

The header sender address of an e-mail message is contained in the "From" or "Sender" header and is what is displayed to the user by mail programs. Generally, mail servers do not care about the header sender address when delivering a message.
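Because SPF only covers the envelope sender, a message can pass SPF while showing an unrelated domain in the From header the user sees. The following added example (not code from the original page) extracts both addresses from a constructed message and applies the DMARC notion of SPF alignment, which requires the envelope domain and the From domain to match (exactly in strict mode, or at the organizational-domain level in relaxed mode). The organizational-domain helper is a simplification that keeps the last two labels instead of consulting a public-suffix list.

```python
import email
from email.utils import parseaddr

# Constructed sample message. The receiving server has recorded the envelope
# sender in Return-Path; the From header shown to the user claims example.com.
RAW_MESSAGE = b"""Return-Path: <bounce-1234@mailer.example.net>
Received: from mx1.mailer.example.net (mx1.mailer.example.net [203.0.113.55])
From: "Accounts" <billing@example.com>
To: user@example.org
Subject: Your invoice

Please find your invoice attached.
"""


def domain_of(address_header):
    """Domain part of an RFC 5322 address header value, lower-cased."""
    addr = parseaddr(address_header or "")[1]
    return addr.rpartition("@")[2].lower()


def sender_domains(raw):
    """Return (envelope sender domain, header From domain) of a raw message."""
    msg = email.message_from_bytes(raw)
    return domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))


def organizational_domain(name):
    # Simplification: last two labels; real DMARC uses the public-suffix list.
    return ".".join(name.split(".")[-2:])


def spf_aligned(envelope_domain, from_domain, strict=False):
    """DMARC SPF alignment: strict needs an exact match, relaxed the same org domain."""
    if strict:
        return envelope_domain == from_domain
    return organizational_domain(envelope_domain) == organizational_domain(from_domain)


def alignment_report(raw):
    envelope, header = sender_domains(raw)
    return {
        "envelope_domain": envelope,
        "from_domain": header,
        "aligned_relaxed": spf_aligned(envelope, header),
        "aligned_strict": spf_aligned(envelope, header, strict=True),
    }


if __name__ == "__main__":
    print(alignment_report(RAW_MESSAGE))
```

For the constructed message the envelope domain is mailer.example.net while the From domain is example.com, so even an SPF pass for mailer.example.net says nothing about the address the user sees; that gap is exactly what DMARC alignment closes.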