Difference between revisions of "User:Paul/sandbox/Install and configure SPF"

From UNPM.org Wiki
Line 28: Line 28:
 
The use of <code>?all</code> means that if the other parameters are not met, then the test is neutral (not pass or fail) and <code>a</code> adds the A/AAAA record as an additional server location authorized to send mail from. More information on the various options may be found at the [[http://www.openspf.org/SPF_Record_Syntax SPF website]] as additional configurations may be more desirable.
 
The use of <code>?all</code> means that if the other parameters are not met, then the test is neutral (not pass or fail) and <code>a</code> adds the A/AAAA record as an additional server location authorized to send mail from. More information on the various options may be found at the [[http://www.openspf.org/SPF_Record_Syntax SPF website]] as additional configurations may be more desirable.
  
Viewing the SPF record of a given domain is generally possible by viewing the domain's DNS TXT records. To view an SPF record, use the <code>dig</code> command:
+
== Additional information ==
  
root@servername:~# dig -t txt _spf.example.com
+
[[Common_and_useful_commands#SPF_records|View SPF records]]
  
 
== External links ==
 
== External links ==
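
Review bot: the unchanged context line at Line 28 still wraps an external URL in double brackets, `[[http://www.openspf.org/SPF_Record_Syntax SPF website]]`. MediaWiki external links take single brackets, and the rendered revision shows the link text with stray brackets around it, so this should become `[http://www.openspf.org/SPF_Record_Syntax SPF website]`. Separately, the hunk drops the inline dig example in favor of a link to Common_and_useful_commands#SPF_records; confirm that the linked section shows the TXT lookup, so the page does not lose its only command for checking a published record.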

Revision as of 23:54, 20 May 2014

WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

Most of the commands in this article require root privileges:

username@servername:~$ sudo /bin/bash

To perform SPF checks, install postfix-policyd-spf-python:

root@servername:~# aptitude install postfix-policyd-spf-python
root@servername:~# nano /etc/postfix-policyd-spf-python/policyd-spf.conf

Change:

HELO_reject = False
Mail_From_reject = False

Setting HELO_reject and Mail_From_reject to False means that a message is not rejected when it fails the SPF test; instead, the result of the test is appended to the message header. If the default fail setting were used, then failure of the test would mean rejection of the email, but given the prevalence of incorrectly configured SPF records, it is better to create a Received-SPF header for downstream processing.

Create SPF DNS Record

The SPF record is a simple DNS TXT record that identifies which hosts are authorized to send mail for a given domain. Probably the most commonly used SPF record is:

v=spf1 mx -all

The -all portion of the above entry instructs servers to fail the SPF test when an email comes from any server not listed before it, which for the example record means any email coming from a server not listed in the MX records for the domain. This is problematic when services such as Gmail, BlackBerry, or Mandrill are used to send email for the domain: the service's servers send the mail legitimately, but they are not listed in the MX records. Of course, if these services are not going to be used, then the -all setting may be preferable. If such services are going to be used, or the option to use them is desired, then the following SPF record may be more desirable:

v=spf1 mx a ?all

The use of ?all means that if none of the other mechanisms match, then the test result is neutral (neither pass nor fail), and a adds the domain's A/AAAA records as additional server locations authorized to send mail. Other configurations may be more desirable; more information on the various options may be found at the SPF website (http://www.openspf.org/SPF_Record_Syntax).
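
The difference between the two records above can be seen by evaluating them against the same sending addresses. The following is an added example, not part of the wiki article and not code from postfix-policyd-spf-python; the DNS table is constructed for example.com using documentation addresses, and the evaluator handles only the mx, a and all mechanisms used on this page.

```python
import ipaddress

# Constructed DNS data for example.com (documentation addresses, not real records).
DNS = {
    "mx": {"example.com": ["mail.example.com"]},
    "a": {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORDS = ("v=spf1 mx -all", "v=spf1 mx a ?all")  # the two records from the article


def addresses(mechanism, domain):
    """Return the addresses an 'a' or 'mx' mechanism authorizes for the domain."""
    if mechanism == "a":
        names = [domain]
    else:  # mx: every MX host name is resolved to its addresses
        names = DNS["mx"].get(domain, [])
    return {ipaddress.ip_address(ip) for n in names for ip in DNS["a"].get(n, [])}


def check_spf(record, sender_ip, domain):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, target = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("a", "mx"):
            raise ValueError("mechanism not handled in this sketch: " + term)
        if ip in addresses(name, target or domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def compare(sender_ip):
    """Result of each article record for one sending address."""
    return {r: check_spf(r, sender_ip, "example.com") for r in RECORDS}


if __name__ == "__main__":
    for label, ip in (("MX host", "192.0.2.25"), ("A-record host", "192.0.2.10"),
                      ("third-party relay", "198.51.100.7")):
        print(label, ip, compare(ip))
```

With HELO_reject and Mail_From_reject set to False as described earlier, the receiving side records such a result in the Received-SPF header rather than rejecting the message.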

Additional information

View SPF records

External links

The SPF Project