What is Sender Policy Framework?
Sender Policy Framework (SPF) is an attempt to control forged e-mail. SPF is not directly about stopping spam – junk email. It is about giving domain owners a way to say which mail sources are legitimate for their domain and which ones aren’t. While not all spam is forged, virtually all forgeries are spam. SPF is not anti-spam in the same way that flour is not food: it is part of the solution.
SPF was created in 2003 to help close loopholes in email delivery systems that allow spammers to “spoof” or steal your email address to send hundreds, thousands or even millions of emails illicitly.
SPF is a protocol developed by a group of motivated volunteers, joined by a mutual desire to improve the operation of the internet. It is not a commercial product offered by a for-profit corporation. The SPF protocol is being adopted by a growing number of domain hosts and Internet Service Providers (ISPs), and, as in any technology evolution, there will be some bumps on the road, but Azaleos is here to help along the way.
What does SPF actually do?
Suppose a spammer forges your e-mail address (you@yourorganization.com) and tries to spam hundreds of thousands of addresses from somewhere other than your mail server. Without SPF in place, you are sure to get hundreds if not thousands of Non-Delivery Reports (NDRs) delivered to your mailbox, because SMTP lacks any built-in authentication mechanism and it’s easy to pretend to be someone you’re not.
When SPF is in place and operational, the spammer’s message is still sent from your e-mail address, but remote mail servers now have a way to verify whether or not the spammer’s e-mail server is allowed to send e-mail from your e-mail address.
If your organization says they recognize the sending IP addresses, it passes, and you can assume the sender is who they say they are. If the message fails SPF tests, it’s a forgery and the message is silently dropped without an NDR being generated.
How do I implement SPF for my domain?
First, if you have an existing SPF record (or if you don’t know if you have an existing SPF record), go to the SPF validation wizard located at http://www.kitterman.com/spf/validate.html and enter the domain name part of your e-mail address (everything to the right of the @ symbol) into the topmost box and click on “Get SPF Record (if any)”. That will tell you if your domain already has an SPF record and if its syntax is correct.
If you don’t have an SPF record or you want to work on changing yours, great! The wizard located at http://old.openspf.org/wizard.html is the place to go. It will help you develop the SPF record properly.
Once you have a draft SPF record from the wizard located at http://old.openspf.org/wizard.html you will want to review it and see if what you ended up with makes sense. Take a look at the SPF record syntax located at http://www.openspf.org/SPF_Record_Syntax to get a better understanding of what your record means. Go back to the SPF validation wizard located at http://www.kitterman.com/spf/validate.html and put the domain part of your e-mail address in the domain part of the second test and your draft record in the SPF record part (do not enclose it in quotes, just the record) and then click on “Check SPF Record”. This will tell you if the syntax of your draft record is correct. You can also use the third test in the SPF validation wizard to experiment with different IP addresses your mail might come from with different records and see that you get the results you expect. The first two tests can only tell you if the syntax of your record is correct. The third test is the only one that can tell you if the content of the record is right for your e-mail sending architecture.
Once you have convinced yourself that your record is ready to be published or updated, you publish it as a record of type TXT in your domain’s public DNS. How this is done varies considerably from provider to provider. If you don’t know how, you will need to contact your DNS provider. If you don’t know who that is, it is probably the domain registrar that you registered the domain with. If you can’t figure out who it is, we can help you figure it out.
