• View
• Edit
• History
• Print

SPF

(redirected from Openbsd.Spf)

The Sender Policy Framework

Read up on the Sender Policy Framework.

Why?

There's nothing stopping someone from pretending to send mail from a fake address. A scammer might send an from ceo@megacorp.com as follows:

Please send me $10,000 to my temporary bank account 0123456789.

How can we determine if sender's email address is fake or real? Sender Policy Framework (SPF) is one tool.

What it does

SPF is a system that your mail server uses to check if the sender of the email comes from the right server.

Almost all mail servers will check for SPF records. So, if you don't want your mail to be marked as spam or phishing, you will want to set up proper DNS records.

How it works

Qualifier	Result	Meaning	Action
+	Pass	Can send	Accept
-	Fail	Cannot send	Reject
~	SoftFail	Cannot send but still in transition	Accept but mark
?	Neutral	Neutral	Accept
	None	No matching SPF record	Accept
	PermError	Error (bad SPF record)	Unknown
	TempError	Temporary Error	?

Mechanism	Meaning
all	Always matches
ip4:<address>/<prefix>	Matches IPv4 address/subnet
ip6:<address>/<prefix>	Matches IPv6 address/subnet
a:<domain>	Matches IPv4 address from A record (or AAAA record if IPv6); uses current domain if none given
mx:<domain>	Matches IP addresses of MX records; uses current domain MX if none given

Record	Meaning
"v=spf1 mx -all"	Allow MXes to send mail, deny all others.
"v=spf1 -all"	The domain cannot send any mail.
"v=spf1 +all"	Anyone can send mail for this domain (SPF becomes useless)
"v=spf1 ip4:192.168.0.1/24 -all"	IPs between 192.168.0.1 and 192.168.0.255 can send
"v=spf1 ip6:2001:db8::/96 -all"	The IPv6 subnet 2001:db8::/96 can send
"v=spf1 a -all"	IPs from current domain can send mail
"v=spf1 a:example.com -all"	IPs from example.com can send mail
"v=spf1 mx mx:mail.example.com -all"	IPs from MX servers for current domain and mail.example.com can send