User:Paul/sandbox/Install and configure SPF


WARNING: This article is in a user sandbox, indicating it is a rough draft, and as such, is likely incomplete, contains buggy and insecure configurations, and is subject to substantial and frequent changes.

Most of the commands in this article require root privileges:

username@servername:~$ sudo -i

Install SPF

To perform SPF checks, install postfix-policyd-spf-python:

root@servername:~# aptitude install postfix-policyd-spf-python
root@servername:~# nano /etc/postfix-policyd-spf-python/policyd-spf.conf

In that file, set:

HELO_reject = False
Mail_From_reject = False

Setting HELO_reject and Mail_From_reject to False means that a message is not rejected when it fails the test; instead, the result of the test is appended to the message headers. With the default setting of Fail, a failed test would mean rejecting the email, but given the prevalence of incorrectly configured SPF records, it is better to create a Received-SPF header for downstream processing.

Create SPF DNS Record

The SPF record is a simple DNS TXT record that identifies which hosts are authorized to send mail for a given domain. Note that an SPF record does not cover subdomains; a separate TXT record should be created for each subdomain that is used to send mail.

Probably the most commonly used SPF record is:

v=spf1 mx -all

The -all portion of the above entry instructs receiving servers to fail the SPF test when an email comes from any server not matched by the mechanisms before it, which for the example record means any email coming from a server not listed in the MX records for the domain. This is problematic when using services such as Gmail, BlackBerry, or Mandrill to send email for the domain. In those cases, the services send the mail, so a server not listed in the MX records will be sending mail legitimately (although, with some research, appropriate data for those services may be included in the record). Of course, if no such services are going to be used, then the -all setting may be preferable. If such services are going to be used, or the option to use them is desired, and appropriate record data is unavailable, then the following SPF record may be more desirable:

v=spf1 mx a ?all

The use of ?all means that if none of the preceding mechanisms match, the result is neutral (neither pass nor fail), and the a mechanism adds the domain's A/AAAA record as an additional host authorized to send mail. More information on the various options may be found at the SPF website, as other configurations may suit some setups better.

Domains not sending any mail

If a domain is not going to be sending any mail at all, then it is good practice to create an SPF record to protect the domain from potential abuse. A spammer may spam using a spoofed email address, and a negative reputation may then be assigned to the spoofed domain even though its owner never took part in the spamming. To help protect against this, every domain should have an SPF record, and for domains not sending mail, the following record communicates this to other servers, especially blacklist administrators.

v=spf1 -all
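As an added example, not part of this page or of postfix-policyd-spf-python, the following Python evaluator shows how a receiving server interprets the three records above: mechanisms are tested left to right, and the qualifier of the first match decides the result. DNS answers come from a constructed in-memory table (FAKE_DNS) with the placeholder domain example.org, so it runs offline, and it handles only the mx, a, ip4 and all mechanisms.

```python
import ipaddress

# Qualifier prefix -> SPF result, as used by the records above (-all, ?all, ...).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS answers standing in for real lookups (assumption, not a live resolver).
FAKE_DNS = {
    ("example.org", "MX"): ["mail.example.org"],
    ("example.org", "A"): ["192.0.2.10"],
    ("mail.example.org", "A"): ["192.0.2.25"],
}

def parse_record(record):
    """Split 'v=spf1 mx a ?all' into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # no prefix means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qual, name.lower(), arg))
    return parsed

def mechanism_matches(name, arg, ip, domain, dns):
    """True if the client IP matches the mechanism (only mx, a, ip4 and all)."""
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain              # 'mx' and 'a' default to the checked domain
    if name == "a":
        hosts = [target]
    elif name == "mx":
        hosts = dns.get((target, "MX"), [])
    else:
        raise ValueError("unsupported mechanism: " + name)
    return any(ip == ipaddress.ip_address(addr)
               for host in hosts for addr in dns.get((host, "A"), []))

def check_spf(record, client_ip, domain, dns=FAKE_DNS):
    """Evaluate left to right; first match decides, else neutral (RFC 7208 4.7)."""
    ip = ipaddress.ip_address(client_ip)
    for qual, name, arg in parse_record(record):
        if mechanism_matches(name, arg, ip, domain, dns):
            return QUALIFIERS[qual]
    return "neutral"
```

With "v=spf1 mx -all", mail from the domain's own A host (not an MX) fails, while "v=spf1 mx a ?all" passes it and returns neutral for an unknown sender.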

Next step

Install DKIM.

Additional information

View SPF records

External links

The SPF Project

SPF Query Tool

SPF Record Wizard