User:Paul/sandbox/Install and configure SPF
WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.
Most of the commands in this article require root privileges:
username@servername:~$ sudo /bin/bash
To perform SPF checks, install postfix-policyd-spf-python, then open its configuration file:
root@servername:~# aptitude install postfix-policyd-spf-python
root@servername:~# nano /etc/postfix-policyd-spf-python/policyd-spf.conf
Change:
HELO_reject = False
Mail_From_reject = False
Setting False for HELO_reject and Mail_From_reject means that a message will not be rejected when it fails the test; instead, the results of the test will be appended to the header. If the default fail setting were used, then failure of the test would mean rejection of the email, but given the prevalence of incorrectly configured SPF records, it is better to create a Received-SPF header for downstream processing.
Create SPF DNS Record
The SPF record is a simple DNS TXT record that identifies which hosts are authorized to send mail for a given domain. Probably the most commonly used SPF record is:
v=spf1 mx -all
The -all portion of the above entry instructs servers to fail the SPF test when an email comes from any server not listed before it, which for the example record would mean any email coming from a server not listed in the MX record for the domain. This is problematic when using services such as Gmail, BlackBerry, or Mandrill to send email for the domain. In these cases, the services will be used to send the mail, so a server not listed in the MX record will be sending mail legitimately (although, with some research, appropriate data for the records may be included). Of course, if these services are not going to be used, then the -all setting may be preferable. If such services are going to be used, or the option to use them is desired, and appropriate record data is unavailable, then the following SPF record may be more desirable:
v=spf1 mx a ?all
The use of ?all means that if none of the other mechanisms match, the result of the test is neutral (neither pass nor fail), and a adds the hosts in the domain's A/AAAA records as additional servers authorized to send mail. More information on the various options may be found at the SPF website, as other configurations may be more desirable.
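To compare how the two records above treat the same sending host, the following added example (not part of the original article and not code from postfix-policyd-spf-python) evaluates a record against a sender address. The function name, the HOSTS table standing in for DNS lookups, and the addresses are assumptions made for illustration; only the bare mx and a mechanisms, ip4, ip6 and all are handled.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data standing in for DNS lookups (documentation addresses).
HOSTS = {"mx": ["192.0.2.10"], "a": ["192.0.2.20"]}
STRICT = "v=spf1 mx -all"      # first record from the article
RELAXED = "v=spf1 mx a ?all"   # second record from the article


def evaluate_spf(record, sender_ip, hosts):
    """Return the SPF result for sender_ip under record.

    hosts is a hypothetical stand-in for DNS: the addresses that the domain's
    MX hosts ("mx") and its own A/AAAA records ("a") resolve to.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are outside this example
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = (term[1:] if term[0] in QUALIFIERS else term).lower()
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True  # always matches, so it decides every unlisted sender
        elif name in ("mx", "a") and not arg:
            matched = any(ip == ipaddress.ip_address(h) for h in hosts.get(name, []))
        elif name in ("ip4", "ip6") and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise NotImplementedError(f"mechanism not handled here: {term}")
        if matched:  # first matching mechanism wins, evaluated left to right
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for label, record in (("strict", STRICT), ("relaxed", RELAXED)):
        for sender in ("192.0.2.10", "192.0.2.20", "198.51.100.7"):
            print(label, sender, evaluate_spf(record, sender, HOSTS))
```

With HELO_reject and Mail_From_reject set to False as configured above, a fail result is recorded in the Received-SPF header rather than causing rejection.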