[plug] Sender Policy Framework (SPF)

Craig Ringer craig at postnewspapers.com.au
Wed Sep 8 17:58:21 WST 2004


James Devenish wrote:

> SPF will not prevent anyone from spoofing your domain unless you have
> published an SPF record for your domain and recipients of spoofed mail
> are using SPF-enforcing relays. If your mail domain exists fairly
> simply, achieving (a) is merely a matter of personal awareness,
> preference and motivation. In comparison, (b) is almost completely out
> of your control since both the sender and receiver of spoofed messages
> need never interact with your network or your DNS records.

My understanding is much the same there.

> However, if you are a mail administrator, you can at least prevent some
> spoofed e-mail from being received by your users.  For readers of e-mail
> (i.e. all of us), SPF failed mail is usually "rejected" or "filtered".

I presently favour 'mangled' - mangling the From: address to indicate 
that it may be forged and/or editing the subject with a warning. I do 
not currently have SPF checking set up and working, though, so this is 
mostly intent rather than practice.

> But mail that is not rejected may have SPF headers that contain advisory
> information for "best guess" client filtering. So, for Russ, the answer
> to his question is that if he inserts a TXT record with SPF information
> in his domain (assuming it is easy to devise the correct record), then
> those recipients of mail who are behind relays that enforce SPF will be
> unable to receive e-mail that is spoofed as coming from his domain?

That sounds right, though the recipient's policy may not be to reject 
messages which fail an SPF check but rather tag or quarantine them.

> This
> is doing the "(a)" things.

Yep, and those are things the rest of us will thank him for in time ;-)

> There would be "a few" people who would
> benefit from this (at the current scale of SPF adoption). The other
> thing that he may consider is implementing SPF awareness for incoming
> mail. This would mean that he makes use of other people's SPF records,
> so that his users do not receive spoofed mail that claims to come from
> SPF-enabled domains. This would mean that he is doing the "(b)" things.

Again, agreed.

Publishing an SPF record is simple and easy unless you have a really 
terrible domain host. There's a handy tool on the SPF site that helps 
you construct a record using an interactive question and answer system. 
You then just insert that SPF record into your DNS records in a 
'TXT' record, or ask your domain host to do so for you.

The recipient side is harder, and possibly not worth the bother yet. 
Tools like SpamAssassin and MimeDefang can be expected to have SPF 
support soon and most have add-ons for it already. MTA support can also 
be expected at some point or is already available. I'm inclined to use 
it in SpamAssassin to demote messages which fail SPF checks (but not 
promote ones that pass them) and to tag messages that fail checks to 
warn users.

--
Craig Ringer
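As an added illustration of both halves of the thread above (it is not code from the original post, from the SPF project, or from SpamAssassin/MimeDefang): a small Python sketch that shows what a published `v=spf1` TXT record looks like and how a receiving relay evaluates it against the connecting IP, then applies Craig's stated policy of demoting and tagging failures without boosting passes. DNS is replaced by a constructed in-memory table, the domains and addresses are RFC documentation examples, and only the `a`, `mx`, `ip4`, `include` and `all` mechanisms are handled; the function names are my own.

```python
import ipaddress

# Constructed stand-in for DNS (not real zone data): the TXT record under
# example.org is the kind of thing the SPF wizard on the SPF site produces.
FAKE_DNS = {
    "example.org": {
        "TXT": ["v=spf1 mx a ip4:192.0.2.0/24 include:mail.example.net -all"],
        "A": ["198.51.100.10"],
        "MX": ["mx.example.org"],
    },
    "mx.example.org": {"A": ["198.51.100.25"]},
    "mail.example.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline replacement for a DNS query against the constructed table."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Simplified SPF check of sender IP `ip` for envelope domain `domain`.

    Mechanisms are tried left to right; the first match decides the result.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                   # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # include: matches only if the included domain's policy passes.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism this sketch does not know
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched, no "all"


def score_adjustment(result):
    """Spam-score delta: demote failures, never promote a pass (Craig's intent)."""
    return {"fail": 3.0, "softfail": 1.0}.get(result, 0.0)


def tag_message(headers, result):
    """Recipient-side 'mangle' policy: record the result and warn on failure."""
    tagged = dict(headers)
    tagged["Received-SPF"] = result
    if result in ("fail", "softfail"):
        tagged["Subject"] = "[SPF %s] %s" % (result.upper(), headers.get("Subject", ""))
    return tagged


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.25", "203.0.113.7", "10.0.0.1"):
        result = check_host(ip, "example.org")
        msg = tag_message({"From": "someone@example.org", "Subject": "Hello"}, result)
        print(ip, result, score_adjustment(result), msg["Subject"])
```

Run stand-alone, it walks four constructed sender addresses through the example.org policy: the first three pass via `ip4`, `mx` and `include` respectively, and the last falls through to `-all` and is tagged. Swap `lookup` for a real resolver and the evaluation logic stays the same.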
