Sender Policy Framework (SPF) is an email authentication method that lets a receiving mail server check whether the sending host is authorized to originate mail for the sender's domain. The check applies only to the address given in MAIL FROM (the "envelope from") during the SMTP transaction. Bounces are sent to this address, and for downstream transmission it usually appears in the "Return-Path" header. To authenticate the address that recipients actually see on the "From:" line, other technologies such as DMARC must be used. Forgery of that address is known as email spoofing and is common in phishing and spam.
The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain. Sender Policy Framework is defined in RFC 7208 dated April 2014 as a "proposed standard".
We install the SPF Policy Server.
# dnf install pypolicyd-spf
# cd /etc/python-policyd-spf/
# vi policyd-spf.conf
The options that matter most are 'Mail_From_reject' and 'HELO_reject' (which SPF results on the envelope sender and on the HELO name lead to a reject; by default the envelope sender is rejected only on a hard 'Fail') and 'skip_addresses' (client addresses, such as loopback and your own relays, that are never checked).
In order for incoming messages to be validated by the SPF Policy Server, we first need to add the SPF Policy Server to our Postfix configuration as a new service (in '/etc/postfix/master.cf'):
# cd /etc/postfix/
# vi master.cf

# SPF Policy Server for Postfix
policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/libexec/postfix/policyd-spf
The spawn(8) service will not run a command as root, and the daemon should not run as 'postfix' either, so that a bug in it cannot reach Postfix's own queue and sockets. We therefore create a dedicated user, called 'policyd-spf':
# useradd -c "SPF Policy Server for Postfix" -d /etc/python-policyd-spf -s "/sbin/nologin" policyd-spf
We can then add the new service to the checks performed during the SMTP dialogue on port 25. That's done by first adding the following option to the file '/etc/postfix/main.cf'; it raises the time limit for the spawned daemon, so that Postfix does not kill the long-running policy server after the default 1000 seconds:
# vi main.cf

# policyd-spf service
policyd-spf_time_limit = 3600
And then adding this option, indented, under the 'smtp inet ... smtpd' entry in the file '/etc/postfix/master.cf'. Keep the relay check ahead of the policy service and do not end the list with an unconditional 'permit': a list that permits everything after the SPF check turns port 25 into an open relay, because policyd-spf returns DUNNO for anything it does not reject. Postfix accepts commas as separators in restriction lists, which keeps whitespace out of the '-o' value:
# vi master.cf
    -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service,unix:private/policyd-spf
# postfix check
# systemctl restart postfix
For each domain you have to add the SPF settings.
At the end of the SPF record, the qualifier on the final 'all' mechanism tells the receiving mail server what to do with hosts that no earlier mechanism matched: '-all' is a hard fail, '~all' a softfail (accepted but marked; the usual choice while rolling SPF out), '?all' neutral. A record without a final 'all' yields neutral for every unlisted host, which is rarely what you want.
Go to your domain's DNS settings and create a new TXT entry. Enter "v=spf1 mx a ip4:a.b.c.0/24 ip6:20.../64 ~all" as the value and leave the name field empty, so that the record belongs to the domain itself. Save the settings. 'mx' and 'a' cover the domain's MX hosts and its own A/AAAA address; the 'ip4' and 'ip6' entries list any other networks that send mail for it.
If you run the authoritative name server yourself, add it to the zone file instead. A zone in /var/named/dynamic is updated by named at runtime, so freeze it before editing (otherwise the journal overwrites your change), bump the SOA serial, check the zone, and thaw it afterwards, which also reloads it (for a zone that is not dynamic, skip the freeze/thaw and run 'rndc reload example.com' or restart named):
# rndc freeze example.com
# cd /var/named/dynamic
# vi example.com
example.com.  IN  TXT  "v=spf1 mx a ~all"
# named-checkzone example.com example.com
# rndc thaw example.com
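To see what the policy service set up above actually does with such a record, here is an added example (not code from this page and not pypolicyd-spf's own code): a minimal SPF evaluator for the mechanisms used in the records above (a, mx, ip4, ip6 and all with their qualifiers), wired to the policy-delegation protocol that smtpd speaks over unix:private/policyd-spf. DNS answers come from a constructed in-memory table, so every name and address in it, the sample request and the receiver name mx.example.net are assumptions; include, exists, ptr and redirect= are reported as permerror instead of being resolved. It runs offline.

```python
"""Minimal SPF check wired to the Postfix policy-delegation protocol.

Added example, not pypolicyd-spf's code and not part of the original page.
DNS answers come from the constructed table below (every name and address in
it is an assumption), so the script runs offline.  Only the mechanisms used in
the records above (a, mx, ip4, ip6, all) are implemented; include, exists,
ptr and redirect= are reported as permerror rather than resolved.
"""
import ipaddress

# Constructed DNS view used instead of a live resolver (assumption, not real data).
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx a ip4:203.0.113.0/24 ~all"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("mail.example.com", "AAAA"): ["2001:db8::25"],
    ("example.org", "TXT"): ["v=spf1 -all"],
}

# Qualifier prefix of a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def host_matches(ip, name):
    """'a' and 'mx' mechanisms: does name resolve (A or AAAA) to ip?"""
    rtype = "AAAA" if ip.version == 6 else "A"
    return any(ipaddress.ip_address(addr) == ip for addr in lookup(name, rtype))


def check_host(client_ip, domain):
    """SPF result for client_ip sending MAIL FROM <...@domain> (subset of RFC 7208 section 4)."""
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # several v=spf1 records are a permanent error
    for term in records[0].split()[1:]:
        qual = "+"                  # no prefix means '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = host_matches(ip, arg or domain)
            elif mech == "mx":
                matched = any(host_matches(ip, mx) for mx in lookup(arg or domain, "MX"))
            else:
                return "permerror"  # include/exists/ptr/redirect= not implemented here
        except ValueError:
            return "permerror"      # malformed network such as ip4:203.0.113/24
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                # no term matched and no 'all' at the end


def parse_policy_request(raw):
    """One smtpd request: 'name=value' lines, terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(attrs, receiver="mx.example.net"):
    """Reply for one request, mimicking policyd-spf's default Mail_From_reject=Fail.

    A null sender (bounce) has no MAIL FROM domain, so the HELO name is checked
    instead (RFC 7208 section 2.4).  Everything but a hard fail is let through
    with a Received-SPF header, so that DMARC or a filter downstream can use
    the result.  'receiver' is the checking host's name (assumed here).
    """
    client = attrs["client_address"]
    sender = attrs.get("sender", "")
    helo = attrs.get("helo_name", "")
    domain = sender.rpartition("@")[2] or helo
    result = check_host(client, domain)
    if result == "fail":
        return (f"action=REJECT Message rejected due to SPF fail: "
                f"{client} is not a designated sender for {domain}\n\n")
    if result == "temperror":       # never produced by the offline table; a live resolver can time out
        return "action=DEFER_IF_PERMIT SPF temporary error\n\n"
    if result == "pass":
        comment = f"domain of {domain} designates {client} as permitted sender"
    else:
        comment = f"{result} for domain {domain}"
    return (f"action=PREPEND Received-SPF: {result} ({receiver}: {comment}) "
            f'receiver={receiver}; client-ip={client}; envelope-from="{sender}"; helo={helo};\n\n')


# Constructed sample request, in the form smtpd writes it to unix:private/policyd-spf.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "client_name=mta7.example.net\n"
    "helo_name=mta7.example.net\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.net\n"
    "\n"
)

if __name__ == "__main__":
    print(policy_action(parse_policy_request(SAMPLE_REQUEST)), end="")
```

The sample client 203.0.113.7 is not an MX or A address of example.com but falls inside the 'ip4' network, so the reply is an 'action=PREPEND' with a Received-SPF: pass header; the same client sending as example.org (whose record is '-all') gets 'action=REJECT'. Because the policy service only ever replies DUNNO-like PREPEND or REJECT, nothing in it grants relaying, which is why the relay check in the Postfix restriction list has to stay in front of it.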
To test whether the SPF record is published correctly, use an SPF record lookup tool and enter your domain, or query the TXT record directly with dig from a host outside your network; a new or changed record is only seen everywhere once the old record's TTL has expired.
SPF alone only authenticates the envelope sender, so you also need to set up DKIM and DMARC.