User:Paul/sandbox/Install and configure SPF

WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

Most of the commands in this article require  privileges:

username@servername:~$ sudo /bin/bash

To perform SPF checks, install :

root@servername:~# aptitude install postfix-policyd-spf-python root@servername:~# nano /etc/postfix-policyd-spf-python/policyd-spf.conf

Change: HELO_reject = False Mail_From_reject = False

Setting  for   and   means that the message will not be rejected when an email fails the test and the results of the test will be appended to the header. If the default  setting were used, then failure of the test would mean rejection of the email, but given the prevalance of incorrectly configured SPF records, it is better to create a   header for downstream processing.

Create SPF DNS Record
The SPF record is a simple DNS TXT record that identifies which hosts are authorized to send mail for a given domain. Probably the most commonly used SPF record is:

v=spf1 mx -all

The  portion of the above entry instructs servers to fail the SPF test when an email comes from any server not listed before it, which for the example record would mean any email coming from a server not listed in the mx record for the domain. This is problematic when using various services such as Gmail, BlackBerry, or Mandrill for the purpose of sending email for the domain. In these cases, the services will be used to send the mail, thus there will be a server not listed in the MX record sending mail legitimately (although, with some research, appropriate data for the records may be included). Of course, if these services are not going to be used, then the  setting may be preferable. If such services are going to be used, or the option to use them is desired, and appropriate record data is unavailable, then the following SPF record may be more desirable:

v=spf1 mx a ?all

The use of  means that if the other parameters are not met, then the test is neutral (not pass or fail) and   adds the A/AAAA record as an additional server location authorized to send mail from. More information on the various options may be found at the SPF website as additional configurations may be more desirable.

Next step
Install DKIM.

Additional information
View SPF records