Setting up SPF
Well, they've done it again. Those geniuses have come up with yet another way to screw up our email. It's called SPF or “Sender Policy Framework.” If you're reading this page, you probably know by now that SPF has nothing to do with protecting your email server against sunburn. It's a way of blocking your domain unless you make more changes to your DNS server. If your mail server doesn't follow these rules, you're assumed to be a spammer and all your outgoing email gets bounced. You will get burned.
What is SPF
SPF is an earlier version of DKIM. The recipient mail server queries your DNS server to find out if the email really came from one of your IP addresses. If not, or if you don't have SPF installed, the message is assumed to be spam, and it's bounced. Yes, it's stupid ... but you should be used to that sort of thing by now. Apparently, some people are actually using it.
The hardest part about installing SPF is accessing the OpenSPF website. The information here is taken from the Zytrax website. Since I've never been able to access the official SPF website, I can't tell if the information shown here is correct. But I've been using it, and it seems to work.
- Make sure you are running BIND 9.4 or higher.
    strings /usr/local/sbin/named | grep "named version"
- Insert four lines of SPF stuff in your domain record.
These SPF records have the same format as a standard TXT record.
For example, suppose
you had one mail server for a domain called example.com. You would
probably already have an MX record like this:
    ; zone file fragment for example.com
    $ORIGIN example.com.
             IN MX 10 mail.example.com.
    mail     IN A  192.168.0.4

To add Sender Policy Framework stuff, you would slather the following four SPF lines into the "@" section of your domain file:

    example.com.  IN TXT "v=spf1 mx -all"
    example.com.  IN SPF "v=spf1 mx -all"
    mail          IN TXT "v=spf1 a -all"
    mail          IN SPF "v=spf1 a -all"

Somewhere in that file, you need to specify the IP address of the mail server in an address or A record. A line like this should already be in there:

    IN A 192.168.0.3

That's it--much easier than DKIM. Don't forget to turn off the named daemon while you're doing this. Next, increment your serial number and re-start named. Then wait for a couple of days while the changes gradually propagate throughout the Internet. (In reality, it often takes two weeks or longer, plus the caching time specified in your zone file.) Now, you're protected from the harmful rays of the recipient's MTA.
If your email is handled by an off-site mail server, you would use an include entry, like so:

    example.com.  IN TXT "v=spf1 include:offsite.com -all"
    example.com.  IN SPF "v=spf1 include:offsite.com -all"

This passes the responsibility onto offsite.com, and will only work if offsite.com has SPF set up properly.
The little punctuation mark before the "all" is important. '-' means non-matching entries will fail, '~' means they are neither pass nor fail, and '+' means they always pass. Using the third one means that you think SPF is valueless.
Another possibility is to validate all hosts in a given subnet. You would change the four SPF lines to indicate your subnet, using IPv4 Classless notation, like so:

    example.com.  IN TXT "v=spf1 ip4:192.168.0.3/27 -all"
    example.com.  IN SPF "v=spf1 ip4:192.168.0.3/27 -all"
    mail          IN TXT "v=spf1 ip4:192.168.0.3/27 -all"
    mail          IN SPF "v=spf1 ip4:192.168.0.3/27 -all"

Obviously, you would put your own network information here, not a 192 /27.
Here are the two lines we use on one of our domains. These lines are known to work. The trick is to use one SPF and one TXT line.

    my_domain_name.com.  IN SPF "v=spf1 a mx a:host1.my_domain_name.com ~all"
    my_domain_name.com.  IN TXT "v=spf1 a mx a:host1.my_domain_name.com ~all"
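To see how a receiving MTA actually reads records like the ones above, here is a small Python evaluator added to this page (it is not code from the original post or from any SPF project). It handles the "a", "mx", "ip4" and "include" mechanisms and the "-", "~", "+" and "?" qualifiers, evaluating terms left to right and stopping at the first match, the way a real checker does. It resolves names against a constructed in-memory DNS table rather than live DNS, so every domain and address in it is a stand-in that merely mirrors the zone fragments in the text; a production checker would also implement the remaining RFC 7208 mechanisms, the "redirect" modifier and the temperror cases.

```python
import ipaddress

# Constructed in-memory DNS table standing in for real lookups; the names and
# addresses are stand-ins that mirror the zone fragments discussed in the text.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.168.0.4"],
    ("subnet.example", "TXT"): ["v=spf1 ip4:192.168.0.3/27 -all"],
    ("chain.example", "TXT"): ["v=spf1 include:offsite.com -all"],
    ("offsite.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("soft.example", "TXT"): ["v=spf1 a mx a:host1.soft.example ~all"],
    ("soft.example", "A"): ["192.0.2.10"],
    ("soft.example", "MX"): ["mail.soft.example"],
    ("mail.soft.example", "A"): ["192.0.2.25"],
    ("host1.soft.example", "A"): ["192.0.2.99"],
    ("twice.example", "TXT"): ["v=spf1 mx -all", "v=spf1 a -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "ptr", "exists"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def lookup(name, rtype):
    return FAKE_DNS.get((name.lower(), rtype), [])


def ip_in(ip, network):
    # strict=False so "192.168.0.3/27" is read as the /27 that contains .3
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def a_matches(ip, host, cidr):
    return any(ip_in(ip, f"{addr}/{cidr}") for addr in lookup(host, "A"))


def check_host(ip, domain, counter=None):
    """Return none, neutral, pass, fail, softfail or permerror for `ip`
    sending as `domain`, using the left-to-right, first-match rule."""
    counter = counter if counter is not None else [0]
    records = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # two SPF records is an error, not "either one"
    for term in records[0].split()[1:]:
        qualifier = "+"  # an unqualified mechanism is a "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in DNS_MECHANISMS:
            counter[0] += 1
            if counter[0] > MAX_DNS_MECHANISMS:
                return "permerror"
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_in(ip, arg)
        elif name == "a":
            host, _, cidr = (arg or domain).partition("/")
            matched = a_matches(ip, host, cidr or "32")
        elif name == "mx":
            host, _, cidr = (arg or domain).partition("/")
            matched = any(a_matches(ip, mx, cidr or "32") for mx in lookup(host, "MX"))
        elif name == "include":
            inner = check_host(ip, arg, counter)
            if inner in ("none", "permerror"):
                return "permerror"  # include of a domain without SPF is an error
            matched = inner == "pass"  # only the included record's "pass" matches
        else:
            return "permerror"  # mechanisms/modifiers this toy does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term decided the outcome


if __name__ == "__main__":
    for ip, domain in [("192.168.0.4", "example.com"), ("10.0.0.1", "soft.example")]:
        print(ip, domain, "->", check_host(ip, domain))
```

Two details worth noticing: the "include" mechanism only matches when the included domain returns "pass", which is why the text says it only works if offsite.com has SPF set up properly; and the table above holds only TXT records, because RFC 7208 retired the separate SPF record type, so publishing the TXT line is the one that counts for current receivers.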
- It goes without saying that the above should be done on the name server that is authoritative for your domain.
There are a few other features, notably adding a DNS Black List feature. I do not recommend using these, as these DNSBLs are notoriously inaccurate. An SPF testing tool can be found at http://www.kitterman.com/spf/validate.html
Okay, let's see ... Did I miss any sunscreen jokes?