Rob's web

Home - Techniek - Computer - Servers - SMTP server - SPF

SPF

Sender Policy Framework (SPF) is an email authentication method which ensures the sending mail server is authorized to originate mail from the email sender's domain. This authentication only applies to the email sender listed in the "envelope from" field during the initial SMTP connection. If the email is bounced, a message is sent to this address, and for downstream transmission it typically appears in the "Return-Path" header. To authenticate the email address which is actually visible to recipients on the "From:" line, other technologies such as DMARC must be used. Forgery of this address is known as email spoofing, and is often used in phishing and email spam.

The list of authorized sending hosts and IP addresses for a domain is published in the DNS records for that domain. Sender Policy Framework is defined in RFC 7208 dated April 2014 as a "proposed standard".

Installation

We install the SPF Policy Server.

# dnf install pypolicyd-spf

Configuration SPF Policy Server

Configuration

# cd /etc/python-policyd-spf/
# vi  policyd-spf.conf

Adding the SPF Policy Server to Postfix

In order for incoming messages to be validated by the SPF Policy Server, we first need to add the SPF Policy Server to our Postfix configuration as a new service (in '/etc/postfix/master.cf'):

# cd /etc/postfix/
# vi master.cf

# SPF Policy Server for Postfix
policyd-spf    unix    -    n    n    -    0
     spawn user=policyd-spf argv=/usr/libexec/postfix/policyd-spf

Because the service can't be run by the 'root' or 'postfix' user, we need to create a new user, called 'policyd-spf':

# useradd -c "SPF Policy Server for Postfix" -d /etc/python-policyd-spf -s "/sbin/nologin" policyd-spf

We can then add the new service to the checks performed in the context of the SMTP handshake on port 25. That's done by first adding the following option to the file '/etc/postfix/main.cf':

# vi main.cf
# policyd-spf service
policyd-spf_time_limit = 3600

And then adding this option to the smtp/25 service in the file '/etc/postfix/master.cf':

#vi master.cf
  -o smtpd_relay_restrictions=check_policy_service,unix:private/policyd-spf,permit
# postfix check
# systemctl restart postfix

Configuration in your public DNS servers

For each domain you have to add the SFP settings.

• a: if the sender's IP address matches the IP address present in the A record, the email is accepted.
• mx: if the email is sent from the domain's MX record, the email is accepted.
• ip4: if the sender's IP address is in the IPv4 range included in the SPF record, the email is accepted.
• ip6: if the sender's IP address is in the IPv6 range included in the SPF record, the email is accepted.
• include: if the conditions of the record being included are met, the email is accepted.

At the end of the SPF record, you specify how the receiving mail server should handle the record:

• ~all: the softfail method. If an email is sent by a host or IP address that is not included in the SPF record, the email is accepted, but may be marked as spam.
• -all: the hardfail method. If an email is sent by a host or IP address that is not included in the SPF record, the email is immediately rejected.
• +all: accept all email. Email is always allowed, which means the record does not have the intended result.
• ?all: the SPF record does not perform any additional validation. Emails from unauthorized servers are allowed.

Go to your domain DNS settings and create an new TXT entry. Enter after TXT "v=spf1 mx a ip4:a.b.c.0/24 ip6:20.../64 ~all" and leave before TXT empty. Safe the settings.

Configuration in your local DNS server

Add to the zone file:

# cd /var/named/dynamic
# vi example.com
example.com. IN TXT "v=spf1 mx a ~all"
# named-checkconf
# systemctl restart named

Checking

To test if the SPF record is set correctly check at SPF record and enter your domain.

You need to setup dkim and dmarc.

Links