UsMan's WoRkSpAce

Tuesday, September 26, 2006

Sender Policy Framework (SPF) details

* DNS Sender Policy Framework (SPF) aids in fighting spam. It lists the authorized mail servers for a DNS domain or host name. Receiving email servers can check the SPF record to verify that the sending server is authorized. If the authorization check fails, the receiving email server can reject the incoming email. An example SPF record has the format 'v=spf1 ip4:10.0.0.0/8 -all'.

* SPF is a DNS TXT record. It consists of zero or more of the following mechanisms:
all, a, mx, ptr, ip4, ip6, include and exists
Mechanisms describe the designated outbound mailers for a domain. A record can also describe the domain's email policy, such as GPG-signed or Habeas headers on all emails. An SPF record can also carry the redirect and exp modifiers. Each mechanism can be prefixed with one of four qualifiers: - (fail), ~ (softfail), + (pass) and ? (neutral). The default qualifier for any mechanism is +. If no mechanism or modifier matches, the default result is ? (neutral). Mechanisms are evaluated in order.

* Following are the results of mechanism evaluation:

  Result                           Intended action
  none (no SPF record)             Accept
  neutral (?)                      Accept
  pass (+)                         Accept
  fail (-)                         Reject
  softfail (~)                     Accept but mark
  TempError (temporary DNS error)  Accept or Reject
  PermError (invalid syntax)       Unspecified

* The 'all' mechanism matches any sender IP/hostname and is placed at the end of the SPF record. For the 'a' mechanism, all A records for the domain are tested; the mechanism matches if the sender IP is found among them. The 'mx' mechanism means that the A records of all MX hosts are tested in order of MX priority; the sender IP should be one of them. The 'ptr' mechanism means that the hostname of the sender IP is looked up with a PTR query. The hostnames are then validated: at least one A record of a PTR hostname must match the sender IP. It is best to avoid the ptr mechanism because of the larger number of expensive DNS lookups. The ip4 mechanism designates hosts in CIDR notation, e.g. ip4:192.168.0.1/16. The ip6 mechanism designates an IPv6 address. The 'exists' mechanism does a simple A query for the given domain, which should return a result (any result) to match. The 'include' mechanism means that the specified other domain's SPF record is searched for a match. This mechanism crosses administrative boundaries, so it is better to give a neutral response than a pass response.

* The redirect modifier replaces the current set of SPF directives with those of the domain named in the modifier. The exp modifier names a domain whose TXT record is looked up and shown to the sender as the explanation for the result.
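As an added illustration (not code from the original post), the evaluation rules described above written as a small offline evaluator: it walks the mechanisms in order, applies the qualifier prefix with + as default, falls back to neutral when nothing matches, and hands over to a redirect target. SAMPLE_DNS is a constructed table of pre-resolved answers standing in for live DNS lookups; ptr, exists and the a/mx CIDR-suffix forms are left out.

```python
import ipaddress
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SAMPLE_DNS = {  # constructed, pre-resolved answers standing in for live DNS lookups
    ("TXT", "example.com"): "v=spf1 ip4:10.0.0.0/8 mx include:relay.example -all",
    ("MX", "example.com"): ["mx1.example.com"],
    ("A", "mx1.example.com"): ["192.0.2.10"],
    ("TXT", "relay.example"): "v=spf1 ip4:198.51.100.0/24 ~all",
    ("TXT", "legacy.example"): "v=spf1 redirect=example.com",
}

def evaluate_spf(domain, sender_ip, dns=SAMPLE_DNS):
    """SPF result for sender_ip sending as domain (ptr, exists, a/mx CIDR suffixes omitted)."""
    record = dns.get(("TXT", domain))
    if record is None:
        return "none"                               # domain publishes no SPF record
    terms = record.lower().split()
    if terms[:1] != ["v=spf1"]:
        return "permerror"                          # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    redirect = next((t[9:] for t in terms if t.startswith("redirect=")), None)
    for term in terms[1:]:                          # mechanisms are evaluated in order
        if "=" in term:                             # modifiers (redirect=, exp=) aren't mechanisms
            continue
        qualifier = "+"                             # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":                           # matches every sender; goes last
            matched = True
        elif name in ("ip4", "ip6"):                # CIDR match, no DNS needed
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"                  # malformed address or prefix
        elif name in ("a", "mx"):                   # A records of the host, or of its MX hosts
            hosts = [arg or domain] if name == "a" else dns.get(("MX", arg or domain), [])
            matched = any(ipaddress.ip_address(x) == ip
                          for h in hosts for x in dns.get(("A", h), []))
        elif name == "include":                     # another domain's record is consulted
            sub = evaluate_spf(arg, sender_ip, dns)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"                 # only an included pass matches
        else:
            return "permerror"                      # unknown or unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                                    # no match: hand over to the redirect target
        return evaluate_spf(redirect, sender_ip, dns)
    return "neutral"                                # no match and no redirect: neutral
```

Mapping each result to the receiver's action (reject on fail, mark on softfail) is left to the caller, as in the table above.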
